Trojans And Lops


  • This topic is locked
39 replies to this topic

#1 Booman

Booman

  • Banned
  • 525 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:38 AM

Posted 28 December 2007 - 06:21 PM

Every 5 mins I keep getting Trojan alerts from AVG Free Edition and Lops. It won't leave me alone. I am running NoLop and it found something.

Here is an image I took with DonationCoder's Screenshot Captor:

http://i229.photobucket.com/albums/ee189/d...fman/virlop.jpg
http://i229.photobucket.com/albums/ee189/d...olfman/lop2.jpg
http://i229.photobucket.com/albums/ee189/d...man/virlop3.jpg

Here is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:50, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Documents and Settings\Jeff Crooks\Desktop\ewido_micro.exe
C:\Documents and Settings\Jeff Crooks\Desktop\NoLop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

--
End of file - 6983 bytes


Here is my ComboFix log:

ComboFix 07-12-21.4 - Jeff Crooks 2007-12-28 15:39:40.2 - NTFSx86
Running from: C:\Documents and Settings\Jeff Crooks\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 13:42 . 2007-12-28 13:42 <DIR> d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Comodo
2007-12-28 13:42 . 2007-12-28 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-28 13:42 . 2007-12-28 13:41 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-28 13:42 . 2007-12-28 13:41 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-28 13:42 . 2007-12-28 13:41 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-28 13:41 . 2007-12-28 13:41 <DIR> d-------- C:\Program Files\COMODO
2007-12-28 13:24 . 2007-05-14 12:34 788,176 --a------ C:\WINDOWS\system32\ZDelete.dll
2007-12-28 12:53 . 2007-12-28 13:13 <DIR> d-------- C:\Documents and Settings\Jeff Crooks\Application Data\AVG7
2007-12-28 12:51 . 2007-12-28 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-24 22:55 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-24 22:55 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-24 18:47 . 2007-12-24 18:47 <DIR> d-------- C:\Documents and Settings\Jeff Crooks\Application Data\gtk-2.0
2007-12-24 18:47 . 2007-12-24 18:47 <DIR> d-------- C:\Documents and Settings\Jeff Crooks\.thumbnails
2007-12-24 13:54 . 2004-03-09 01:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2007-12-23 20:49 . 2007-12-24 18:48 <DIR> d-------- C:\Documents and Settings\Jeff Crooks\.gimp-2.4
2007-12-23 20:47 . 2007-12-23 20:47 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-12-17 07:56 . 2007-12-17 07:56 7,227,813 --a--c--- C:\Temp\FreeVideoToMp3Converter.exe
2007-12-16 22:19 . 2007-12-16 22:19 <DIR> d-------- C:\Program Files\Logitech
2007-12-16 22:19 . 2007-12-16 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-12-16 22:19 . 2007-12-16 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-12-16 18:18 . 2007-12-16 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiComponents
2007-12-16 18:17 . 2007-12-17 07:56 <DIR> d-------- C:\Program Files\DVDVideoSoft
2007-12-16 18:17 . 2007-12-17 07:57 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2007-12-15 18:00 . 2007-12-15 18:01 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-15 17:58 . 2005-07-12 08:33 32,768 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2007-12-15 17:58 . 2005-07-12 08:33 20,480 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2007-12-15 17:57 . 2007-12-15 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-15 17:57 . 2003-03-11 17:26 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2007-12-15 17:57 . 2003-03-11 17:26 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2007-12-15 17:57 . 2003-03-11 17:26 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2007-12-15 17:57 . 2003-03-11 17:26 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2007-12-15 17:57 . 2003-03-11 17:26 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2007-12-15 17:57 . 2005-07-12 08:36 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2007-12-15 17:56 . 2007-12-15 17:59 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2007-12-15 17:55 . 2007-12-15 20:59 <DIR> d-------- C:\Program Files\Lx_cats
2007-12-15 17:55 . 2007-12-15 18:01 22,999 --a------ C:\WINDOWS\system32\LexFiles.ulf
2007-12-15 17:53 . 2005-08-17 01:46 1,214 -ra------ C:\WINDOWS\system32\lxcg.loc
2007-12-15 17:52 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-12-15 17:52 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-12-15 17:52 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-15 17:52 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-15 17:51 . 2007-12-16 10:26 <DIR> d-------- C:\Program Files\Lexmark 2300 Series
2007-12-15 17:50 . 2007-12-16 10:26 <DIR> d----c--- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2007-12-15 17:50 . 2007-12-24 17:17 <DIR> d----c--- C:\Temp
2007-12-15 17:50 . 2007-12-15 17:52 867 --a--c--- C:\LXCGINST.csv
2007-12-15 17:49 . 2007-12-15 17:49 0 --a--c--- C:\lxcgfire.csv
2007-12-15 17:48 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-15 17:48 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-15 17:48 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-15 17:48 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-13 17:46 . 2007-12-13 17:46 <DIR> d-------- C:\Program Files\Cryptainer LE
2007-12-13 17:46 . 2007-07-13 19:05 100,728 --a------ C:\WINDOWS\system32\drivers\ssoftnt4.sys
2007-12-13 17:46 . 2007-01-24 18:45 74,240 --a------ C:\WINDOWS\system32\cryptainersrv.exe
2007-12-13 10:58 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-13 10:58 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-13 10:58 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-13 10:58 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-13 10:58 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-13 10:58 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-13 10:58 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-13 10:58 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-13 10:58 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-13 08:38 . 2007-12-13 08:38 653 --a--c--- C:\register.bat
2007-12-13 08:35 . 2007-12-13 11:58 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-12 23:29 . 2007-12-13 18:07 391 --a------ C:\WINDOWS\pandemicopts.ini
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-07 22:27 . 2007-12-07 22:27 294 ---hs---- C:\WINDOWS\system32\giyejdpv.ini
2007-12-07 22:19 . 2004-08-04 07:00 455,168 --a--c--- C:\WINDOWS\system32\dllcache\tintsetp.exe
2007-12-07 22:19 . 2004-08-04 07:00 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2007-12-07 22:19 . 2004-08-04 07:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-12-07 22:19 . 2004-08-04 07:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-12-07 22:19 . 2004-08-04 07:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\tsprof.exe
2007-12-07 22:19 . 2004-08-04 07:00 10,240 --a--c--- C:\WINDOWS\system32\dllcache\tmigrate.dll
2007-12-07 22:17 . 2004-08-04 07:00 131,584 --a--c--- C:\WINDOWS\system32\dllcache\pmxviceo.dll
2007-12-07 22:17 . 2001-08-17 22:36 38,912 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_ntfsdrv.dll
2007-12-07 22:17 . 2004-08-04 07:00 11,264 --a--c--- C:\WINDOWS\system32\dllcache\pmxmcro.dll
2007-12-07 22:17 . 2004-08-04 07:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\pmxgl.dll
2007-12-07 22:15 . 2004-08-04 07:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2007-12-07 22:14 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-07 22:13 . 2003-03-24 16:52 188,480 --a--c--- C:\WINDOWS\system32\dllcache\cfgwiz.exe
2007-12-07 22:07 . 2007-12-07 22:07 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-07 22:07 . 2007-12-07 22:07 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2007-12-07 22:07 . 2007-12-07 22:07 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-12-07 22:07 . 2007-12-07 22:07 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2007-12-07 22:07 . 2007-12-07 22:07 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-12-07 22:05 . 2004-08-04 07:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2007-12-07 19:51 . 2004-08-04 07:00 14,821 --a------ C:\WINDOWS\system32\PINTLPAD.HLP
2007-12-07 16:08 . 2007-12-07 16:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-07 15:59 . 2007-12-07 15:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 21:14 . 2007-12-07 22:38 70,032 ---hs---- C:\WINDOWS\system32\vycdd.ini
2007-12-06 19:08 . 2007-12-06 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-06 18:51 . 2007-12-28 14:36 <DIR> d----c--- C:\VundoFix Backups
2007-12-05 19:58 . 2007-12-06 06:46 807,708 --ahs---- C:\WINDOWS\system32\bxukatdg.ini
2007-12-04 22:16 . 2007-12-04 22:16 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2007-12-04 19:59 . 2007-12-05 16:43 805,441 --ahs---- C:\WINDOWS\system32\hjoyuwan.ini
2007-12-02 20:02 . 2007-12-02 20:03 793,664 --ahs---- C:\WINDOWS\system32\wmgwypbu.ini
2007-12-02 12:07 . 2007-12-08 16:26 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-12-01 09:03 . 2007-12-01 12:57 793,664 --ahs---- C:\WINDOWS\system32\gcidrjlh.ini
2007-12-01 05:32 . 2007-12-07 22:25 70,112 ---hs---- C:\WINDOWS\system32\vycdd.bak2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 20:43 --------- d-----w C:\Documents and Settings\Jeff Crooks\Application Data\SiteAdvisor
2007-12-28 20:22 --------- d-----w C:\Program Files\ScreenshotCaptor
2007-12-28 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-28 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-25 15:26 --------- d-----w C:\Program Files\QuickTime
2007-12-23 20:25 --------- d-----w C:\Program Files\Weather Pulse
2007-12-18 23:31 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-12-18 23:30 --------- d-----w C:\Program Files\Mozilla Sunbird
2007-12-18 11:54 --------- d-----w C:\Program Files\MSN Messenger
2007-12-18 11:54 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-18 01:10 --------- d-----w C:\Program Files\Windows Live
2007-12-17 03:21 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-12-17 03:18 --------- d-----w C:\Program Files\Labtec
2007-12-17 01:48 --------- d-----w C:\Documents and Settings\Jeff Crooks\Application Data\Apple Computer
2007-12-16 23:01 --------- d-----w C:\Program Files\HyCam2
2007-12-14 21:42 --------- d-----w C:\Documents and Settings\Jeff Crooks\Application Data\OpenOffice.org2
2007-12-14 21:40 --------- d-----w C:\Program Files\DcUpdater
2007-12-13 03:32 --------- d-----w C:\Documents and Settings\Jeff Crooks\Application Data\Weather Pulse
2007-12-08 21:27 --------- d-----w C:\Documents and Settings\Jeff Crooks\Application Data\Yahoo!
2007-12-08 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-08 21:26 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 22:40 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2007-12-06 03:13 --------- d-----w C:\Documents and Settings\Jeff Crooks\Application Data\FileZilla
2007-12-03 22:13 --------- d-----w C:\Program Files\FileZilla Client
2007-12-01 14:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-12-01 01:42 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-21 18:32 --------- d-----w C:\Documents and Settings\Jeff Crooks\Application Data\Sierra
2007-11-21 18:29 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-21 18:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 17:57 --------- d-----w C:\Program Files\Sierra
2007-11-19 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-17 13:42 --------- d-----w C:\Program Files\InterActual
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 17:28 --------- d-----w C:\Program Files\Colorizer
2007-11-12 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-12 04:01 --------- d-----w C:\Program Files\AIM6
2007-11-12 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-12 03:57 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-09 22:35 --------- d-----w C:\Program Files\iTunes
2007-11-09 22:34 --------- d-----w C:\Program Files\iPod
2007-11-07 22:16 --------- d-----w C:\Program Files\Audacity
2007-11-05 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-05 02:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf
2007-11-04 15:04 --------- d-----w C:\Program Files\JoshMadison
2007-11-01 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Uniblue
2007-10-05 22:18 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-24 00:54 8 --sha-r C:\WINDOWS\system32\00B5121E2E.sys
2007-09-24 00:59 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 01:27]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 23:05]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-08 18:38]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 14:12]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 18:45]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 01:29]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 12:48]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-28 12:55]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-28 13:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-28 12:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jeff Crooks^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jeff Crooks^Start Menu^Programs^Startup^Caledos Wallpaper (startup).lnk]
backup=C:\WINDOWS\pss\Caledos Wallpaper (startup).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\58889bd7]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-04-04 13:41 970752 --a------ C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2005-08-01 07:05 94208 --a------ C:\Program Files\Lexmark 2300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
C:\Program Files\Lexmark Fax Solutions\fm3032.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitwarePKLite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 16:33 563984 --a------ C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam\Quickcam.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
2005-07-21 01:07 200704 --a------ C:\Program Files\Lexmark 2300 Series\lxcgmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
2007-08-13 13:05 36640 --a------ C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 03:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SiteAdvisor Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"Messenger"=2 (0x2)
"lxcg_device"=3 (0x3)
"LVCOMSer"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-28 13:41]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-28 13:41]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-23 09:06]
S3 cpuz128;cpuz128;C:\DOCUME~1\JEFFCR~1\LOCALS~1\Temp\cpuz_x32.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 20:00:01 C:\WINDOWS\Tasks\AEA207A390BDBF33.job"
- c:\docume~1\jeffcr~1\applic~1\axisco~1\WMA HEART SITE.exe
"2007-12-21 22:22:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 02:51:59 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-22 04:51:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-01 20:36:21 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 15:50:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?1?2?6??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2007-12-28 15:53:09 - machine was rebooted [Jeff Crooks]
.
2007-12-13 17:49:36 --- E O F ---

Any help?


#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:08:38 AM

Posted 29 December 2007 - 02:05 AM

Hello Booman and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Booman

Booman
  • Topic Starter

  • Banned
  • 525 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:38 AM

Posted 29 December 2007 - 11:43 AM

OK, I will just do that then.

#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:08:38 AM

Posted 30 December 2007 - 01:02 PM

Hey Booman,

What is shown in screenshots #1 and #3 are files in System Restore and will be taken care of after finishing the cleaning process. #2 should have been taken care of by NoLop.

Please also note that ComboFix is a very advanced tool and should not be used without guidance. You may harm your PC if it is used in an inappropriate manner (the Disclaimer is there for a reason :blink:).

Please uninstall Messenger Plus, as this is what caused you to have the Lop infection. If you really need it, you may install it again after the cleaning process - but do make sure you remove the sponsor (Lop) option that you are faced with during the install process :thumbsup:.

Step #1

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #2

Please download NoLop to your Desktop
  • First close any other programs you have running as this will require a reboot.
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy".
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK.
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

Please post the contents of C:\NoLop.log along with a fresh log from HijackThis. Let me know if you had any problems during the fix.

Step #3

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #4

Once you have done this please create an uninstall list:
  • Start HiJackThis
  • Press 'Config'
  • Press 'Misc Tools'
  • Press 'Open Uninstall Manager'
  • Press 'Save List'
  • Save the log to a convenient location

Step #5

Please post back with the C:\NoLop.log log, the vundofix.txt, a fresh HijackThis log and the Uninstall list. Thanks.


#5 Booman

Booman
  • Topic Starter
  • Banned
  • 525 posts
  • Gender:Male

Posted 30 December 2007 - 06:28 PM

Here is my HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:56 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff Crooks\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Jeff Crooks\Desktop\NoLop.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7425 bytes


Here is the Uninstall Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:56 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff Crooks\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Jeff Crooks\Desktop\NoLop.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7425 bytes


Here is the NoLop! Log

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Jeff Crooks\Desktop
[12/30/2007]
[6:07:31 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Uniblue
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Comodo
C:\Documents and Settings\All Users\Application Data\Donationcoder
C:\Documents and Settings\All Users\Application Data\Faxctr
C:\Documents and Settings\All Users\Application Data\Flexnet
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Logishrd
C:\Documents and Settings\All Users\Application Data\Logitech
C:\Documents and Settings\All Users\Application Data\Mailfrontier
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Corporation -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Nch Swift Sound
C:\Documents and Settings\All Users\Application Data\Sicomponents
C:\Documents and Settings\All Users\Application Data\Siteadvisor
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Uniblue
C:\Documents and Settings\All Users\Application Data\Viewpoint -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windowsliveinstaller
C:\Documents and Settings\All Users\Application Data\Winzip
C:\Documents and Settings\All Users\Application Data\Winzipse
C:\Documents and Settings\All Users\Application Data\Wlinstaller
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Dad\Application Data\Identities
C:\Documents and Settings\Dad\Application Data\Macromedia
C:\Documents and Settings\Dad\Application Data\Microsoft
C:\Documents and Settings\Dad\Application Data\Siteadvisor
C:\Documents and Settings\Dad\Application Data\Yahoo!
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Jeff Crooks\Application Data\Acccore
C:\Documents and Settings\Jeff Crooks\Application Data\Adobe
C:\Documents and Settings\Jeff Crooks\Application Data\Aim
C:\Documents and Settings\Jeff Crooks\Application Data\Apple Computer
C:\Documents and Settings\Jeff Crooks\Application Data\Avg7
C:\Documents and Settings\Jeff Crooks\Application Data\Big Fish Games
C:\Documents and Settings\Jeff Crooks\Application Data\Comodo
C:\Documents and Settings\Jeff Crooks\Application Data\Donationcoder
C:\Documents and Settings\Jeff Crooks\Application Data\Filezilla
C:\Documents and Settings\Jeff Crooks\Application Data\Gtk-2.0
C:\Documents and Settings\Jeff Crooks\Application Data\Identities
C:\Documents and Settings\Jeff Crooks\Application Data\Intervideo
C:\Documents and Settings\Jeff Crooks\Application Data\Macromedia
C:\Documents and Settings\Jeff Crooks\Application Data\Microsoft
C:\Documents and Settings\Jeff Crooks\Application Data\Mozilla
C:\Documents and Settings\Jeff Crooks\Application Data\Openoffice.org2
C:\Documents and Settings\Jeff Crooks\Application Data\Pc Tools
C:\Documents and Settings\Jeff Crooks\Application Data\Sierra
C:\Documents and Settings\Jeff Crooks\Application Data\Siteadvisor
C:\Documents and Settings\Jeff Crooks\Application Data\Sun
C:\Documents and Settings\Jeff Crooks\Application Data\Talkback
C:\Documents and Settings\Jeff Crooks\Application Data\Thunderbird
C:\Documents and Settings\Jeff Crooks\Application Data\Uniblue
C:\Documents and Settings\Jeff Crooks\Application Data\Weather Pulse
C:\Documents and Settings\Jeff Crooks\Application Data\Yahoo!
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Siteadvisor -- EMPTY Directory
C:\Documents and Settings\Networkservice\Application Data\Microsoft

Here is the VundoFix Log


VundoFix V6.7.0

Checking Java version...

Scan started at 6:51:22 PM 12/6/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 9:06:52 PM 12/6/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 7:25:35 AM 12/7/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.0

Checking Java version...

Scan started at 10:52:08 PM 12/7/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 11:01:29 PM 12/7/2007

Listing files found while scanning....


Beginning removal...

VundoFix V6.7.0

Checking Java version...

Scan started at 11:05:48 PM 12/7/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 11:07:47 PM 12/7/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 11:10:20 PM 12/7/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 11:15:27 PM 12/7/2007

Listing files found while scanning....

C:\windows\system32\fsnrlmkl.exe
C:\windows\system32\ihkmp.ini
C:\windows\system32\ihkmp.ini2
C:\windows\system32\pmkhi.dll
C:\windows\system32\qcscawqn.exe
C:\windows\system32\qemcrcbp.exe

Beginning removal...

Attempting to delete C:\windows\system32\fsnrlmkl.exe
C:\windows\system32\fsnrlmkl.exe Has been deleted!

Attempting to delete C:\windows\system32\ihkmp.ini
C:\windows\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\ihkmp.ini2
C:\windows\system32\ihkmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\pmkhi.dll
C:\windows\system32\pmkhi.dll Has been deleted!

Attempting to delete C:\windows\system32\qcscawqn.exe
C:\windows\system32\qcscawqn.exe Has been deleted!

Attempting to delete C:\windows\system32\qemcrcbp.exe
C:\windows\system32\qemcrcbp.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 8:52:05 AM 12/8/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.0

Checking Java version...

Scan started at 9:48:58 AM 12/8/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 10:36:20 AM 12/8/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.7

Checking Java version...

Scan started at 5:52:30 PM 12/30/2007

Listing files found while scanning....

No infected files were found.

Hey. The file says I had none at this scan... but I had the Virtumonde before. I have uninstalled the messenger, but HJT says that the installer is still left and I cannot find it in Add or Remove Programs.
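A small triage parser for the HijackThis log format posted in this thread, added here as an example; it is not part of the original post and not HijackThis's own code. The sample lines are copied from the log above, except the `svchosts` Run entry, which is constructed so the profile/temp heuristic has something to flag; the `USER_WRITABLE` directory list is an assumption of this example, not a HijackThis rule.

```python
"""Triage helper for HijackThis v2 log entries (added example, not HJT code).

Parses the 'Rn - ...' / 'On - ...' lines into records and flags the ones a
first pass through the log would look at: orphaned '(no file)' components,
AppInit_DLLs injections (O20) and Run entries (O4) that launch from a
user-writable profile or temp directory.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HJT log posted in this thread, plus
# one made-up 'svchosts' Run entry (NOT from the posted log) so that the
# profile/temp heuristic below has something to flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchosts] C:\Documents and Settings\user\Local Settings\Temp\svchosts.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
"""


@dataclass
class Entry:
    kind: str   # HJT section id, e.g. 'O4', 'O20', 'O23'
    body: str   # everything after the 'O4 - ' prefix
    name: str   # Run value name / component name ('' when not applicable)
    path: str   # best-effort file the entry points at ('' when none)


ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
# First executable-looking path in a command line, quoted or not.
PATH_RE = re.compile(r'^"?(?P<p>.+?\.(?:exe|dll|cpl|ocx|scr))"?', re.IGNORECASE)

# Assumption of this example: directories a machine-wide autostart normally
# has no business living in (user profile, temp, desktop).
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\desktop\\", "\\users\\")


def _path_from_cmd(cmd: str) -> str:
    m = PATH_RE.match(cmd.strip())
    return m.group("p") if m else ""


def parse_entry(line: str):
    """Turn one HJT log line into an Entry, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    name, path = "", ""
    if kind == "O4":
        # 'HKLM\..\Run: [value name] command line'
        run = RUN_RE.search(body)
        if run:
            name, path = run.group("name"), _path_from_cmd(run.group("cmd"))
    elif kind == "O20":
        # 'AppInit_DLLs: C:\...\some.dll'
        name, path = "AppInit_DLLs", body.split(":", 1)[1].strip()
    elif kind in ("O2", "O3", "O9", "O23"):
        # 'Label: name - {CLSID} - path'  or  'Service: name - company - path'
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0].split(":", 1)[-1].strip()
        path = parts[-1] if len(parts) > 1 else ""
    return Entry(kind, body, name, path)


def parse_log(text: str):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def triage(entries):
    """Return (entry, reason) pairs worth a manual look, in log order."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.path == "(no file)":
            findings.append((e, "orphaned: registered component is no longer on disk"))
        elif e.kind == "O20":
            findings.append((e, "AppInit_DLLs is loaded into every GUI process; confirm the publisher"))
        elif e.kind == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append((e, "autostart runs from a user-writable profile/temp path"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.kind:4} {entry.name!r:24} {entry.path}\n     -> {why}")
```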

#6 Booman

Booman
  • Topic Starter
  • Banned
  • 525 posts
  • Gender:Male

Posted 31 December 2007 - 02:20 AM

Oh no! AVG just picked up another Trojan! And it seems to be attacking my System Restore files... is there a way to stop this from getting to System Restore? A way to delete all points? I have not been downloading anything either...

#7 Yourhighness

Yourhighness
  • The BSG Malware Fighter
  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 31 December 2007 - 06:28 AM

Hey Booman,

Here is the Uninstall Log

You accidentally posted the HJT log twice. Please post the Uninstall list with your next reply.

Hey. The file says i had none at this scan..but I had the Virtumonde before..I have uninstalled the messenger but HJT says that the installer is still left and i cannot find it in the add or remove programs

VundoFix did find files and removed them, so that's fine.

Oh No! AVG just picked up another trojan! and it seems to be attacking my system restore files...is ther a way to stop this from getting to system restore? a way to delete all points?I have not been downloading anything either...

System Restore points will be taken care of later, so it's OK for now.

Step #1

Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
Now please delete the following files and folders (NB: if you cannot find a file or folder that is just fine):

C:\Documents and Settings\All Users\Application Data\Viewpoint <-- this folder
C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf <-- this folder


Step #2
  • Now please navigate to: Start >> Run...
  • Type: Combofix /u and hit Enter
  • This will delete:
    • \Qoobox
    • \VundoFix Backups
    • \Deckard
    • \_OTMoveIt
    • %systemroot%\erdnt\subs
  • Also resets System Restore, re-hides system & hidden files, resets system clock and last but not least, hides the file extensions of known filetypes

Step #3

Please run the F-Secure Online Scanner
(You need to use Internet Explorer or enable IEView in Firefox.)
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

Step #4

Please post back with the Uninstall list, a fresh HijackThis log, and the log from the F-Secure Online Scanner. Thanks.

Edited by Yourhighness, 31 December 2007 - 07:42 AM.


#8 Yourhighness

Yourhighness
  • The BSG Malware Fighter
  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 31 December 2007 - 07:43 AM

Please note that I seem to have forgotten to include the following folder for deletion:

C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf

I have edited my above post to include it.


#9 Booman

Booman
  • Topic Starter
  • Banned
  • 525 posts
  • Gender:Male

Posted 31 December 2007 - 12:18 PM

Well... that Step Number 2... there is an issue... it keeps telling me that no such thing exists when I type it in. I have completed step number one, and the scanner failed... I had an error. I keep getting these Trojans... they are attacking my System Restore. Is there a way to clean it other than step number 2?

Edited by Booman, 31 December 2007 - 03:39 PM.


#10 Booman

Booman
  • Topic Starter
  • Banned
  • 525 posts
  • Gender:Male

Posted 31 December 2007 - 08:20 PM

Here is the REAL Uninstall log. Sorry.

ABBYY FineReader 6.0 Sprint
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
AIM 6
ALPS Touch Pad Driver
ANNO 1602
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
AVG 7.5
Broadcom 802.11 Wireless LAN Adapter
CA Yahoo! Anti-Spy (remove only)
Colorizer 1.0.0.1
Conexant AC-Link Audio
Convert
Data Fax SoftModem with SmartCP
DcUpdater 1.23.01
Empire Earth II
Empire Earth II: The Art of Supremacy
Free Video to Mp3 Converter version 2.8
Free YouTube to iPod Converter version 2.8
GIMP 2.4.2
Google Earth
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
HP Help and Support
HP Wireless Assistant 2.00 C1
HyperCam 2
InterVideo DVD Check
InterVideo WinDVD
iPlayer Mass Storage Driver V3.1
iTunes
Java™ 6 Update 2
Java™ 6 Update 3
Labtec Legacy USB Camera Driver Package
Lexmark 2300 Series
Lexmark Fax Solutions
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Video Enumerator
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Pandora's Box
Microsoft Silverlight
Microsoft Windows Journal Viewer
Mozilla Firefox (2.0.0.11)
Mozilla Sunbird (0.7)
Mozilla Thunderbird (2.0.0.9)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MVision
NetWaiting
OpenOffice.org 2.3
Panda ActiveScan
PDF Settings
Quick Launch Buttons 5.10 B5
QuickTime
Registry Mechanic 7.0
Screenshot Captor 2.37.03
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Spelling Dictionaries Support For Adobe Reader 8
Spyware Doctor 5.1
Sygate Personal Firewall
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
Texas Instruments PCIxx21/x515/xx12 drivers.
Trend Micro TrendProtect for Internet Explorer
Tweak UI
Uniblue RegistryBooster 2
Uniblue SpeedUpMyPC 3
Uniblue SpyEraser
Uninstall 1.0.0.0
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB942763)
Weather Pulse 2.05 build 36
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip 11.1
Yahoo! Messenger
Yahoo! Toolbar

#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:08:38 AM

Posted 01 January 2008 - 08:29 AM

Hey Booman,

and the scanner failed... I had an error

Can you tell me what error that was?

That ComboFix is not found is OK. Regarding the Trojans in the System Volume Information, yes, there is another way and we will do that once you are clean and good to go (to avoid getting an infected System Restore again).

The following refers to Registry Mechanic 7.0 and Uniblue RegistryBooster 2.
Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

Step #1

You have the latest version of Java installed, but also its previous version. Leaving old versions of Java on the machine may leave you open to malware using security gaps fixed in your current version. Therefore:

Please click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Java™ 6 Update 2

Step #2

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
  • If you use Firefox browser
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.

        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.

        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #3

If you are having problems running the F-Secure Online Scanner, please try to run their Beta Version.
(You need to use Internet Explorer or enable IEView in Firefox)
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
Step #4

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your post.
The logs can be quite lengthy. Use two posts if you need to get them all in.

Step #5

Please post back with the F-Secure Log and the main.txt and the extra.txt from DSS. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#12 Booman

Booman
  • Topic Starter

  • Banned
  • 525 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:38 AM

Posted 01 January 2008 - 12:30 PM

Here is the Main Log

Deckard's System Scanner v20071014.68
Run by Jeff Crooks on 2008-01-01 12:37:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Jeff Crooks.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:00 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Jeff Crooks\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JEFFCR~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Launcher.exe] C:\Program Files\ABF software\ABF Magnifying Tools\Launcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - Trusted Zone: *.issist.ca
O15 - Trusted Zone: *.issist.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7945 bytes

-- Files created between 2007-12-01 and 2008-01-01 -----------------------------

2008-01-01 12:15:58 0 d------c- C:\fsaua.data
2008-01-01 12:01:25 0 d-------- C:\Program Files\Spyware Doctor
2008-01-01 12:01:25 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\PC Tools
2008-01-01 11:58:34 0 dr-h----- C:\Documents and Settings\Jeff Crooks\Recent
2008-01-01 02:26:11 24576 --a------ C:\WINDOWS\system32\winzoa32.dll
2008-01-01 02:14:38 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-01-01 01:52:44 0 d-------- C:\Program Files\Weather Radar Toolkit
2007-12-31 21:22:45 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-12-31 21:22:26 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2007-12-31 19:48:44 0 d-------- C:\WINDOWS\BDOSCAN8
2007-12-31 18:39:57 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 2
2007-12-31 17:12:53 0 d-------- C:\Program Files\ABF software
2007-12-31 14:47:10 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Google
2007-12-31 14:14:05 0 d-------- C:\Program Files\Google
2007-12-31 00:44:57 0 d-------- C:\Documents and Settings\Jeff Crooks\.housecall6.6
2007-12-31 00:42:12 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\SiteAdvisor
2007-12-30 18:33:52 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-30 17:52:30 0 d------c- C:\VundoFix Backups
2007-12-30 17:45:36 424 --a----c- C:\delete.bat
2007-12-29 20:45:22 0 d-------- C:\WINDOWS\vbSkinner
2007-12-28 20:08:35 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2007-12-28 20:06:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-28 20:05:23 0 d-------- C:\WINDOWS\cache
2007-12-28 13:42:25 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Comodo
2007-12-28 13:42:15 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-28 13:41:45 0 d-------- C:\Program Files\COMODO
2007-12-28 12:53:10 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\AVG7
2007-12-28 12:51:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-24 18:47:42 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\gtk-2.0
2007-12-24 18:47:37 0 d-------- C:\Documents and Settings\Jeff Crooks\.thumbnails
2007-12-23 20:49:39 0 d-------- C:\Documents and Settings\Jeff Crooks\.gimp-2.4
2007-12-23 20:47:31 0 d-------- C:\Program Files\GIMP-2.0
2007-12-16 22:19:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-12-16 22:19:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-12-16 22:19:21 0 d-------- C:\Program Files\Logitech
2007-12-16 18:18:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SiComponents
2007-12-16 18:17:29 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2007-12-16 18:17:16 0 d-------- C:\Program Files\DVDVideoSoft
2007-12-15 18:00:04 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-12-15 17:58:13 32768 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2007-12-15 17:58:13 20480 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2007-12-15 17:57:52 12288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL <Not Verified; Lexmark International, Inc.; Lexmark Fax Solutions Software Print Monitor>
2007-12-15 17:57:51 98345 --a------ C:\WINDOWS\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2007-12-15 17:57:50 339968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2007-12-15 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2007-12-15 17:56:38 0 d-------- C:\Program Files\Lexmark Fax Solutions
2007-12-15 17:55:08 0 d-------- C:\Program Files\Lx_cats
2007-12-15 17:51:37 0 d-------- C:\Program Files\Lexmark 2300 Series
2007-12-15 17:50:06 0 d------c- C:\Temp
2007-12-13 17:46:09 74240 --a------ C:\WINDOWS\system32\cryptainersrv.exe <Not Verified; Cypherix Software (India) Pvt. Ltd.; Cryptainer>
2007-12-13 08:38:22 653 --a----c- C:\register.bat
2007-12-12 07:18:41 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-12-08 10:32:58 0 d-------- C:\WINDOWS\Prefetch
2007-12-07 22:06:31 0 d-------- C:\Program Files\Online Services
2007-12-07 16:08:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-07 15:59:18 0 d-------- C:\Program Files\Trend Micro
2007-12-07 15:51:03 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-07 15:51:03 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-12-07 15:51:03 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-07 15:51:03 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-12-07 15:51:03 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-07 15:51:03 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-07 15:51:03 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-07 15:51:03 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-07 15:51:02 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-07 15:51:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-07 15:51:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-07 15:51:02 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-12-07 15:51:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-07 15:51:01 507904 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-06 19:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 22:16:07 0 d-------- C:\Program Files\Windows Journal Viewer
2007-12-02 12:07:33 0 d-------- C:\Program Files\Common Files\Scanner
2007-12-01 05:32:53 70112 ---hs---- C:\WINDOWS\system32\vycdd.bak2


-- Find3M Report ---------------------------------------------------------------

2008-01-01 11:57:05 0 d-------- C:\Program Files\Java
2008-01-01 02:33:26 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-31 02:14:31 0 d-------- C:\Program Files\ScreenshotCaptor
2007-12-30 18:33:52 0 d-------- C:\Program Files\Common Files
2007-12-29 20:57:04 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\OpenOffice.org2
2007-12-29 16:09:38 0 d-------- C:\Program Files\HyCam2
2007-12-28 23:00:05 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-28 20:06:37 0 d-------- C:\Program Files\Yahoo!
2007-12-25 15:13:18 16 --a------ C:\WINDOWS\popcinfo.dat
2007-12-25 10:26:12 0 d-------- C:\Program Files\QuickTime
2007-12-23 15:25:22 0 d-------- C:\Program Files\Weather Pulse
2007-12-18 18:30:51 0 d-------- C:\Program Files\Mozilla Sunbird
2007-12-16 22:21:18 0 d-------- C:\Program Files\Common Files\LogiShrd
2007-12-16 22:18:44 0 d-------- C:\Program Files\Labtec
2007-12-16 21:58:29 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Adobe
2007-12-16 20:48:00 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Apple Computer
2007-12-14 16:40:23 0 d-------- C:\Program Files\DcUpdater
2007-12-12 23:08:01 58 --a------ C:\WINDOWS\system32\DonationCoder_ScreenshotCaptor_InstallInfo.dat
2007-12-12 22:32:53 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Weather Pulse
2007-12-12 17:53:01 0 d-------- C:\Program Files\SpeedFan
2007-12-08 16:27:01 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Yahoo!
2007-12-07 22:05:38 0 d-------- C:\Program Files\Movie Maker
2007-12-07 22:04:56 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-06 17:40:53 0 d-------- C:\Program Files\OpenOffice.org 2.3
2007-12-05 22:13:42 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\FileZilla
2007-12-03 17:13:06 0 d-------- C:\Program Files\FileZilla Client
2007-12-01 09:00:05 0 d-------- C:\Program Files\Microsoft Silverlight
2007-11-30 20:42:26 0 d-------- C:\Program Files\Bonjour
2007-11-30 20:42:14 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-30 19:48:05 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-30 17:30:51 6587 --ahs---- C:\WINDOWS\system32\vycdd.bak1
2007-11-27 19:32:32 46 --a------ C:\WINDOWS\system32\DonationCoder_DrWindows_InstallInfo.dat
2007-11-21 13:32:23 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Sierra
2007-11-21 13:31:47 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-11-21 13:22:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-21 12:57:14 0 d-------- C:\Program Files\Sierra
2007-11-17 08:42:01 0 d-------- C:\Program Files\InterActual
2007-11-11 23:01:46 0 d-------- C:\Program Files\AIM6
2007-11-11 22:57:56 0 d-------- C:\Program Files\Common Files\AOL
2007-11-09 17:35:09 0 d-------- C:\Program Files\iTunes
2007-11-09 17:34:53 0 d-------- C:\Program Files\iPod
2007-11-08 16:37:38 0 d-------- C:\Documents and Settings\Jeff Crooks\Application Data\Mozilla
2007-11-07 17:16:36 0 d-------- C:\Program Files\Audacity
2007-11-04 10:04:26 0 d-------- C:\Program Files\JoshMadison
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-23 19:24:14 46 --a------ C:\WINDOWS\system32\DonationCoder_processtamer_InstallInfo.dat
2007-10-23 18:57:17 3312128 --a------ C:\WINDOWS\system32\logonuiX.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-18 22:45:48 46 --a------ C:\WINDOWS\system32\DonationCoder_dcupdater_InstallInfo.dat
2007-10-11 09:55:10 88576 --a------ C:\WINDOWS\system32\infocardapi.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2007-10-09 12:58:20 16896 --a------ C:\WINDOWS\system32\tswpfwrp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-07 17:39:15 4096 --a------ C:\WINDOWS\d3dx.dat
2007-10-05 17:18:50 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-10-02 17:18:57 335 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
C:\Program Files\Outerinfo\Outerinfo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 07:00 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/15/2007 01:27 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [07/13/2005 11:05 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [02/08/2005 06:38 PM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 03:24 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 02:12 PM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [12/13/2005 06:45 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 04:01 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 01:29 AM]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [07/20/2005 12:48 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/28/2007 12:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 10:56 AM]
"Launcher.exe"="C:\Program Files\ABF software\ABF Magnifying Tools\Launcher.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 03:11 AM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [10/02/2007 04:27 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzoa32]
winzoa32.dll 01/01/2008 02:26 AM 24576 C:\WINDOWS\system32\winzoa32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jeff Crooks^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jeff Crooks^Start Menu^Programs^Startup^Caledos Wallpaper (startup).lnk]
backup=C:\WINDOWS\pss\Caledos Wallpaper (startup).lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\58889bd7]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 2300 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitwarePKLite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
"C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SiteAdvisor Service"=2 (0x2)
"Messenger"=2 (0x2)
"lxcg_device"=3 (0x3)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE



-- End of Deckard's System Scanner: finished at 2008-01-01 12:41:10 ------------


Here is the F-Secure error I got AGAIN http://i229.photobucket.com/albums/ee189/d...secureerror.jpg

For some reason the extra one did not show up.

Edited by Booman, 01 January 2008 - 12:42 PM.

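As an added example (not part of this thread, and not code from HijackThis or Deckard's System Scanner), the script below shows how a helper triages logs like the two posted above: it parses HijackThis entry lines and DSS "Files created" lines in the formats shown, then cross-references autostart entries against recently created files. The sample lines are copied from the log in this post; the heuristics (orphaned entries, Winlogon Notify DLLs, Trusted Zone additions, autostart binaries created shortly before the scan) are the usual first things a malware-removal helper looks at, not a verdict on any particular file. The scan time is taken from the DSS footer above.

```python
"""Triage helper for HijackThis (HJT) and Deckard's System Scanner (DSS) text logs.

Added example for illustration, not part of either tool. Parses HJT entry lines
and DSS "Files created" lines in the format posted in this thread, then flags
the autostart entries a malware-removal helper normally reviews first.
"""
import re
from datetime import datetime

# Sample lines copied from the logs posted in this thread (constructed test input).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O15 - Trusted Zone: *.issist.ca
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
"""
DSS_SAMPLE = r"""
2008-01-01 02:26:11 24576 --a------ C:\WINDOWS\system32\winzoa32.dll
2008-01-01 02:14:38 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-12-15 17:58:13 32768 --a------ C:\WINDOWS\system32\LXPRMON.DLL
"""
# Scan time from the DSS footer in the posted log.
SCAN_TIME = datetime(2008, 1, 1, 12, 41, 10)

# "O20 - Winlogon Notify: ..." -> section code and the rest of the entry.
HJT_LINE = re.compile(r"^([ORFN]\d+) - (.*)$")
# A Windows path ending in a loadable/executable extension; quotes and brackets end it.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]+?\.(?:exe|dll|ocx|sys|cpl|bat)\b', re.IGNORECASE)
# "2008-01-01 02:26:11 24576 --a------ C:\...\file.dll <optional version info>"
DSS_FILE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.*?)(?:\s+<[^>]*>)?$"
)
# HJT sections whose target runs automatically at boot/logon or in the browser.
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O23"}


def parse_hjt(text):
    """Return one dict per HJT entry: section, body, extracted file path, raw line."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = WIN_PATH.search(body)
        entries.append({"section": section, "body": body,
                        "path": pm.group(0) if pm else None, "raw": raw.strip()})
    return entries


def parse_dss_files(text):
    """Map lower-cased file path -> (creation time, size) from DSS 'Files created' lines."""
    created = {}
    for raw in text.splitlines():
        m = DSS_FILE.match(raw.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        if attrs.startswith("d"):  # directory entries carry no loadable file
            continue
        created[path.lower()] = (datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(size))
    return created


def triage(entries, created, scan_time, recent_days=7):
    """Return [(raw HJT line, [reasons])] for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e["body"] or "(no file)" in e["body"]:
            reasons.append("orphaned entry: the referenced file is absent")
        if e["section"] == "O20":
            reasons.append("Winlogon Notify DLL: loaded into winlogon at logon, verify publisher")
        if e["section"] == "O15":
            reasons.append("Trusted Zone addition: site runs with relaxed IE security")
        if e["section"] in AUTOSTART_SECTIONS and e["path"]:
            hit = created.get(e["path"].lower())  # case-insensitive path match
            if hit and 0 <= (scan_time - hit[0]).days <= recent_days:
                reasons.append(f"autostart file created within {recent_days} days of the scan "
                               f"(on {hit[0]:%Y-%m-%d}, {hit[1]} bytes)")
        if reasons:
            findings.append((e["raw"], reasons))
    return findings


def run_sample():
    """Triage the sample lines embedded above."""
    return triage(parse_hjt(HJT_SAMPLE), parse_dss_files(DSS_SAMPLE), SCAN_TIME)


if __name__ == "__main__":
    for raw, reasons in run_sample():
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

Run as-is it prints four flagged entries: the two orphaned browser entries, the Trusted Zone line, and the Winlogon Notify entry, which collects two reasons because the DLL it references also appears in the DSS list as created the same day as the scan (the path comparison is case-insensitive, since HJT and DSS print SYSTEM32/system32 differently). Ordinary vendor entries such as the Synaptics Run key and the Logitech service are not flagged.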

#13 Booman

Booman
  • Topic Starter

  • Banned
  • 525 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:38 AM

Posted 01 January 2008 - 10:18 PM

OH NO! I just got Avast and guess what it found?

WIN32:CTX

No wonder! Please help me. I'm going back to my other antivirus, ZoneAlarm Internet Security Suite Pro, which I bought.

AVAST DID NOT GET RID OF IT... AVG NEVER PICKED IT UP...

#14 Yourhighness (The BSG Malware Fighter, Malware Response Team, Hamburg)

Posted 02 January 2008 - 01:24 PM

Hey Booman,

Can you please have a look whether the extra.txt file created by DSS is present in the C:\Deckard\System Scanner folder? I really want that log.
If you cannot find the log, then please do the following:
1. Close all programs and/or windows so that you have nothing open and are at your Desktop.
2. Click on Start, then click on Run.
3. In the Open: field copy and paste the entire contents inside the CODE box below and press the OK button.

"%userprofile%\Desktop\dss.exe" /config

This will open up DSS configuration.
4. Click on Check All.
5. Click Scan.
DSS will now run again.
6. When finished, please post back both logs that open in Notepad: main.txt and extra.txt.

Once you have posted the logs, we will go ahead. Thanks.

Edited by Yourhighness, 02 January 2008 - 01:26 PM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#15 Booman (Topic Starter)

Posted 02 January 2008 - 03:53 PM

Here is the extra log:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 81%
Physical Memory (total/avail): 382.48 MiB / 71.24 MiB
Pagefile Memory (total/avail): 919.82 MiB / 207.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.57 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 42.01 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6025GAS - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: COMODO Firewall Pro v3.0 (COMODO)
AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Smart PC Solutions\\1-2-3 Spyware Free\\SpywareFree.exe"="C:\\Program Files\\Smart PC Solutions\\1-2-3 Spyware Free\\SpywareFree.exe:*:Enabled:Protecting from spyware and adware can be easy and effective!"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jeff Crooks\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JEFFSLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jeff Crooks
LOGONSERVER=\\JEFFSLAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JEFFCR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JEFFCR~1\LOCALS~1\Temp
USERDOMAIN=JEFFSLAPTOP
USERNAME=Jeff Crooks
USERPROFILE=C:\Documents and Settings\Jeff Crooks
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jeff Crooks (admin)
Dad (new local, admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\5bc0f8414ec36c555a3e7e5ec2e225e\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\c3c7fe8b09d497ab2b3fd91c9353390\Setup.exe
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Setup --> MsiExec.exe /I{2274624C-5B38-41AD-AD27-CEC0924EB628}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{D504303A-717D-414C-BA9F-FE01093E2EF8}
Adobe Setup --> MsiExec.exe /I{FFC1ADE3-944B-4231-894E-3903C37271D2}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Adobe Stock Photos CS3 --> C:\Program Files\Common Files\Adobe\Installers\cbb2ea61da9c780bd7e47a5230a9ed7\Setup.exe
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
ANNO 1602 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C781ED5-4C2A-4495-875B-85CC9266F1F0}\Setup.exe"
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Broadcom 802.11 Wireless LAN Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
CA Yahoo! Anti-Spy (remove only) --> "C:\Program Files\CA Yahoo! Anti-Spy\uninstall.exe"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta3091.inf
Convert --> MsiExec.exe /X{23970E31-948B-466E-8376-1224D32FDF0C}
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C\HXFSETUP.EXE -U -IVEN_1002&DEV_4378&SUBSYS_3091103C
DcUpdater 1.23.01 --> "C:\Program Files\DcUpdater\unins000.exe"
Empire Earth II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF315348-721C-40B8-BAE2-58C6C7D935A2}\setup.exe" -l0x9 -removeonly
Empire Earth II: The Art of Supremacy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F596C356-BF35-4ED7-981C-CC791461A8F0}\setup.exe" -l0x9 -removeonly
FileZilla Client 3.0.4.1 --> C:\Program Files\FileZilla Client\uninstall.exe
Free Video to Mp3 Converter version 2.8 --> "C:\Program Files\DVDVideoSoft\Free Video to Mp3 Converter\unins000.exe"
Free YouTube to iPod Converter version 2.8 --> "C:\Program Files\DVDVideoSoft\Free YouTube to iPod Converter\unins000.exe"
GIMP 2.4.2 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\Setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 C1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\Setup.exe" -l0x9 hpquninst
HyperCam 2 --> "C:\Program Files\HyCam2\UnHyCam2.exe"
InterVideo DVD Check --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D97A4A7-C274-4B63-86D9-07A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Labtec Legacy USB Camera Driver Package --> "C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\10.51.1130\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"legacyqcam_10.51" /clone_wait /hide_progress
Lexmark 2300 Series --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcgUNST.EXE -NOLICENSE
Lexmark Fax Solutions --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe
Logitech Audio Echo Cancellation Component --> MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech QuickCam --> MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Logitech QuickCam Driver Package --> "C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.50.1145\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.50" /clone_wait /hide_progress
Logitech Video Enumerator --> MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Sunbird (0.7) --> C:\Program Files\Mozilla Sunbird\uninstall\uninst.exe
Mozilla Thunderbird (2.0.0.9) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Quick Launch Buttons 5.10 B5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\Setup.exe" -l0x9 -uninst
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Screenshot Captor 2.37.03 --> "E:\ScreenshotCaptor\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FF6F491D-BC82-4DCC-A72F-1824957C6466} /l1033
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}\setup.exe -runfromtemp -l0x0409
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Uniblue SpeedUpMyPC 3 --> "C:\Program Files\Uniblue\SpeedUpMyPC 3\unins000.exe"
Uniblue SpyEraser --> "C:\Program Files\Uniblue\SpyEraser\unins000.exe"
Uninstall 1.0.0.0 --> "C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Weather Pulse 2.05 build 36 --> "E:\Weather Pulse\unins000.exe"
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_6FE44FCD212D4A086C7BC0C98B9A619782073FB7\amdk8.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type89 / Warning
Event Submitted/Written: 01/01/2008 00:01:03 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'

Event Record #/Type88 / Warning
Event Submitted/Written: 01/01/2008 00:01:03 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type87 / Warning
Event Submitted/Written: 01/01/2008 00:01:03 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'

Event Record #/Type86 / Warning
Event Submitted/Written: 01/01/2008 00:01:03 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type84 / Warning
Event Submitted/Written: 01/01/2008 00:00:45 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6751 / Error
Event Submitted/Written: 01/01/2008 11:57:20 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type6748 / Error
Event Submitted/Written: 01/01/2008 11:57:20 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type6745 / Error
Event Submitted/Written: 01/01/2008 11:57:19 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type6742 / Error
Event Submitted/Written: 01/01/2008 11:57:19 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type6739 / Error
Event Submitted/Written: 01/01/2008 11:57:19 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-01-01 12:28:25 ------------

What are we going to do about this WIN32:CTX worm?
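The Security Center section of the extra.txt above lists the Windows Firewall exceptions this machine has accepted (the AuthorizedApplications\List values under the Domain and Standard profiles). As an added example that is not part of the original thread or of Deckard's System Scanner, the Python below parses that block out of a DSS-style log and flags the entries a malware-response helper would look at first: an executable living outside Program Files or the Windows directory, or one borrowing a system process name (svchost.exe and friends) from somewhere other than System32. The registry export format is the real one; the sample log text inside the script is constructed to mirror the lines on this page, and the Temp\svchost.exe entry is invented for illustration and is not on the poster's machine.

```python
"""Pull Windows Firewall exceptions out of a DSS extra.txt and flag the odd ones.

Added example, not part of the original thread or of Deckard's System Scanner.
Registry export format (real): under a
  [HKLM\\...\\FirewallPolicy\\<Profile>\\AuthorizedApplications\\List]
key, each line is  "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
with backslashes doubled. SAMPLE below is constructed to mirror that format;
the Temp\\svchost.exe entry is invented for illustration.
"""
import re
from dataclasses import dataclass

SAMPLE = r'''
-- Security Center -------------------------------------------------------------

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Documents and Settings\\User\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\svchost.exe:*:Enabled:Windows Update"
"C:\\Program Files\\Old Tool\\old.exe"="C:\\Program Files\\Old Tool\\old.exe:LocalSubNet:Disabled:Old Tool"

-- Environment Variables -------------------------------------------------------
'''

KEY_RE = re.compile(r"^\[HKLM\\.*\\FirewallPolicy\\(\w+)\\AuthorizedApplications\\List\]$")
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]*)"$')

# Where a legitimately installed program normally lives on an XP box.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")
# Names malware likes to borrow; outside System32 they deserve a look.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe"}


@dataclass
class FirewallException:
    profile: str
    path: str
    scope: str      # "*" = any remote address, else e.g. "LocalSubNet"
    enabled: bool
    name: str
    flags: tuple


def classify(path: str, scope: str) -> tuple:
    """Return the review flags for one exception."""
    flags = []
    low = path.lower()
    if scope == "*":
        flags.append("any-remote-address")
    if not low.startswith(TRUSTED_PREFIXES):
        flags.append("unusual-location")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not low.startswith("c:\\windows\\system32\\"):
        flags.append("system-name-outside-system32")
    return tuple(flags)


def parse_authorized_apps(text: str) -> list:
    """Walk a DSS log and return every AuthorizedApplications entry found."""
    profile = None          # set while inside an AuthorizedApplications\List key
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") or line.startswith("--"):
            m = KEY_RE.match(line)
            profile = m.group(1) if m else None   # any other key/section ends the block
            continue
        if profile is None:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if not val.startswith(key + ":"):
            continue            # not the path:scope:state:name shape we expect
        parts = val[len(key) + 1:].split(":", 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        path = key.replace("\\\\", "\\")      # undo the export's doubled backslashes
        entries.append(FirewallException(profile, path, scope, state == "Enabled",
                                         name, classify(path, scope)))
    return entries


def review(entries: list) -> list:
    """Entries worth a closer look: location or naming oddities, not just scope '*'
    (almost every legitimate exception on a home machine uses '*')."""
    return [e for e in entries if set(e.flags) - {"any-remote-address"}]


if __name__ == "__main__":
    for e in review(parse_authorized_apps(SAMPLE)):
        print(f"{e.profile}: {e.path} ({e.name}) -> {', '.join(e.flags)}")
```

Point it at a real extra.txt by reading the file into `parse_authorized_apps` instead of `SAMPLE`. Scope `*` is deliberately not enough on its own to surface an entry, since every messenger client on this page uses it; the location and name checks are what separate an ordinary chat program from something that has added itself to the exception list.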



