
It Seems To Be The Same As Everyone Else


  • This topic is locked
21 replies to this topic

#1 award001

  • Members
  • 19 posts

Posted 28 January 2008 - 01:43 AM

I have been reading the forums and my problem seems to be like everyone else's. I get pop-ups from "web buying" and all sorts of other sites. Some are even trying to get you to buy anti-virus software. I have tried several of the methods given out but I still can't get rid of the pop-ups. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:49 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PT_CancelPopups.clsPopups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: PT_FilterLinks.clsBypass - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra 'Tools' menuitem: View All Pics - {011D31E2-52A7-4703-8923-585EE67C112B} - C:\Program Files\Picture Tools\Ext_ViewAllPics.exe
O9 - Extra button: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra 'Tools' menuitem: Download Pics - {0229FA56-9A3D-4018-9017-1918F8EC2C93} - C:\Program Files\Picture Tools\Ext_DownloadPics.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {49C4ECB2-9676-4253-8E76-F333EE7E5513} (QDiagDAUUpdateObj Class) - http://autoupdate.dellfix.com/html/qdiagdau.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201369010078
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553340000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 10545 bytes

#2 award001

  • Topic Starter

  • Members
  • 19 posts

Posted 01 February 2008 - 02:23 PM

I don't know what the time should be before I post again, but here is an updated log if someone can please help. It is so bad I have had 2 pop-ups while I was typing this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:17 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\a-squared Anti-Malware\a2HiJackFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PT_CancelPopups.clsPopups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: PT_FilterLinks.clsBypass - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1007\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {49C4ECB2-9676-4253-8E76-F333EE7E5513} (QDiagDAUUpdateObj Class) - http://autoupdate.dellfix.com/html/qdiagdau.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201369010078
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553340000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 9915 bytes

#3 silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 08 February 2008 - 01:58 AM

Hi award001,

I'm sorry it's taken so long for you to get a response. If you still need help, please do as follows:

  • Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save).
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Make sure Format -> Word Wrap is unchecked.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
Once complete, please post both DSS logs; you won't need to produce a new HijackThis log, as DSS produces one for you.
Teacher at Malware Removal University | ASAP & UNITE Member

#4 award001

  • Topic Starter

  • Members
  • 19 posts

Posted 08 February 2008 - 11:45 AM

Here are the updated logs as you requested; thank you so much for your help. I will love the day I no longer get all these pop-ups.

Deckard's System Scanner v20071014.68
Run by Aaron on 2008-02-08 11:38:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Aaron.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:29 AM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cox\Applications\app\ARSAsync.exe
C:\WINDOWS\explorer.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\Aaron\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Aaron.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PT_CancelPopups.clsPopups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: PT_FilterLinks.clsBypass - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {49C4ECB2-9676-4253-8E76-F333EE7E5513} (QDiagDAUUpdateObj Class) - http://autoupdate.dellfix.com/html/qdiagdau.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201369010078
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553340000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 9439 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080126-105437-223 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
backup-20080126-111123-506 O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vysmryja.exe (file missing)
backup-20080126-114409-546 O2 - BHO: (no name) - {56ADD593-E7D2-4585-93D8-4DE49EB44133} - C:\WINDOWS\system32\jkhhh.dll (file missing)
backup-20080126-114453-982 O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
backup-20080126-114511-301 O2 - BHO: (no name) - {ad2f8dd1-6af1-47b8-ab75-4ce27c7c00ab} - C:\WINDOWS\system32\dupsrcj.dll
backup-20080126-114511-487 O2 - BHO: (no name) - {78375E69-D8D3-4D1E-A924-81B5A7B0D56F} - C:\Program Files\MSN\wofelep4444.dll (file missing)
backup-20080126-114512-268 O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
backup-20080126-114702-184 O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
backup-20080126-114702-253 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20080126-114702-385 O2 - BHO: (no name) - {2160D11E-46CD-463F-9187-2EDA2575AAED} - C:\Program Files\MSN\wofelep83122.dll (file missing)
backup-20080126-114702-584 O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
backup-20080126-114702-863 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
backup-20080126-114702-939 O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
backup-20080126-114708-252 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080126-114708-833 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080126-114848-901 O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
backup-20080126-121200-783 O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro .exe -rem

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 catchme - c:\docume~1\aaron\locals~1\temp\catchme.sys (file missing)
3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
3 dump_wmimmc - e:\aaron's stuff\nexon\maplestory\gameguard\dump_wmimmc.sys (file missing)
2 GRTdiMon (GR TDI Mon) - c:\windows\system32\drivers\grtdimon.sys <Not Verified; Global RISC; NSX>
2 npkcrypt - e:\aaron's stuff\nexon\maplestory\npkcrypt.sys (file missing)
3 TnIDriver - c:\docume~1\aaron\locals~1\temp\tni5f.tmp (file missing)
1 USBINTELL - c:\windows\system32\drivers\usbintell.sys
3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 a2AntiMalware (a-squared Anti-Malware Service) - c:\program files\a-squared anti-malware\a2service.exe
2 Apple Mobile Device - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
2 CurtainsSysSvc (Curtains for Windows System Service) - c:\program files\cox\applications\app\curtainssyssvcnt.exe <Not Verified; Authentium, Inc.; Curtains for Windows>
3 DSBrokerService - c:\program files\dellsupport\brkrsvc.exe
3 gusvc (Google Updater Service) - c:\program files\google\common\google updater\googleupdaterservice.exe (file missing)
3 nmraapache (Pure Networks Net2Go Service) - c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe
2 nmservice (Pure Networks Network Magic Service) - c:\program files\pure networks\network magic\nmsrvc.exe
2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-02-08 10:30:13 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-02-08 10:27:06 260 --a------ C:\WINDOWS\Tasks\CLEANMGR.job
2008-02-08 09:52:33 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-08 and 2008-02-08 -----------------------------

2008-02-08 10:40:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 17:34:32 0 d-------- C:\Documents and Settings\Sammi\Application Data\Yahoo!
2008-02-07 13:00:50 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-07 11:57:07 0 d-------- C:\Program Files\Common Files\Corel
2008-02-05 09:29:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 12:16:36 0 dr-h----- C:\Documents and Settings\Aaron\Recent
2008-01-31 13:21:27 0 d-------- C:\Program Files\Sun
2008-01-28 01:00:30 1942 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-27 17:01:10 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-26 10:49:05 0 d-------- C:\Program Files\Trend Micro
2008-01-26 00:10:16 0 d-------- C:\Program Files\CCleaner
2008-01-25 16:11:03 0 d-------- C:\WINDOWS\ERUNT
2008-01-25 00:17:31 0 d-------- C:\Program Files\Windows Defender
2008-01-24 13:09:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-01-24 10:17:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:22:56 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-01-23 15:41:09 155648 --a------ C:\WINDOWS\system32\NeroCheck .exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-01-23 14:02:11 0 d-------- C:\Program Files\Alwil Software
2008-01-23 13:35:19 0 d-------- C:\Documents and Settings\Aaron\Application Data\Sammsoft
2008-01-22 23:11:15 0 d--h----- C:\WINDOWS\PIF
2008-01-22 22:51:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-01-22 22:51:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-22 22:51:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-22 22:51:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-01-22 22:51:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-22 22:51:34 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-22 22:51:33 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-22 17:07:59 364594 --ahs---- C:\WINDOWS\system32\hhhkj.ini2
2008-01-22 14:47:11 0 d-------- C:\Documents and Settings\Aaron\Incomplete
2008-01-22 13:30:47 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-22 13:27:37 86016 --a------ C:\WINDOWS\system32\drivers\USBINTELL.sys
2008-01-22 13:27:29 0 d-------- C:\WINDOWS\system32\winzs6
2008-01-22 13:27:29 0 d-------- C:\WINDOWS\system32\extz1
2008-01-22 13:27:28 0 d-------- C:\WINDOWS\system32\nui4
2008-01-22 13:27:28 0 d-------- C:\WINDOWS\system32\comm7
2008-01-22 13:27:25 0 d-------- C:\WINDOWS\system32\nGpxx18
2008-01-21 12:29:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-02-08 10:40:24 0 d-------- C:\Program Files\Common Files
2008-02-07 13:00:51 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-07 12:59:42 0 dr-h----- C:\Documents and Settings\Aaron\Application Data\yahoo!
2008-02-07 12:08:41 0 d-------- C:\Documents and Settings\Aaron\Application Data\Corel
2008-02-07 12:06:55 2568 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-07 11:57:07 0 d-------- C:\Program Files\Corel
2008-02-01 13:49:49 0 d-------- C:\Program Files\ItsDeductible2005
2008-02-01 13:44:43 0 d-------- C:\Program Files\TurboTax
2008-02-01 13:44:15 0 d-------- C:\Program Files\Common Files\Intuit
2008-01-31 13:21:08 0 d-------- C:\Program Files\Java
2008-01-28 11:09:00 0 d-------- C:\Program Files\Fisher-Price
2008-01-28 11:08:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-25 21:02:22 0 d-------- C:\Program Files\Common Files\PestPatrol
2008-01-24 13:12:09 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-01-24 12:00:51 0 d-------- C:\Program Files\MSECACHE
2008-01-23 18:27:09 0 d-------- C:\Program Files\QuickTime
2008-01-23 18:21:44 0 d-------- C:\Program Files\DellSupport
2008-01-23 17:53:03 0 d-------- C:\Program Files\iTunes
2008-01-23 17:53:00 0 d-------- C:\Program Files\ESPNRunTime
2008-01-23 17:52:56 0 d-------- C:\Program Files\Dell AIO Printer A920
2008-01-23 17:52:36 0 d-------- C:\Program Files\Browser MOUSE
2008-01-22 14:45:53 0 d-------- C:\Documents and Settings\Aaron\Application Data\LimeWire
2007-12-28 10:15:20 0 d-------- C:\Program Files\iPod
2007-12-25 23:33:40 0 d-------- C:\Program Files\Pure Networks
2007-12-24 18:50:59 0 d-------- C:\Program Files\DIFX
2007-12-18 15:52:42 0 d-------- C:\Documents and Settings\Aaron\Application Data\CherryHill
2007-12-15 01:53:52 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [01/07/2008 05:56 PM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [03/14/2007 03:42 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [8/10/2004 2:04:12 PM]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [9/4/2005 11:04:51 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhh




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7904 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-08 11:41:22 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 72%
Physical Memory (total/avail): 253.98 MiB / 70.23 MiB
Pagefile Memory (total/avail): 623.72 MiB / 264.72 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.82 MiB

C: is Fixed (NTFS) - 33.7 GiB total, 19.14 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 149.05 GiB total, 135.86 GiB free.


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Aaron\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DGH5M561
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Aaron
LOGONSERVER=\\DGH5M561
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
TMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
USERDOMAIN=DGH5M561
UserInitLogonScript=
UserInitLogonServer=DGH5M561
UserInitOptimizedLogon=0
USERNAME=Aaron
USERPROFILE=C:\Documents and Settings\Aaron
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Aaron (admin)
Sammi (admin)
Alaina
Liam
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AAFE9B0-B60B-4B12-B22D-6B15507502E5}\Setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Malware 3.1 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
Action Replay Code Manager --> "E:\Liam's Stuff\Action Replay Code Manager\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AudibleManager --> C:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
Auto Update --> C:\Documents and Settings\All Users\Application Data\GTek\QDiagDAU\GTQDUnin.exe /uninstall
Banctec Service Agreement --> MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
Browser Mouse --> C:\Program Files\Browser Mouse\uninst00.exe
CA Yahoo! Anti-Spy (remove only) --> "C:\Program Files\CA Yahoo! Anti-Spy\uninstall.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Corel Paint Shop Pro Photo XI --> MsiExec.exe /X{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}
Cox (CVUS) --> MsiExec.exe /I{5BD7238A-6B67-41FE-AC97-E59A71838F4D}
Cox High Speed Internet Security Suite --> "C:\Program Files\Cox\Applications\app\repair.exe" -remove
Cox Online Support Controls --> "C:\Program Files\SupportSoft\unins000.exe"
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Data Lifeguard Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Dell AIO Printer A920 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ESP --> MsiExec.exe /I{F61BC717-3F50-457D-86AC-DA5D537D1850}
ESPN RunTime --> C:\Program Files\ESPNRunTime\DIGSvcUninstall.exe /brand=ESPN
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Image Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}\Setup.exe" UNINSTALL
ImageMixer for Sony --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B4AA674-F5CA-4BB5-831A-CD37B4021959}\setup.exe"
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040}
LG GSM PC Components --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB8251EE-C86B-410D-83B2-1E28E9DE2C2B}\Setup.exe" -l0x9
LG USB Modem Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\setup.exe" -l0x9 -removeonly
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Aaron\Application Data\Move Networks\ie_bin\Uninst.exe
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Aaron\Application Data\Move Networks\ie_bin\unins000.exe"
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
MuVo Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AAFE9B0-B60B-4B12-B22D-6B15507502E5}\Setup.exe" -l0x9 /remove
Nero --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Network Magic --> MsiExec.exe /X{D5773BFA-5967-4A1C-AD0F-FFFD0D13FC36}
Norton Spyware Scan provided by Yahoo! --> C:\PROGRA~1\Yahoo!\common\unynss.exe
Picture Tools v3.03 --> MsiExec.exe /X{E025271C-EB41-4587-9864-1239DF5682AE}
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9 -removeonly
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Web Photo Album 0.9 Beta --> "C:\Program Files\Web Photo Album\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Driver Package - Pure Networks, Inc. Network Magic Device Discovery Driver (03/23/2007 4.1.7082.0) --> rundll32.exe C:\PROGRA~1\DIFX\B7A8D76A63BBE060C656AA54D656BF7D1C31D4C3\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\pnarp_5F686DCD97D2EA9F74BD89FAA7E73B89CD47B120\pnarp.inf
Windows Driver Package - Pure Networks, Inc. Network Magic Wireless Driver (03/23/2007 4.1.7082.0) --> rundll32.exe C:\PROGRA~1\DIFX\B7A8D76A63BBE060C656AA54D656BF7D1C31D4C3\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\purendis_9DF8D460DEEF667AF7B1AA85404140673EC025C2\purendis.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL
Yahoo! Photos Easy Upload Tool --> C:\Program Files\Yahoo!\Common\ydropper_uninst.exe /ylog=C:\PROGRA~1\Yahoo!\Photos\Uploader\install.log
Yahoo! Photos Print-at-Home Tool --> C:\WINDOWS\unins000.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4816 / Warning
Event Submitted/Written: 02/08/2008 07:55:41 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type4815 / Warning
Event Submitted/Written: 02/08/2008 06:45:01 AM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}. CoGetObject returned HRESULT 8000401A.

Event Record #/Type4811 / Error
Event Submitted/Written: 02/07/2008 07:59:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16574, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type4806 / Error
Event Submitted/Written: 02/07/2008 10:29:45 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 295863528.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type4805 / Error
Event Submitted/Written: 02/07/2008 10:28:32 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application acrord32.exe, version 7.0.8.218, faulting module unknown, version 0.0.0.0, fault address 0x24002bcb.
Processing media-specific event for [acrord32.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18709 / Error
Event Submitted/Written: 02/08/2008 10:27:23 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%3

Event Record #/Type18688 / Error
Event Submitted/Written: 02/08/2008 06:39:57 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%3

Event Record #/Type18666 / Error
Event Submitted/Written: 02/07/2008 05:25:13 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%3

Event Record #/Type18665 / Error
Event Submitted/Written: 02/07/2008 05:24:25 PM / 02/07/2008 05:24:55 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'core.cache.dsk' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type18661 / Error
Event Submitted/Written: 02/07/2008 03:21:24 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-02-08 11:41:22 ------------

#5 silver

  • Members
  • 480 posts
  • OFFLINE
  • Location:GMT+7
  • Local time:05:40 PM

Posted 08 February 2008 - 09:46 PM

Hi award001,

Turn on System Restore and make a new Restore Point:
Right-click My Computer (on the Desktop or Start Menu) and select Properties
Choose the System Restore tab
Make sure Turn off System Restore is UN-checked and press OK
Then click Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like Before fix then press the Create button and once it's done press Close

Temporarily disable Windows Defender:
  • Right-click on the Windows Defender icon in the system tray and select Open
  • Click on Tools from the top menu, then press Options
  • Scroll down to Real-time protection options, uncheck Use real-time protection and press Save
  • Close Windows Defender
------------------------------------------------------------------------

You have Neopets Toolbar installed. I recommend you remove this because it can cause browser redirects to advertising sites, see here for more information. To remove it, please select Start->All Programs, look for the Neopets Toolbar folder, and if there is an uninstaller link then please select it to uninstall the program. If the folder or uninstaller link is not present, don't worry, we can use HijackThis to manually remove it.

------------------------------------------------------------------------

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

F2 - REG:system.ini: Shell=
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab

If you chose to remove Neopets Toolbar, then also select these lines:

O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll

Restrictions have been placed on Internet Explorer control panel options, probably for security reasons by Spybot S&D. If, however, you wish to remove these restrictions then please check these lines also:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
NOTE: I have attached this file as runme.txt to this post so you can download it if you prefer.
    @echo off
    sc stop TnIDriver
    sc delete TnIDriver
    sc stop USBINTELL
    sc delete USBINTELL
    echo REGEDIT4 > temp.reg
    echo.>> temp.reg
    echo [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] >> temp.reg
    echo "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 >> temp.reg
    echo.>> temp.reg
    regedit /s temp.reg
    del temp.reg
    del runme.bat
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt Standard List:
    C:\WINDOWS\system32\drivers\USBINTELL.sys
    C:\WINDOWS\system32\winzs6
    C:\WINDOWS\system32\extz1
    C:\WINDOWS\system32\nui4
    C:\WINDOWS\system32\comm7
    C:\WINDOWS\system32\nGpxx18
    c:\docume~1\aaron\locals~1\temp\tni5f.tmp
    C:\WINDOWS\system32\hhhkj.ini2
    C:\WINDOWS\system32\jkhhh.dll
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

------------------------------------------------------------------------

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear, click the Check All button, then un-check everything in the Extra Log section and press Scan!
------------------------------------------------------------------------

Once complete, please post the OTMoveIt report and the new DSS main.txt

Edited by silver, 08 February 2008 - 10:16 PM.

Teacher at Malware Removal University | ASAP & UNITE Member
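The REGEDIT4 line in the batch file above rewrites the LSA "Authentication Packages" value, a REG_MULTI_SZ whose DLLs lsass.exe loads at boot, back to the clean default of msv1_0 alone. As an added example (not part of this thread or of any tool mentioned in it), this Python snippet decodes that hex(7) value and checks a decoded list against that baseline; the tampered value at the end is constructed for illustration and "badpkg.dll" is a placeholder name.

```python
import re

# The line the batch file in the post above writes into temp.reg
# (REGEDIT4 format, so hex(7) bytes are single-byte ANSI, not UTF-16).
REG_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Known-clean value for this key on Windows XP: only the MSV1_0 package.
# Every DLL listed here is loaded into lsass.exe at boot, which is why
# an extra entry here survives deleting the usual Run keys.
BASELINE = ["msv1_0"]


def parse_hex7(value: str) -> list[str]:
    """Decode a REGEDIT4 'hex(7):aa,bb,...' value into its list of strings."""
    m = re.fullmatch(r"hex\(7\):([0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)",
                     value.strip())
    if not m:
        raise ValueError(f"not a hex(7) value: {value!r}")
    raw = bytes(int(b, 16) for b in m.group(1).split(","))
    # REG_MULTI_SZ: each string is NUL-terminated, list ends with an extra NUL.
    return [s for s in raw.decode("latin-1").split("\0") if s]


def encode_hex7(strings: list[str]) -> str:
    """Inverse of parse_hex7: the hex(7) text to put in a REGEDIT4 file."""
    raw = "".join(s + "\0" for s in strings) + "\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw.encode("latin-1"))


def parse_reg_value_line(line: str) -> tuple[str, list[str]]:
    """Split a '"Name"=hex(7):...' line into (name, decoded strings)."""
    name, _, value = line.partition("=")
    return name.strip().strip('"'), parse_hex7(value)


def unexpected_packages(packages: list[str],
                        baseline: list[str] = BASELINE) -> list[str]:
    """Entries not in the clean baseline (case-insensitive), in log order."""
    allowed = {p.lower() for p in baseline}
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    name, pkgs = parse_reg_value_line(REG_LINE)
    print(name, pkgs, unexpected_packages(pkgs))
    # Constructed example of what a tampered value would decode to;
    # "badpkg.dll" is a placeholder, not a name from the thread.
    tampered = encode_hex7(["msv1_0", "badpkg.dll"])
    print(tampered, unexpected_packages(parse_hex7(tampered)))
```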

#6 award001 (Topic Starter, Members, 19 posts)

Posted 09 February 2008 - 01:37 PM

OT Moveit log file.

File move failed. C:\WINDOWS\system32\drivers\USBINTELL.sys scheduled to be moved on reboot.
C:\WINDOWS\system32\winzs6 moved successfully.
C:\WINDOWS\system32\extz1 moved successfully.
C:\WINDOWS\system32\nui4 moved successfully.
C:\WINDOWS\system32\comm7 moved successfully.
C:\WINDOWS\system32\nGpxx18 moved successfully.
File/Folder c:\docume~1\aaron\locals~1\temp\tni5f.tmp not found.
C:\WINDOWS\system32\hhhkj.ini2 moved successfully.
File/Folder C:\WINDOWS\system32\jkhhh.dll not found.

OTMoveIt2 v1.0.19 log created on 02092008_131458

Edited by award001, 09 February 2008 - 01:40 PM.


#7 award001 (Topic Starter, Members, 19 posts)

Posted 09 February 2008 - 01:39 PM

Deckard's System Scanner v20071014.68
Run by Aaron on 2008-02-09 13:41:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Aaron.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:16 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cox\Applications\app\ARSAsync.exe
C:\WINDOWS\explorer.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Aaron\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Aaron.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PT_CancelPopups.clsPopups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: PT_FilterLinks.clsBypass - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {49C4ECB2-9676-4253-8E76-F333EE7E5513} (QDiagDAUUpdateObj Class) - http://autoupdate.dellfix.com/html/qdiagdau.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201369010078
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553340000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 9135 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080126-105437-223 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
backup-20080126-111123-506 O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vysmryja.exe (file missing)
backup-20080126-114409-546 O2 - BHO: (no name) - {56ADD593-E7D2-4585-93D8-4DE49EB44133} - C:\WINDOWS\system32\jkhhh.dll (file missing)
backup-20080126-114453-982 O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
backup-20080126-114511-301 O2 - BHO: (no name) - {ad2f8dd1-6af1-47b8-ab75-4ce27c7c00ab} - C:\WINDOWS\system32\dupsrcj.dll
backup-20080126-114511-487 O2 - BHO: (no name) - {78375E69-D8D3-4D1E-A924-81B5A7B0D56F} - C:\Program Files\MSN\wofelep4444.dll (file missing)
backup-20080126-114512-268 O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
backup-20080126-114702-184 O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
backup-20080126-114702-253 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20080126-114702-385 O2 - BHO: (no name) - {2160D11E-46CD-463F-9187-2EDA2575AAED} - C:\Program Files\MSN\wofelep83122.dll (file missing)
backup-20080126-114702-584 O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
backup-20080126-114702-863 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
backup-20080126-114702-939 O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
backup-20080126-114708-252 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080126-114708-833 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080126-114848-901 O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
backup-20080126-121200-783 O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro .exe -rem
backup-20080209-130548-388 O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
backup-20080209-130548-439 F2 - REG:system.ini: Shell=
backup-20080209-130548-783 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080209-130548-858 O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
backup-20080209-130549-177 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
backup-20080209-130549-983 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 catchme - c:\docume~1\aaron\locals~1\temp\catchme.sys (file missing)
3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
3 dump_wmimmc - e:\aaron's stuff\nexon\maplestory\gameguard\dump_wmimmc.sys (file missing)
2 GRTdiMon (GR TDI Mon) - c:\windows\system32\drivers\grtdimon.sys <Not Verified; Global RISC; NSX>
2 npkcrypt - e:\aaron's stuff\nexon\maplestory\npkcrypt.sys (file missing)
1 USBINTELL - c:\windows\system32\drivers\usbintell.sys
3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 a2AntiMalware (a-squared Anti-Malware Service) - c:\program files\a-squared anti-malware\a2service.exe
2 Apple Mobile Device - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
2 CurtainsSysSvc (Curtains for Windows System Service) - c:\program files\cox\applications\app\curtainssyssvcnt.exe <Not Verified; Authentium, Inc.; Curtains for Windows>
3 DSBrokerService - c:\program files\dellsupport\brkrsvc.exe
3 gusvc (Google Updater Service) - c:\program files\google\common\google updater\googleupdaterservice.exe (file missing)
3 nmraapache (Pure Networks Net2Go Service) - c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe
2 nmservice (Pure Networks Network Magic Service) - c:\program files\pure networks\network magic\nmsrvc.exe
2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-09 13:22:07 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-02-09 13:18:27 260 --a------ C:\WINDOWS\Tasks\CLEANMGR.job
2008-02-08 09:52:33 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-09 and 2008-02-09 -----------------------------

2008-02-08 10:40:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 17:34:32 0 d-------- C:\Documents and Settings\Sammi\Application Data\Yahoo!
2008-02-07 13:00:50 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-07 11:57:07 0 d-------- C:\Program Files\Common Files\Corel
2008-02-05 09:29:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 12:16:36 0 dr-h----- C:\Documents and Settings\Aaron\Recent
2008-01-31 13:21:27 0 d-------- C:\Program Files\Sun
2008-01-28 01:00:30 1942 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-27 17:01:10 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-26 10:49:05 0 d-------- C:\Program Files\Trend Micro
2008-01-26 00:10:16 0 d-------- C:\Program Files\CCleaner
2008-01-25 16:11:03 0 d-------- C:\WINDOWS\ERUNT
2008-01-25 00:17:31 0 d-------- C:\Program Files\Windows Defender
2008-01-24 13:09:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-01-24 10:17:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:22:56 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-01-23 15:41:09 155648 --a------ C:\WINDOWS\system32\NeroCheck .exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-01-23 14:02:11 0 d-------- C:\Program Files\Alwil Software
2008-01-23 13:35:19 0 d-------- C:\Documents and Settings\Aaron\Application Data\Sammsoft
2008-01-22 23:11:15 0 d--h----- C:\WINDOWS\PIF
2008-01-22 22:51:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-01-22 22:51:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-22 22:51:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-22 22:51:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-01-22 22:51:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-22 22:51:34 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-22 22:51:33 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-22 14:47:11 0 d-------- C:\Documents and Settings\Aaron\Incomplete
2008-01-22 13:30:47 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-22 13:27:37 86016 --a------ C:\WINDOWS\system32\drivers\USBINTELL.sys
2008-01-21 12:29:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-02-09 13:03:43 31000 --a----c- C:\Documents and Settings\Aaron\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 18:24:37 0 d-------- C:\Documents and Settings\Aaron\Application Data\Corel
2008-02-08 18:22:57 2568 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-08 10:40:24 0 d-------- C:\Program Files\Common Files
2008-02-07 13:00:51 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-07 12:59:42 0 dr-h----- C:\Documents and Settings\Aaron\Application Data\yahoo!
2008-02-07 11:57:07 0 d-------- C:\Program Files\Corel
2008-02-01 13:49:49 0 d-------- C:\Program Files\ItsDeductible2005
2008-02-01 13:44:43 0 d-------- C:\Program Files\TurboTax
2008-02-01 13:44:15 0 d-------- C:\Program Files\Common Files\Intuit
2008-01-31 13:21:08 0 d-------- C:\Program Files\Java
2008-01-28 11:09:00 0 d-------- C:\Program Files\Fisher-Price
2008-01-28 11:08:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-25 21:02:22 0 d-------- C:\Program Files\Common Files\PestPatrol
2008-01-24 13:12:09 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-01-24 12:00:51 0 d-------- C:\Program Files\MSECACHE
2008-01-23 18:27:09 0 d-------- C:\Program Files\QuickTime
2008-01-23 18:21:44 0 d-------- C:\Program Files\DellSupport
2008-01-23 17:53:03 0 d-------- C:\Program Files\iTunes
2008-01-23 17:53:00 0 d-------- C:\Program Files\ESPNRunTime
2008-01-23 17:52:56 0 d-------- C:\Program Files\Dell AIO Printer A920
2008-01-23 17:52:36 0 d-------- C:\Program Files\Browser MOUSE
2008-01-22 14:45:53 0 d-------- C:\Documents and Settings\Aaron\Application Data\LimeWire
2007-12-28 10:15:20 0 d-------- C:\Program Files\iPod
2007-12-25 23:33:40 0 d-------- C:\Program Files\Pure Networks
2007-12-24 18:50:59 0 d-------- C:\Program Files\DIFX
2007-12-18 15:52:42 0 d-------- C:\Documents and Settings\Aaron\Application Data\CherryHill
2007-12-15 01:53:52 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [01/07/2008 05:56 PM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [03/14/2007 03:42 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [8/10/2004 2:04:12 PM]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [9/4/2005 11:04:51 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17fdc1e3-b27b-11dc-81f3-00111163a16a}]
AutoRun\command- F:\DCoTMenu.exe
menu\command- F:\DCoTMenu.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7904 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-09 13:43:35 ------------

Edited by award001, 09 February 2008 - 01:44 PM.
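A first-pass triage of the HijackThis section of the report above, as an added Python example that is not part of the thread and not HijackThis code: it parses the log lines and flags the patterns the helper acted on earlier (a non-default F2 UserInit or Shell, unnamed or file-less BHOs and toolbars, O23 services with no publisher or a missing binary, and a spaced-out extension such as "aro .exe"). The sample lines are copied from the report and the fixed-entries list above; the rules, names and thresholds are my own assumptions.

```python
import re

# Expected Windows XP values for the two entries HijackThis reports as F2.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_SHELL = "explorer.exe"

# Constructed sample: lines copied from the HijackThis section and the
# fixed-entries list in the report above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro .exe -rem
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vysmryja.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
""".strip()

# Every HijackThis line is "<section code> - <details>".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.*)$")


def triage_line(line: str) -> list[str]:
    """Reasons a line deserves a closer look; empty list means nothing flagged.

    These are review prompts, not verdicts: legitimate software also shows
    up as "Unknown owner", so every hit still needs a human to look at it.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, rest = m.group("sec"), m.group("rest")
    reasons = []
    if sec == "F2":
        # "REG:system.ini: UserInit=<value>" -> compare with the XP default.
        _, _, kv = rest.partition(": ")
        key, _, val = kv.partition("=")
        val = val.strip().rstrip(",").lower()
        if key == "UserInit" and val != DEFAULT_USERINIT:
            reasons.append(f"UserInit is not the default ({val or 'empty'})")
        elif key == "Shell" and val != DEFAULT_SHELL:
            reasons.append(f"Shell is not the default ({val or 'empty'})")
    elif sec in ("O2", "O3", "O9"):
        if "(no name)" in rest:
            reasons.append("unnamed BHO/toolbar/button")
        if rest.endswith("(no file)") or "(file missing)" in rest:
            reasons.append("registered component whose file is absent")
    elif sec == "O23":
        if "Unknown owner" in rest:
            reasons.append("service with no publisher")
        if "(file missing)" in rest:
            reasons.append("service binary missing")
    elif sec == "O4":
        # "aro .exe": a space before the extension makes a name look like
        # a known file while no longer matching it.
        if re.search(r"\s\.(exe|dll|scr|com)\b", rest, re.IGNORECASE):
            reasons.append("space before file extension")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons, preserving log order."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for line, why in triage_log(SAMPLE_LOG).items():
        print(f"{line}\n    -> {'; '.join(why)}")
```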


#8 silver (Members, 480 posts, Location: GMT+7)

Posted 09 February 2008 - 10:07 PM

Hi award001,

We've made progress but one driver is being a little stubborn.

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
    @echo off
    sc stop USBINTELL >> results.txt 2>>&1
    sc delete USBINTELL >> results.txt 2>>&1
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

#9 award001 (Topic Starter, Members, 19 posts)

Posted 09 February 2008 - 11:08 PM

SERVICE_NAME: USBINTELL
TYPE : 1 KERNEL_DRIVER
STATE : 3 STOP_PENDING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
[SC] DeleteService SUCCESS

#10 silver (Members, 480 posts, Location: GMT+7)

Posted 10 February 2008 - 12:21 AM

OK please make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear, click the Check All button, then un-check everything in the Extra Log section and press Scan!
Once complete, please post the new DSS main.txt report.

#11 award001 (Topic Starter, Members, 19 posts)

Posted 10 February 2008 - 05:53 PM

Newest scan. And I can't tell you enough how grateful I am for the help.

Deckard's System Scanner v20071014.68
Run by Aaron on 2008-02-10 22:54:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Aaron.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:35 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aaron\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Aaron.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PT_CancelPopups.clsPopups - {30C4957C-A15E-48E2-99ED-7623B8EF4182} - C:\Program Files\Picture Tools\PT_CancelPopups.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: PT_FilterLinks.clsBypass - {3C84954D-23A1-4D71-9185-6BE2BB312C24} - C:\Program Files\Picture Tools\PT_FilterLinks.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2500446450-1183952857-1878339321-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {49C4ECB2-9676-4253-8E76-F333EE7E5513} (QDiagDAUUpdateObj Class) - http://autoupdate.dellfix.com/html/qdiagdau.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201369010078
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553340000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ESP Security System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 8607 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080126-105437-223 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
backup-20080126-111123-506 O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vysmryja.exe (file missing)
backup-20080126-114409-546 O2 - BHO: (no name) - {56ADD593-E7D2-4585-93D8-4DE49EB44133} - C:\WINDOWS\system32\jkhhh.dll (file missing)
backup-20080126-114453-982 O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
backup-20080126-114511-301 O2 - BHO: (no name) - {ad2f8dd1-6af1-47b8-ab75-4ce27c7c00ab} - C:\WINDOWS\system32\dupsrcj.dll
backup-20080126-114511-487 O2 - BHO: (no name) - {78375E69-D8D3-4D1E-A924-81B5A7B0D56F} - C:\Program Files\MSN\wofelep4444.dll (file missing)
backup-20080126-114512-268 O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
backup-20080126-114702-184 O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
backup-20080126-114702-253 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20080126-114702-385 O2 - BHO: (no name) - {2160D11E-46CD-463F-9187-2EDA2575AAED} - C:\Program Files\MSN\wofelep83122.dll (file missing)
backup-20080126-114702-584 O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
backup-20080126-114702-863 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
backup-20080126-114702-939 O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
backup-20080126-114708-252 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20080126-114708-833 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080126-114848-901 O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
backup-20080126-121200-783 O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro .exe -rem
backup-20080209-130548-388 O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
backup-20080209-130548-439 F2 - REG:system.ini: Shell=
backup-20080209-130548-783 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080209-130548-858 O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
backup-20080209-130549-177 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
backup-20080209-130549-983 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 catchme - c:\docume~1\aaron\locals~1\temp\catchme.sys (file missing)
3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
3 dump_wmimmc - e:\aaron's stuff\nexon\maplestory\gameguard\dump_wmimmc.sys (file missing)
2 npkcrypt - e:\aaron's stuff\nexon\maplestory\npkcrypt.sys (file missing)
1 USBINTELL - c:\windows\system32\drivers\usbintell.sys
3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 Apple Mobile Device - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
3 DSBrokerService - c:\program files\dellsupport\brkrsvc.exe
2 dvpapi - c:\program files\common files\authentium\antivirus\dvpapi.exe
3 gusvc (Google Updater Service) - c:\program files\google\common\google updater\googleupdaterservice.exe (file missing)
3 nmraapache (Pure Networks Net2Go Service) - c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe
2 nmservice (Pure Networks Network Magic Service) - c:\program files\pure networks\network magic\nmsrvc.exe
2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-10 22:38:05 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-02-10 22:35:01 260 --a------ C:\WINDOWS\Tasks\CLEANMGR.job
2008-02-08 09:52:33 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-10 and 2008-02-10 -----------------------------

2008-02-10 21:59:34 0 d-------- C:\Program Files\Common Files\RuleSpace
2008-02-10 21:59:31 0 d-------- C:\Program Files\Common Files\Aluria
2008-02-10 21:59:18 0 d-------- C:\Program Files\Common Files\Authentium
2008-02-10 18:12:53 0 d-------- C:\Program Files\Neocodex Check V3
2008-02-08 10:40:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 17:34:32 0 d-------- C:\Documents and Settings\Sammi\Application Data\Yahoo!
2008-02-07 13:00:50 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-07 11:57:07 0 d-------- C:\Program Files\Common Files\Corel
2008-02-05 09:29:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 12:16:36 0 dr-h----- C:\Documents and Settings\Aaron\Recent
2008-01-31 13:21:27 0 d-------- C:\Program Files\Sun
2008-01-28 01:00:30 1942 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-27 17:01:10 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-26 10:49:05 0 d-------- C:\Program Files\Trend Micro
2008-01-26 00:10:16 0 d-------- C:\Program Files\CCleaner
2008-01-25 16:11:03 0 d-------- C:\WINDOWS\ERUNT
2008-01-25 00:17:31 0 d-------- C:\Program Files\Windows Defender
2008-01-24 13:09:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-01-24 10:17:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:22:56 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-01-23 15:41:09 155648 --a------ C:\WINDOWS\system32\NeroCheck .exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-01-23 14:02:11 0 d-------- C:\Program Files\Alwil Software
2008-01-23 13:35:19 0 d-------- C:\Documents and Settings\Aaron\Application Data\Sammsoft
2008-01-22 23:11:15 0 d--h----- C:\WINDOWS\PIF
2008-01-22 22:51:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-01-22 22:51:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-22 22:51:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-22 22:51:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-22 22:51:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-01-22 22:51:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-22 22:51:34 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-01-22 22:51:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-22 22:51:34 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-22 22:51:33 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-22 14:47:11 0 d-------- C:\Documents and Settings\Aaron\Incomplete
2008-01-22 13:30:47 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-22 13:27:37 86016 --a------ C:\WINDOWS\system32\drivers\USBINTELL.sys
2008-01-21 12:29:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


-- Find3M Report ---------------------------------------------------------------

2008-02-10 22:12:38 0 d--h----- C:\Program Files\Common Files\Authentium Shared
2008-02-10 21:59:31 0 d-------- C:\Program Files\Common Files
2008-02-10 21:58:09 0 d-------- C:\Program Files\Common Files\PestPatrol
2008-02-09 13:03:43 31000 --a----c- C:\Documents and Settings\Aaron\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 18:24:37 0 d-------- C:\Documents and Settings\Aaron\Application Data\Corel
2008-02-08 18:22:57 2568 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-07 13:00:51 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-07 12:59:42 0 dr-h----- C:\Documents and Settings\Aaron\Application Data\yahoo!
2008-02-07 11:57:07 0 d-------- C:\Program Files\Corel
2008-02-01 13:49:49 0 d-------- C:\Program Files\ItsDeductible2005
2008-02-01 13:44:43 0 d-------- C:\Program Files\TurboTax
2008-02-01 13:44:15 0 d-------- C:\Program Files\Common Files\Intuit
2008-01-31 13:21:08 0 d-------- C:\Program Files\Java
2008-01-28 11:09:00 0 d-------- C:\Program Files\Fisher-Price
2008-01-28 11:08:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-24 13:12:09 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-01-24 12:00:51 0 d-------- C:\Program Files\MSECACHE
2008-01-23 18:27:09 0 d-------- C:\Program Files\QuickTime
2008-01-23 18:21:44 0 d-------- C:\Program Files\DellSupport
2008-01-23 17:53:03 0 d-------- C:\Program Files\iTunes
2008-01-23 17:53:00 0 d-------- C:\Program Files\ESPNRunTime
2008-01-23 17:52:56 0 d-------- C:\Program Files\Dell AIO Printer A920
2008-01-23 17:52:36 0 d-------- C:\Program Files\Browser MOUSE
2008-01-22 14:45:53 0 d-------- C:\Documents and Settings\Aaron\Application Data\LimeWire
2007-12-28 10:15:20 0 d-------- C:\Program Files\iPod
2007-12-25 23:33:40 0 d-------- C:\Program Files\Pure Networks
2007-12-24 18:50:59 0 d-------- C:\Program Files\DIFX
2007-12-18 15:52:42 0 d-------- C:\Documents and Settings\Aaron\Application Data\CherryHill
2007-12-15 01:53:52 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [03/14/2007 03:42 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [05/09/2007 01:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [8/10/2004 2:04:12 PM]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [9/4/2005 11:04:51 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
"disabletaskmgr"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17fdc1e3-b27b-11dc-81f3-00111163a16a}]
AutoRun\command- F:\DCoTMenu.exe
menu\command- F:\DCoTMenu.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7904 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-10 22:55:24 ------------

Edited by award001, 10 February 2008 - 10:57 PM.


#12 silver

  • Members
  • 480 posts
  • OFFLINE
  • Location:GMT+7
  • Local time:05:40 PM

Posted 11 February 2008 - 08:45 AM

Hi award001,

We need to use some heavy artillery:

Please download ComboFix to your desktop
  • Double click combofix.exe and follow the prompts
  • Note: Do not click ComboFix's window while it's running - it may cause it to stall!
  • If after ComboFix finishes you do not have internet access, then reboot your computer to restore it
  • When finished, it shall produce a log for you, please post it in your next response

Teacher at Malware Removal University | ASAP & UNITE Member

#13 award001
  • Topic Starter
  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 11 February 2008 - 09:48 AM

ComboFix 08-02-11.2 - Aaron 2008-02-11 9:30:33.1 - NTFSx86

Running from: C:\Documents and Settings\Aaron\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\USBINTELL.sys
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\USBINTELL.sys
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\system32\kwmaqqsm.dllbox
C:\WINDOWS\system32\MabryObj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_USBINTELL
-------\USBINTELL


((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-10 21:59 . 2008-02-10 21:59 <DIR> d-------- C:\Program Files\Common Files\RuleSpace
2008-02-10 21:59 . 2008-02-10 22:02 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-02-10 21:59 . 2008-02-10 21:59 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-02-10 18:12 . 2008-02-10 18:13 <DIR> d-------- C:\Program Files\Neocodex Check V3
2008-02-09 13:14 . 2008-02-09 13:14 <DIR> d-------- C:\_OTMoveIt
2008-02-08 10:40 . 2008-02-08 10:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 17:34 . 2008-02-07 17:34 <DIR> d-------- C:\Documents and Settings\Sammi\Application Data\Yahoo!
2008-02-07 13:00 . 2008-02-07 13:02 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-07 12:08 . 2008-02-08 18:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 12:08 . 2008-02-07 12:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 11:57 . 2008-02-07 11:59 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-02-05 10:16 . 2008-02-06 10:56 336 --a------ C:\WINDOWS\wininit.ini
2008-02-05 09:29 . 2008-02-08 10:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 09:29 . 2008-02-08 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 13:21 . 2008-01-31 13:21 <DIR> d-------- C:\Program Files\Sun
2008-01-31 13:21 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-30 10:04 . 2008-01-31 12:21 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-30 10:04 . 2008-01-31 12:21 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-28 01:00 . 2008-01-28 01:00 1,942 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-27 17:01 . 2008-01-27 17:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-27 09:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-27 09:29 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-26 10:49 . 2008-01-26 10:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 00:10 . 2008-01-26 00:10 <DIR> d-------- C:\Program Files\CCleaner
2008-01-25 16:11 . 2008-01-25 16:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-25 00:17 . 2008-01-25 00:17 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-24 13:12 . 2007-03-23 11:01 26,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\purendis.sys
2008-01-24 13:12 . 2007-03-23 11:01 25,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pnarp.sys
2008-01-24 13:09 . 2008-01-27 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-01-24 10:17 . 2008-01-24 13:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:22 . 2008-02-10 21:42 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-23 15:41 . 2008-01-23 16:08 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck .exe
2008-01-23 15:41 . 2008-01-23 16:08 114,688 --a------ C:\WINDOWS\SYSTEM32\igfxpers .exe
2008-01-23 15:41 . 2008-01-23 16:08 94,208 --a------ C:\WINDOWS\SYSTEM32\igfxtray .exe
2008-01-23 15:41 . 2008-01-23 16:08 77,824 --a------ C:\WINDOWS\SYSTEM32\hkcmd .exe
2008-01-23 14:02 . 2008-01-23 14:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 13:35 . 2008-01-26 11:35 <DIR> d-------- C:\Documents and Settings\Aaron\Application Data\Sammsoft
2008-01-23 10:49 . 2008-01-23 16:03 174,592 --a------ C:\WINDOWS\SYSTEM32\LEXPPS .EXE
2008-01-22 23:11 . 2008-01-22 23:11 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-22 22:51 . 2004-12-01 03:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-22 14:47 . 2008-01-22 14:47 <DIR> d-------- C:\Documents and Settings\Aaron\Incomplete
2008-01-22 13:30 . 2008-01-22 13:30 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-01-21 12:29 . 2008-01-22 17:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 03:12 --------- d--h--w C:\Program Files\Common Files\Authentium Shared
2008-02-11 02:58 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-02-10 00:08 31,000 -c--a-w C:\Documents and Settings\Sammi\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 18:03 31,000 -c--a-w C:\Documents and Settings\Aaron\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 23:24 --------- d-----w C:\Documents and Settings\Aaron\Application Data\Corel
2008-02-07 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 18:00 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-07 17:59 --------- d--h--r C:\Documents and Settings\Aaron\Application Data\yahoo!
2008-02-07 16:57 --------- d-----w C:\Program Files\Corel
2008-02-07 16:56 476,752 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2008-02-01 18:49 --------- d-----w C:\Program Files\ItsDeductible2005
2008-02-01 18:44 --------- d-----w C:\Program Files\TurboTax
2008-02-01 18:44 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-01 18:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\MakeMusic
2008-01-31 18:21 --------- d-----w C:\Program Files\Java
2008-01-28 16:09 --------- d-----w C:\Program Files\Fisher-Price
2008-01-28 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 18:12 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-01-24 17:00 --------- d-----w C:\Program Files\MSECACHE
2008-01-23 23:27 --------- d-----w C:\Program Files\QuickTime
2008-01-23 23:21 --------- d-----w C:\Program Files\DellSupport
2008-01-23 22:53 --------- d-----w C:\Program Files\iTunes
2008-01-23 22:53 --------- d-----w C:\Program Files\ESPNRunTime
2008-01-23 22:52 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-01-23 22:52 --------- d-----w C:\Program Files\Browser MOUSE
2008-01-23 22:46 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-01-22 22:12 --------- d-----w C:\Documents and Settings\Sammi\Application Data\LimeWire
2008-01-22 19:45 --------- d-----w C:\Documents and Settings\Aaron\Application Data\LimeWire
2007-12-28 15:15 --------- d-----w C:\Program Files\iPod
2007-12-26 04:33 --------- d-----w C:\Program Files\Pure Networks
2007-12-24 23:50 --------- d-----w C:\Program Files\DIFX
2007-12-18 20:52 --------- d-----w C:\Documents and Settings\Aaron\Application Data\CherryHill
2007-12-15 06:53 --------- d-----w C:\Program Files\Apple Software Update
2006-06-12 00:43 53,824 -c--a-w C:\Documents and Settings\Alaina\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 02:34 53,824 -c--a-w C:\Documents and Settings\Liam\Application Data\GDIPFONTCACHEV1.DAT
2007-09-23 02:25 168 --sh--r C:\WINDOWS\SYSTEM32\DC3D69BC77.sys
.
<pre>
----a-w		   313,472 2008-01-23 21:10:19  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		 1,383,936 2008-01-23 21:08:30  C:\Program Files\ahead\InCD\InCD .exe
----a-w		 1,404,928 2008-01-23 21:08:23  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w		   360,448 2008-01-23 21:08:20  C:\Program Files\Browser MOUSE\mouse32a .exe
----a-w		   451,896 2008-01-23 21:09:36  C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth .exe
----a-w		   290,816 2008-01-23 21:08:05  C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w		   270,336 2008-01-23 21:08:05  C:\Program Files\Dell AIO Printer A920\dlbkbmgr .exe
----a-w		   101,888 2008-01-23 21:08:29  C:\Program Files\ESPNRunTime\DIGServices .exe
----a-w		   221,184 2008-01-23 21:07:52  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		   267,048 2008-01-23 21:09:48  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			53,248 2008-01-23 21:09:11  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
----a-w		   451,896 2008-01-23 21:09:41  C:\Program Files\Pure Networks\Network Magic\nmapp .exe
----a-w		   286,720 2008-01-23 20:42:26  C:\Program Files\QuickTime\QTTask .exe
----a-w			77,824 2008-01-23 21:08:41  C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w		   114,688 2008-01-23 21:08:51  C:\WINDOWS\SYSTEM32\igfxpers .exe
----a-w			94,208 2008-01-23 21:08:35  C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w		   174,592 2008-01-23 21:03:28  C:\WINDOWS\SYSTEM32\LEXPPS .EXE
----a-w		   155,648 2008-01-23 21:08:07  C:\WINDOWS\SYSTEM32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 15:42 321088]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-09-04 11:04:51 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17fdc1e3-b27b-11dc-81f3-00111163a16a}]
\Shell\AutoRun\command - F:\DCoTMenu.exe
\Shell\menu\command - F:\DCoTMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-08 14:52:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-11 14:38:30 C:\WINDOWS\Tasks\CLEANMGR.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2008-02-11 14:41:40 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 09:40:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Cox\Applications\app\Console.exe
.
**************************************************************************
.
Completion time: 2008-02-11 9:45:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-11 14:45:50
.
2008-02-07 22:33:47 --- E O F ---

#14 silver

  • Members
  • 480 posts
  • OFFLINE
  • Location:GMT+7
  • Local time:05:40 PM

Posted 11 February 2008 - 08:12 PM

Hi award001,

Check that ComboFix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad:
    Note: I have uploaded this file as CFScript.txt as an attachment so you can download it if you prefer
    RenV::
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    C:\Program Files\ahead\InCD\InCD .exe
    C:\Program Files\Analog Devices\Core\smax4pnp .exe
    C:\Program Files\Browser MOUSE\mouse32a .exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth .exe
    C:\Program Files\Dell\Media Experience\PCMService .exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr .exe
    C:\Program Files\ESPNRunTime\DIGServices .exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
    C:\Program Files\Pure Networks\Network Magic\nmapp .exe
    C:\Program Files\QuickTime\QTTask .exe
    C:\WINDOWS\SYSTEM32\hkcmd .exe
    C:\WINDOWS\SYSTEM32\igfxpers .exe
    C:\WINDOWS\SYSTEM32\igfxtray .exe
    C:\WINDOWS\SYSTEM32\LEXPPS .EXE
    C:\WINDOWS\SYSTEM32\NeroCheck .exe
    FileLook::
    C:\WINDOWS\SYSTEM32\DC3D69BC77.sys
  • Save this to your Desktop as CFScript.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!

Once complete, please post the new ComboFix report and a new HijackThis log.

Teacher at Malware Removal University | ASAP & UNITE Member
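
As an added example (my own code, not part of this thread and not a ComboFix or BleepingComputer tool), here is a small Python triage script for ComboFix "Files Created" and "Find3M" log lines like the ones posted in this thread. It flags the two patterns silver's CFScript acts on: executables whose file name carries a space before the extension (the RenV:: entries) and non-directory files under C:\WINDOWS with hidden or system attributes (the FileLook:: entry DC3D69BC77.sys, 168 bytes, attributes --sh--r). The sample log lines are constructed from the format shown on this page, including one deliberately renamed "NeroCheck .exe" entry, and the line pattern is my reading of that format rather than a ComboFix specification. Flags are hints for a human reviewer, not verdicts: the hidden QuickTime font cache QTFont.qfn is flagged as well.

```python
"""Triage helper for ComboFix log lines (added example, not ComboFix's own code).

Parses entries of the form
    2008-02-07 12:08 . 2008-02-08 18:25 54,156 --ah----- C:\\WINDOWS\\QTFont.qfn   (Files Created)
    2007-09-23 02:25 168 --sh--r C:\\WINDOWS\\SYSTEM32\\DC3D69BC77.sys            (Find3M)
and flags entries worth a closer look. The regex is an assumption about the
log format based on the lines posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    created: str
    size: str    # "<DIR>", a digit string with commas, or dashes when not reported
    attrs: str   # attribute string, e.g. "--sh--r": d=directory, h=hidden, s=system, r=read-only
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size == "<DIR>" or self.attrs.startswith("d")


# One log line: timestamp, optional " . modified-timestamp", size, attrs, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size><DIR>|[\d,]+|-+)"
    r"\s+(?P<attrs>[-a-z]+)"
    r"\s+(?P<path>[A-Za-z]:\\.*)$"
)

# "foo .exe": a space immediately before the extension, as in silver's RenV:: list.
SPACE_BEFORE_EXT = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")

# Directories where a hidden or system file deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\",)


def parse_entries(log_text: str) -> list[Entry]:
    """Return the file entries found in the log text; headers and '.' lines are ignored."""
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if m:
            entries.append(Entry(m["date"], m["size"], m["attrs"], m["path"]))
    return entries


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for entries that match a suspicious pattern."""
    findings: list[tuple[str, str]] = []
    for e in parse_entries(log_text):
        if e.is_dir:
            continue  # only files are of interest here
        name = e.path.rsplit("\\", 1)[-1]
        if SPACE_BEFORE_EXT.search(name):
            findings.append((e.path, "space before extension (RenV:: candidate)"))
        if e.path.lower().startswith(SYSTEM_DIRS) and ("h" in e.attrs or "s" in e.attrs):
            findings.append((e.path, f"hidden/system file in Windows directory (attrs {e.attrs})"))
    return findings


# Constructed sample in the page's log format; the "NeroCheck .exe" line is made up
# to exercise the space-before-extension check.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.
2008-02-07 12:08 . 2008-02-08 18:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 23:11 . 2008-01-22 23:11 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-23 15:41 . 2008-01-23 16:08 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe
2008-01-23 16:08 . 2008-01-23 16:08 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck .exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 03:51 --------- d-----w C:\Program Files\QuickTime
2007-09-23 02:25 168 --sh--r C:\WINDOWS\SYSTEM32\DC3D69BC77.sys
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run it against a saved ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; entries that do not match the pattern are simply skipped, so the rest of the report does not need to be stripped first.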

#15 award001

award001
  • Topic Starter

  • Members
  • 19 posts
  • Local time:06:40 AM

Posted 11 February 2008 - 11:07 PM

ComboFix 08-02-11.2 - Aaron 2008-02-11 22:51:20.2 - NTFSx86

Running from: C:\Documents and Settings\Aaron\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aaron\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-10 21:59 . 2008-02-11 14:16 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-02-10 18:12 . 2008-02-10 18:13 <DIR> d-------- C:\Program Files\Neocodex Check V3
2008-02-09 13:14 . 2008-02-09 13:14 <DIR> d-------- C:\_OTMoveIt
2008-02-08 10:40 . 2008-02-08 10:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 17:34 . 2008-02-07 17:34 <DIR> d-------- C:\Documents and Settings\Sammi\Application Data\Yahoo!
2008-02-07 13:00 . 2008-02-07 13:02 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-02-07 12:08 . 2008-02-08 18:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 12:08 . 2008-02-07 12:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 11:57 . 2008-02-07 11:59 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-02-05 10:16 . 2008-02-06 10:56 336 --a------ C:\WINDOWS\wininit.ini
2008-02-05 09:29 . 2008-02-08 10:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 09:29 . 2008-02-08 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 13:21 . 2008-01-31 13:21 <DIR> d-------- C:\Program Files\Sun
2008-01-31 13:21 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-30 10:04 . 2008-01-31 12:21 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-30 10:04 . 2008-01-31 12:21 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-28 01:00 . 2008-01-28 01:00 1,942 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-27 17:01 . 2008-01-27 17:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-27 09:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-27 09:29 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-26 10:49 . 2008-01-26 10:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 00:10 . 2008-01-26 00:10 <DIR> d-------- C:\Program Files\CCleaner
2008-01-25 16:11 . 2008-01-25 16:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-25 00:17 . 2008-01-25 00:17 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-24 13:12 . 2007-03-23 11:01 26,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\purendis.sys
2008-01-24 13:12 . 2007-03-23 11:01 25,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pnarp.sys
2008-01-24 13:09 . 2008-01-27 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-01-24 10:17 . 2008-01-24 13:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 21:22 . 2008-02-10 21:42 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-23 15:41 . 2008-01-23 16:08 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe
2008-01-23 15:41 . 2008-01-23 16:08 114,688 --a------ C:\WINDOWS\SYSTEM32\igfxpers.exe
2008-01-23 15:41 . 2008-01-23 16:08 94,208 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-23 15:41 . 2008-01-23 16:08 77,824 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-01-23 14:02 . 2008-01-23 14:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 13:35 . 2008-01-26 11:35 <DIR> d-------- C:\Documents and Settings\Aaron\Application Data\Sammsoft
2008-01-23 10:49 . 2008-01-23 16:03 174,592 --a------ C:\WINDOWS\SYSTEM32\LEXPPS.EXE
2008-01-22 23:11 . 2008-01-22 23:11 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-22 22:51 . 2004-12-01 03:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-22 14:47 . 2008-01-22 14:47 <DIR> d-------- C:\Documents and Settings\Aaron\Incomplete
2008-01-22 13:30 . 2008-01-22 13:30 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-01-21 12:29 . 2008-01-22 17:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 03:51 --------- d-----w C:\Program Files\QuickTime
2008-02-12 03:51 --------- d-----w C:\Program Files\iTunes
2008-02-12 03:51 --------- d-----w C:\Program Files\ESPNRunTime
2008-02-12 03:51 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-02-12 03:51 --------- d-----w C:\Program Files\Browser MOUSE
2008-02-11 19:16 --------- d--h--w C:\Program Files\Common Files\Authentium Shared
2008-02-11 02:58 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-02-10 00:08 31,000 -c--a-w C:\Documents and Settings\Sammi\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 18:03 31,000 -c--a-w C:\Documents and Settings\Aaron\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 23:24 --------- d-----w C:\Documents and Settings\Aaron\Application Data\Corel
2008-02-07 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 18:00 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-07 17:59 --------- d--h--r C:\Documents and Settings\Aaron\Application Data\yahoo!
2008-02-07 16:57 --------- d-----w C:\Program Files\Corel
2008-02-07 16:56 476,752 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2008-02-01 18:49 --------- d-----w C:\Program Files\ItsDeductible2005
2008-02-01 18:44 --------- d-----w C:\Program Files\TurboTax
2008-02-01 18:44 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-01 18:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\MakeMusic
2008-01-31 18:21 --------- d-----w C:\Program Files\Java
2008-01-28 16:09 --------- d-----w C:\Program Files\Fisher-Price
2008-01-28 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 18:12 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-01-24 17:00 --------- d-----w C:\Program Files\MSECACHE
2008-01-23 23:21 --------- d-----w C:\Program Files\DellSupport
2008-01-23 22:46 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-01-22 22:12 --------- d-----w C:\Documents and Settings\Sammi\Application Data\LimeWire
2008-01-22 19:45 --------- d-----w C:\Documents and Settings\Aaron\Application Data\LimeWire
2007-12-28 15:15 --------- d-----w C:\Program Files\iPod
2007-12-26 04:33 --------- d-----w C:\Program Files\Pure Networks
2007-12-24 23:50 --------- d-----w C:\Program Files\DIFX
2007-12-18 20:52 --------- d-----w C:\Documents and Settings\Aaron\Application Data\CherryHill
2007-12-15 06:53 --------- d-----w C:\Program Files\Apple Software Update
2006-06-12 00:43 53,824 -c--a-w C:\Documents and Settings\Alaina\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 02:34 53,824 -c--a-w C:\Documents and Settings\Liam\Application Data\GDIPFONTCACHEV1.DAT
2007-09-23 02:25 168 --sh--r C:\WINDOWS\SYSTEM32\DC3D69BC77.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-23 16:09 451896]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-09-04 11:04:51 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17fdc1e3-b27b-11dc-81f3-00111163a16a}]
\Shell\AutoRun\command - F:\DCoTMenu.exe
\Shell\menu\command - F:\DCoTMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-08 14:52:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-12 03:57:24 C:\WINDOWS\Tasks\CLEANMGR.job"
- C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
"2008-02-12 03:59:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 22:58:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-11 23:04:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 04:04:17
ComboFix2.txt 2008-02-11 14:45:56
.
2008-02-07 22:33:47 --- E O F ---