
Infected With Ad.yieldmanager And Fondlewindow


18 replies to this topic

#1 notdennycrane

  • Members
  • 14 posts

Posted 20 March 2008 - 10:51 PM

I did everything in your Prep site, including installing ZoneAlarm, but couldn't get the Panda popup to stay open.
The programs removed various things, but I still have ad.yieldmanager, servedby.advertising, C:\hp\bin\FondleWindow.exe and Terminator.exe.
I saw postings with related info saying they're OK and not OK.
I also have CoolWWWSearchDreplace.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:40 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A6A49249-57AE-4295-8D4D-18A9502C7D8E} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1118354390385
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179895191125
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O19 - User stylesheet: (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8625 bytes


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 07 April 2008 - 02:53 PM

Sorry for the delay. If you are still having problems, please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

#3 notdennycrane
  • Topic Starter

  • Members
  • 14 posts

Posted 10 April 2008 - 12:11 PM

Thank you for your follow-up.
I still have: Fondlewindow
//ad.yieldmanager.com/st?ad_type=ifran
//served by.advertising.com/site=741457
and also have:
JS/Downloader.Agent
Trojan horse Generic_c.IKY
CoolWWWSearchDreplace.
Trojan.WinREG.StartPage
Trojan-Spy.HTML.Paylap.g
Trojan.Java.ClassLoader.ap

And my system is very slow to react to both online and to other actions.

Per your reply, and in hope of removing all, I have run the following with noted results:

- AVG:
  - Virus found JS/Downloader.Agent","C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0JSZS4YJ\iframe[1].htm"
  - Trojan horse Generic_c.IKY","C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\45\1242c6ed-406b81d3",
- Spybot: CoolWebSearch
- CWS Shredder: Removed: CWS.misconfig [190 pages, too much text to post]
- Rogue Remover: nothing found
- Kaspersky:
  - Trojan.WinREG.StartPage
  - Trojan-Spy.HTML.Paylap.g
  - Trojan.Java.ClassLoader.ap
- HouseCall: TROJ_Generic C:\hp\bin\Fondle Window.exe [I did not delete it]
  5 "Profiling Cookies" [I deleted these.]
- Deckard's: see the separate 2 log files, 1 of which includes the HJT log file
- Zone Alarm as firewall: removed after 1 week as I think it really slowed the computer, and I now use Windows again.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-09 16:21:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2008-04-10 00:21:20 UTC - RP26 - Deckard's System Scanner Restore Point
25: 2008-04-09 21:34:08 UTC - RP25 - System Checkpoint
24: 2008-04-08 20:59:39 UTC - RP24 - Configured AVG 7.5
23: 2008-04-08 20:05:39 UTC - RP23 - Software Distribution Service 3.0
22: 2008-04-08 17:35:45 UTC - RP22 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-21 05:59:41 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:15 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A6A49249-57AE-4295-8D4D-18A9502C7D8E} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1118354390385
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179895191125
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O19 - User stylesheet: (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8922 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
R2 ppsio (PrmxPPDev) - c:\windows\system32\drivers\ppsio.sys <Not Verified; ; Flatbed DevDriver/NT4>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 Eplpdx02 - c:\windows\system32\drivers\eplpdx02.sys <Not Verified; MK Systems CO., LTD.; MK Systems LPT I/O Driver for Windows2000>
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
S3 PCDRSRVC (PCDRSRVC - PCDR Kernel Mode Service Helper Driver) - c:\windows\system32\drivers\pcdrsrvc.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-09 15:42:35 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{04F28469-BC50-4EE5-91FF-8E02D0F96187}.job
2008-04-09 04:00:48 306 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-04-09 01:00:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2003-12-31 10:06:00 272 -----n--- C:\WINDOWS\Tasks\easy Internet sign-up.job


-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 11:17:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-09 11:17:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-09 11:17:27 0 d-------- C:\WINDOWS\LastGood
2008-04-04 10:07:49 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-03-25 20:28:43 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-24 18:07:49 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-03-23 20:34:19 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-03-23 20:23:53 0 d-------- C:\Program Files\OpenOffice
2008-03-20 19:37:42 0 d-------- C:\Program Files\Trend Micro
2008-03-20 17:49:29 100294688 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-20 17:40:04 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-20 17:36:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-20 17:36:23 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-03-20 17:35:04 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-03-19 22:23:33 0 d-------- C:\WINDOWS\BDOSCAN8
2008-03-17 20:19:24 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-17 10:16:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 10:16:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes


-- Find3M Report ---------------------------------------------------------------

2008-04-08 12:36:04 0 d-------- C:\Program Files\Yapta
2008-04-04 10:19:29 0 d-------- C:\Program Files\CCleaner
2008-04-02 14:56:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-01 04:43:14 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-30 17:00:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-03-28 22:52:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-09 12:25:09 0 d-------- C:\Documents and Settings\Owner\Application Data\RipIt4Me
2008-03-09 11:38:26 120 --a------ C:\Documents and Settings\Owner\Application Data\FixVTS.ini
2008-03-05 11:59:32 0 d-------- C:\Program Files\Windows Live Safety Center
2008-03-05 03:55:12 0 d-------- C:\Program Files\Common Files
2008-02-27 18:47:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Yapta
2008-02-20 12:22:46 0 d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-02-20 12:22:34 0 d-------- C:\Program Files\MySpace
2008-02-10 23:45:19 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-02-10 23:44:59 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-02-10 10:10:13 3443 --a------ C:\WINDOWS\unins000.dat
2008-02-10 10:08:20 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-09 00:15:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
03/20/2008 05:40 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [03/20/2008 05:40 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 08:42 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/31/2002 06:28 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 06:02 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [11/02/2004 09:03 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [11/02/2004 08:59 AM]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [05/25/2005 11:12 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"VetTray"="C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe" []
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" []
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/03/2004 11:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [05/25/2005 11:12 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
WKCALREM.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [6/20/2002 3:21:32 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 06:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Personal Firewall.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton Personal Firewall.lnk
backup=C:\WINDOWS\pss\Norton Personal Firewall.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SlipStream.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SlipStream.lnk
backup=C:\WINDOWS\pss\SlipStream.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Storm Technology Launch Pad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Storm Technology Launch Pad.lnk
backup=C:\WINDOWS\pss\Storm Technology Launch Pad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Desktop Search System Tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Yahoo! Desktop Search System Tray.lnk
backup=C:\WINDOWS\pss\Yahoo! Desktop Search System Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Desktop Search.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Yahoo! Desktop Search.lnk
backup=C:\WINDOWS\pss\Yahoo! Desktop Search.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VetTray]
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"NVSvc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"IDriverT"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Zone Labs Client"=C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
"VetTray"=C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10380a6-0cad-11d8-b49d-806d6172696f}]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com

7966 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-09 16:25:25 ------------

--------------------------------------------------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.60GHz
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 503.52 MiB / 119.02 MiB
Pagefile Memory (total/avail): 4474.85 MiB / 3719.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.96 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 107.53 GiB total, 47.81 GiB free.
D: is Fixed (FAT32) - 4.24 GiB total, 0.69 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3120025A - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 4.25 GiB - D:
\PARTITION1 (bootable) - Installable File System - 107.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.) Disabled
AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\unzipped\\rawavrecorder\\rawavrecorder.exe"="C:\\unzipped\\rawavrecorder\\rawavrecorder.exe:*:Enabled:rawavrecorder"
"C:\\Program Files\\rawavrecorder\\rawavrecorder.exe"="C:\\Program Files\\rawavrecorder\\rawavrecorder.exe:*:Enabled:rawavrecorder"
"F:\\Drivers\\E_reg\\EpsonReg.exe"="F:\\Drivers\\E_reg\\EpsonReg.exe:*:Enabled:Epson Registration"
"C:\\Program Files\\Net2Phone CommCenter\\CommCtr.exe"="C:\\Program Files\\Net2Phone CommCenter\\CommCtr.exe:*:Enabled:Net2Phone CommCenter Client GUI Module"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\LogMeIn\\LogMeIn.exe"="C:\\Program Files\\LogMeIn\\LogMeIn.exe:*:Enabled:LogMeIn.exe"
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"="C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe:*:Disabled:vncviewer.exe"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Disabled:winvnc4.exe"
"C:\\Program Files\\Net2Phone Dialer\\N2PDialr.exe"="C:\\Program Files\\Net2Phone Dialer\\N2PDialr.exe:*:Enabled:Internet Phone GUI Module"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\LMI155.tmp\\rescue.exe"="C:\\WINDOWS\\LMI155.tmp\\rescue.exe:*:Enabled:LogMeIn Rescue"
"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe"="C:\\Program Files\\LogMeIn\\LogMeInSystray.exe:*:Enabled:LogMeInSystray.exe"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=C:\Program Files\EasyPhoto\PhotoDeluxe 2.0\AdobeConnectables
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SYDNEY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\SYDNEY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCToolsDir=C:\Documents and Settings\All Users\Start Menu\Programs\Compaq\Compaq Presario PC Tools
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=SYDNEY
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Plus --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Ahead NeroVision Express --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
AT&T Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BitTorrent --> "C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Canon iP4300 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300 /L0x0009
Canon iP4300 User Registration --> C:\Program Files\Canon\IJEREG\iP4300\UNINST.EXE
Canon My Printer --> C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Setup Utility 2.3 --> "C:\Program Files\Canon\Canon Setup Utility 2.3\Maint.exe" /Uninstall C:\Program Files\Canon\Canon Setup Utility 2.3\uninst.ini
Capturex --> "C:\Program Files\Capturex\uninstall.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compaq Connections --> C:\WINDOWS\BWUnin-6.2.3.66L.exe -AppId 1940576
Confidence Online Portal Edition for Ameritrade --> rundll32.exe url.dll,FileProtocolHandler C:\Program Files\Mozilla Firefox\plugins\\UninstallPE.html
Detto IntelliMover --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA9F6EF5-E48A-4E45-BC57-AA16193763B7}\Setup.exe"
DivxToDVD 0.5.2b --> "C:\Program Files\vso\DivxToDVD\unins000.exe"
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDFab Platinum 4.0.1.6 Beta Registered --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
easy Internet sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0613467F-A45E-4CB1-9ECE-1F3DD79FB927} /l1033
EasyPhoto Software --> C:\WINDOWS\uninst.exe -f"C:\Program Files\EasyPhoto\System\DeIsL3.isu"
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google SketchUp --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E1423608-F529-40A1-93CA-C7F396F30DF0}\setup.exe" -l0x9
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet printer preloaded drivers --> MsiExec.exe /X{48BD24F5-13DE-493A-A7CE-28A85113FF0C}
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
Ink Monitor --> C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
Instant Support --> C:\PROGRA~1\INSTAN~1\UNWISE.EXE C:\PROGRA~1\INSTAN~1\INSTALL.LOG
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG
LogMeIn --> MsiExec.exe /I{245C2AEC-86C9-4ED2-B1C6-9C10709F5FD9}
LogMeIn --> MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
LogMeIn --> MsiExec.exe /I{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Speech Recognition Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mscsr.inf, Uninstall.NT
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Net2Phone CommCenter --> C:\PROGRA~1\NET2PH~1\UNWISE.EXE /U C:\PROGRA~1\NET2PH~1\INSTALL.LOG
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
Quicken Deluxe 99 --> C:\WINDOWS\IsUninst.exe -f"c:\program files\quickendeluxe99\Uninst.isu"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Roxio EasyWrite Reader --> C:\WINDOWS\system32\MRFUNIN.EXE
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ShowBiz DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{60E80B13-8649-4A69-85E2-1AE99E061F43}\setup.exe" -l0x9
Simple Installer - Multilanguage Version --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}\setup.exe"
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Virtual Earth 3D (Beta) --> MsiExec.exe /X{619B8475-0F48-41B7-A370-5147F7092989}
VoiceExplorer2005® --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Voice\UnInst.log" "/APPNAME=VoiceExplorer2005® "
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Companion --> regsvr32 /s /u C:\PROGRA~1\Yahoo!\Common\YCOMP5~1.DLL
Yahoo! Desktop Search --> "C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe" -uninstall
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Messenger Explorer Bar --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL
Yapta --> "C:\Program Files\Yapta\uninstall.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type12707 / Warning
Event Submitted/Written: 04/09/2008 04:16:00 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}', feature 'AutoCorrect', component '{35FFCED1-0FE9-4DD3-AB18-37F11DF9CE79}' failed. The resource 'C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkAcFra.bin' does not exist.

Event Record #/Type12706 / Warning
Event Submitted/Written: 04/09/2008 04:16:00 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}', feature 'AutoCorrect', component '{35FFCED1-0FE9-4DD3-AB18-37F11DF9CE79}' failed. The resource 'C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkAcFra.bin' does not exist.

Event Record #/Type12705 / Warning
Event Submitted/Written: 04/09/2008 04:00:59 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}', feature 'AutoCorrect', component '{35FFCED1-0FE9-4DD3-AB18-37F11DF9CE79}' failed. The resource 'C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkAcFra.bin' does not exist.

Event Record #/Type12704 / Warning
Event Submitted/Written: 04/09/2008 04:00:59 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}', feature 'AutoCorrect', component '{35FFCED1-0FE9-4DD3-AB18-37F11DF9CE79}' failed. The resource 'C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkAcFra.bin' does not exist.

Event Record #/Type12703 / Warning
Event Submitted/Written: 04/09/2008 03:34:50 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}', feature 'AutoCorrect', component '{35FFCED1-0FE9-4DD3-AB18-37F11DF9CE79}' failed. The resource 'C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkAcFra.bin' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5533 / Warning
Event Submitted/Written: 04/09/2008 11:17:46 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SYDNEY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SYDNEY27 can't undo changes that you allow.

For more information please see the following:
%SYDNEY275

Scan ID: {5B505C26-1418-4E86-BCB1-A8B7B338A216}

User: SYDNEY\Owner

Name: %SYDNEY271

ID: %SYDNEY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SYDNEY276

Alert Type: %SYDNEY278

Detection Type: 1.1.1593.02

Event Record #/Type5531 / Warning
Event Submitted/Written: 04/09/2008 10:54:48 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SYDNEY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SYDNEY27 can't undo changes that you allow.

For more information please see the following:
%SYDNEY275

Scan ID: {B20BB8DB-5F13-48EB-8EE0-E1FFACCC304B}

User: SYDNEY\Owner

Name: %SYDNEY271

ID: %SYDNEY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SYDNEY276

Alert Type: %SYDNEY278

Detection Type: 1.1.1593.02

Event Record #/Type5529 / Warning
Event Submitted/Written: 04/09/2008 10:54:19 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SYDNEY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SYDNEY27 can't undo changes that you allow.

For more information please see the following:
%SYDNEY275

Scan ID: {C4FFCF34-237E-45A2-8F62-E6BE943BC05F}

User: SYDNEY\Owner

Name: %SYDNEY271

ID: %SYDNEY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SYDNEY276

Alert Type: %SYDNEY278

Detection Type: 1.1.1593.02

Event Record #/Type5528 / Warning
Event Submitted/Written: 04/09/2008 10:27:27 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type5527 / Warning
Event Submitted/Written: 04/09/2008 08:45:31 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SYDNEY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SYDNEY27 can't undo changes that you allow.

For more information please see the following:
%SYDNEY275

Scan ID: {005FD841-951B-411F-9F44-1A9C71CE8B09}

User: SYDNEY\Owner

Name: %SYDNEY271

ID: %SYDNEY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SYDNEY276

Alert Type: %SYDNEY278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-04-09 16:25:25 ------------

#4 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:08:46 AM

Posted 10 April 2008 - 12:16 PM

Can you please run Kaspersky, as recommended in the preparation guide. :thumbsup:

#5 notdennycrane

  • Topic Starter

  • Members
  • 14 posts
  • Local time:11:46 PM

Posted 10 April 2008 - 12:23 PM

Sorry:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 3:32:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 621625


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 95655
Number of viruses found 3
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 03:21:23

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01222008-151847.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2b-Global.reg Infected: Trojan.WinREG.StartPage skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache50666.tmp.bac_a02236/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache50666.tmp.bac_a02236/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache50666.tmp.bac_a02236/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache50666.tmp.bac_a02236 ZIP: infected - 3 skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\jar_cache50666.tmp.bac_a02236 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\birk936j.default\cert8.db Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\birk936j.default\history.dat Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\birk936j.default\key3.db Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\birk936j.default\parent.lock Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\birk936j.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\Microsoft\Outlook Express\ebay.dbx/[From "" ][Date Mon, 03 May 2004 21:55:11 -0500]/html Infected: Trojan-Spy.HTML.Paylap.g skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\Microsoft\Outlook Express\ebay.dbx Mail MS Outlook 5: infected - 1 skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\Microsoft\Outlook Express\Smtp.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\birk936j.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\birk936j.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\birk936j.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\birk936j.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008040920080410\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\2224 Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\WKS9.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF1241.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF28DF.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~Qil1364.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~Qil3698.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\RECYCLER\S-1-5-21-1710473430-1971053414-3838943558-1003\Dc11.bak/[From "" ][Date Mon, 03 May 2004 21:55:11 -0500]/html Infected: Trojan-Spy.HTML.Paylap.g skipped

C:\RECYCLER\S-1-5-21-1710473430-1971053414-3838943558-1003\Dc11.bak Mail MS Outlook 5: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP25\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{0E3EF1D5-25EC-4DC3-8264-8F41335CB050}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:08:46 AM

Posted 11 April 2008 - 11:19 AM

Hi there, and welcome to the forums. :thumbsup:

First things first, I don't see any active infections here whatsoever. There is nothing present in your logs which suggests you have a malware infection at all. At the moment you only have 504 MiB of memory, which is hardly sufficient to run XP with all the security programs you have installed, namely Adwatch, AVG antispyware, AVG7, Zone Alarm etc. To speed up your PC you need to quickly install some new RAM, as at the moment it clearly is not able to struggle.

There are a few things we need to clean up, but the malware infections you stated above are simply leftover files which would not cause any sort of slowdown. Also, did you knowingly install Yapta?

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
O2 - BHO: (no name) - {A6A49249-57AE-4295-8D4D-18A9502C7D8E} - (no file)
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools': Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O19 - User stylesheet: (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Click Start > Control Panel.

Double-click the Java icon in the control panel.
The Java Control Panel appears.
Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.

Click Delete Files.
The Delete Temporary Files dialog box appears.

There are three options on this window to clear the cache.
- Delete Files
- View Applications
- View Applets
Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.
Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

#7 notdennycrane

notdennycrane
  • Topic Starter

  • Members
  • 14 posts
  • Local time:11:46 PM

Posted 13 April 2008 - 10:20 PM

Thank you for your interest and efforts on my behalf.
- I’m not very computer savvy so if this is what I need to do to add RAM, lots of luck
http://www.ehow.com/how_409_upgrade-computers-ram.html

- I had installed Yapta months ago. I just now Uninstalled it.

- I "Fix Checked" those items you listed. Just to let you know in case you had an additional O9 you wanted me to check, your listing O9 - Extra button: Yapta was listed twice.

- Your description of the JAVA cache options was different from mine, but I deleted Applications and Applets and did not delete “Trace and Log Files.”

- On the General tab, I deleted Cookies and Temporary files. I usually do this several times a week.

- I ran cleanmgr and removed those files.

- How do I remove //ad.yieldmanager.com/st?ad_type=ifran and //served by.advertising.com/site=741457 ?

- Although I thought I’d long ago removed this via Add/Remove, it keeps showing up and I uncheck it on my Start Up list every time I reboot. I just now deleted it from My Computer Program Files:
"VetTray"="C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe" [ ]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"

- I thought I’d removed Norton years ago.

- Computer still very slow from click on Desktop Google icon to actual site comes up.

ComboFix 08-04-12.5 - Owner 2008-04-12 16:58:00.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Application Data\inst.exe
C:\RECYCLER\Dividends.xls
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-09 16:20 . 2008-04-09 16:20 <DIR> d-------- C:\Deckard
2008-04-09 11:17 . 2008-04-09 11:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-09 11:17 . 2008-04-09 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-08 12:06 . 2008-04-08 12:14 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-07 15:27 . 2008-04-07 16:00 4,681,439,232 --a------ C:\BLUE_MURDER_SET1_D2.ISO
2008-04-03 04:22 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-25 20:28 . 2008-03-25 20:28 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-24 18:07 . 2008-04-10 19:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-03-23 20:34 . 2008-03-23 20:36 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-03-23 20:23 . 2008-03-23 20:26 <DIR> d-------- C:\Program Files\OpenOffice
2008-03-20 19:37 . 2008-03-20 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 17:49 . 2008-04-12 17:03 113,956,896 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-20 17:49 . 2008-04-12 17:45 1,336,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-20 17:40 . 2008-03-20 17:40 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-03-20 17:36 . 2008-03-20 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-20 17:36 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-20 17:36 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-03-20 17:35 . 2008-03-20 17:35 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-19 22:23 . 2008-03-24 20:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-17 20:19 . 2008-03-30 18:33 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-17 10:16 . 2008-03-17 10:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 10:16 . 2008-03-17 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 12:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-08 20:36 --------- d-----w C:\Program Files\Yapta
2008-04-08 07:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 18:19 --------- d-----w C:\Program Files\CCleaner
2008-04-01 12:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-31 01:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-09 20:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\RipIt4Me
2008-03-05 19:59 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 02:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yapta
2008-02-20 20:22 --------- d-----w C:\Program Files\MySpace
2008-02-20 20:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-10 18:08 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-12-06 06:01 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-05-26 17:51 808,208 ------w C:\Program Files\installPENP2K.exe
2006-01-13 04:38 5,225,384 ------w C:\Program Files\Firefox Setup 1.5.exe
2005-03-23 21:30 74,824 ------w C:\Program Files\Tara_v1.0.3b.exe
2004-01-28 18:35 3,865,632 ------w C:\Program Files\SOLOCommCenter56k.exe
2003-12-07 05:55 0 -csh--w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-03-20 17:40 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-03-20 17:40 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-03-20 17:40 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 11:12 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 18:28 81920]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 18:02 61440]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-11-02 09:03 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 08:59 126976]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 11:12 517632]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [ ]
"VetTray"="C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe" [ ]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 22:56 219136]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 12:32 8699904]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
WKCALREM.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 03:21:32 24651]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Personal Firewall.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton Personal Firewall.lnk
backup=C:\WINDOWS\pss\Norton Personal Firewall.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SlipStream.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SlipStream.lnk
backup=C:\WINDOWS\pss\SlipStream.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Storm Technology Launch Pad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Storm Technology Launch Pad.lnk
backup=C:\WINDOWS\pss\Storm Technology Launch Pad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Desktop Search System Tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Yahoo! Desktop Search System Tray.lnk
backup=C:\WINDOWS\pss\Yahoo! Desktop Search System Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Desktop Search.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Yahoo! Desktop Search.lnk
backup=C:\WINDOWS\pss\Yahoo! Desktop Search.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
--------- 2005-05-25 11:12 517632 C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 09:03 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--------- 2003-02-11 18:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--------- 2002-07-31 18:28 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--------- 2002-09-13 20:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VetTray]
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"NVSvc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"IDriverT"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Zone Labs Client"=C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
"VetTray"=C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\\Program Files\\rawavrecorder\\rawavrecorder.exe"=
"C:\\Program Files\\Net2Phone CommCenter\\CommCtr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:*:Disabled:VNC

R0 MrFilter;EasyWrite Driver;C:\WINDOWS\system32\drivers\MrFilter.sys [2003-12-09 17:21]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 ppsio;PrmxPPDev;C:\WINDOWS\system32\drivers\ppsio.sys [1998-01-15 15:46]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 SNXPCARD;Sunix PCI Multi I/O Card Driver;C:\WINDOWS\system32\DRIVERS\snxpcard.sys [2003-04-02 00:06]
S3 SNXPPALX;Sunix PCI Parallel Port Driver;C:\WINDOWS\system32\DRIVERS\snxppalx.sys [2003-04-06 18:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2003-12-31 18:06:00 C:\WINDOWS\Tasks\easy Internet sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-12 09:00:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-12 12:00:36 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-04-13 00:51:01 C:\WINDOWS\Tasks\User_Feed_Synchronization-{04F28469-BC50-4EE5-91FF-8E02D0F96187}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 17:03:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-12 17:07:04
ComboFix-quarantined-files.txt 2008-04-13 01:05:48
Pre-Run: 55,769,206,784 bytes free
Post-Run: 55,757,582,336 bytes free
.
2008-04-08 20:14:29 --- E O F ---

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:08:46 AM

Posted 15 April 2008 - 11:42 AM

Ok, first off, Zone Alarm is still present in add/remove in the control panel, so please uninstall it!

Please open notepad and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VetTray"=-
"Zone Labs Client"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Personal Firewall.lnk]

Save this as "fix.reg". Choose to save as *all files and place it on your desktop.
It should look like this: [screenshot not preserved]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Can you describe to me how you feel you are infected with ad/yieldmanager?
Are you getting popups? Can you please be as detailed as possible. :thumbsup:
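Added example, not from this thread and not part of ComboFix or HijackThis: a small Python triage script that parses Run-key lines from the ComboFix "Reg Loading Points" section, flags values whose trailing bracket is empty (`[ ]`, which ComboFix prints when it cannot find the referenced executable on disk, as with VetTray and Zone Labs Client above), and writes a REGEDIT4 fragment using the same `"Name"=-` value-deletion and `[-Key]` key-deletion syntax as the fix.reg in this post. The log excerpt is constructed from entries quoted earlier in the thread; which flagged entries to actually remove remains an analyst decision.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output (added example).

It does two things a helper does by hand when reading such a log:
  1. find Run-key values whose program file ComboFix could not locate, and
  2. turn the chosen removals into a REGEDIT4 file that deletes them.
"""
import re

# Constructed sample in the ComboFix format seen in the thread. The trailing
# bracket holds "date time size" of the target file, or nothing if it is gone.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 18:02 61440]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [ ]
"VetTray"="C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe" [ ]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 22:56 219136]
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


def parse_run_entries(text):
    """Return (key, value_name, path, file_present) tuples, in log order."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')          # a new [HKEY_...] section begins
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            present = m.group('meta').strip() != ''   # empty "[ ]" -> missing
            entries.append((key, m.group('name'), m.group('path'), present))
    return entries


def stale_entries(text):
    """Run values that still point at an executable ComboFix could not find."""
    return [e for e in parse_run_entries(text) if not e[3]]


def build_reg_fix(text, remove_names=None, delete_keys=()):
    """Emit REGEDIT4 text deleting the chosen stale values and whole keys.

    remove_names: value names to delete (default: every stale entry).
    delete_keys:  full key paths to delete outright, written as [-Key].
    """
    wanted = set(remove_names) if remove_names is not None else None
    by_key = {}
    for key, name, _path, _present in stale_entries(text):
        if wanted is None or name in wanted:
            by_key.setdefault(key, []).append(name)
    lines = ['REGEDIT4', '']
    for key, names in by_key.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{n}"=-' for n in names)   # "Name"=- deletes a value
        lines.append('')
    for key in delete_keys:
        lines.append(f'[-{key}]')                  # [-Key] deletes the key
        lines.append('')
    return '\r\n'.join(lines)                      # regedit expects CRLF


if __name__ == '__main__':
    for key, name, path, present in parse_run_entries(SAMPLE_LOG):
        print(('ok     ' if present else 'MISSING'), name, '->', path)
    print(build_reg_fix(SAMPLE_LOG, remove_names=['VetTray', 'Zone Labs Client']))
```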

#9 notdennycrane

notdennycrane
  • Topic Starter

  • Members
  • 14 posts
  • Local time:11:46 PM

Posted 16 April 2008 - 12:41 PM

- Zone Alarm removed
- fix.reg merge was successful

Other Results I notice so far:

- FondleWindow - appears to have disappeared. I can not get it to show up as before. I still see it listed in
C:\hp\bin\Fondle Window.exe. Also various sites say not harmful.

- I still occasionally get a small window, a Bad URL Blocker Window, http://ad.yieldmanager.com/st?ad_type=ifran from ‘Right Media’. The window is generated by Spybot and I click on “Deny.” It usually appeared when I was on basic Yahoo site, switching between their “News” tabs. It occasionally shows up when I click on dissimilar links. It is sporadic and seems to have diminished in frequency. I see that ‘Right Media’ is associated with Yahoo?
I also see many reported removal requests at many sites such as http://forums.majorgeeks.com/showthread.php?t=151848 going back to at least 2005 as noted bottom of page.
It’s a minor annoyance I can live with.

- Standby or Hibernate or X ?: At night, I turn off monitor and in morning when I turn it on, or I just leave for lengths of time, monitor displays the No Signal screen. I then tap a key, green light on modem lights up, and up comes Desktop.
It affects AVG and others because computer goes into “standby or hibernate or x” state overnight, programs like AVG are not able to download Updates per times scheduled. I have to Download, Repair, and Update each time.
When I look at Power Options, Power Schemes, Settings of Energy Star Power scheme, System Hibernate, it shows “Never.” But when I look at Hibernate tab, box for “Enable Hibernation” is checked.
I don’t know what state computer is in. I do not want this whatever state as I use remote access.

Again, thank you for your assistance. I'm sorry to have taken your time for such minor problems.

#10 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 19 April 2008 - 04:31 AM

Sorry for the delay in getting back to you, I had to spend a while looking up the files in question. First things first, that fondlewindow.exe file is nothing to worry about - as expected it's your AntiVirus giving you a false positive:
http://www.velocityreviews.com/forums/t209...dle-window.html

Fondlewindow.exe is a file shipped with the Original Equipment Manufacturer (OEM) version of Windows XP Operating System. Anti-virus software generally detects this file as a virus. Please be assured that this file is not a virus and you need not delete the file. The presence of this file on your computer would not create any issues on your computer.

Fondlewindow.exe that is present in your C:\HP\Bin folder is not a virus. This program along with terminator, cloaker, spawn and KillWind executables are part of the BackWeb program that was preinstalled in your PC.

With regard to the popups you are receiving, I'm almost sure they aren't caused by malware on your actual PC. Some sites will always give you popups, regardless of how clean your computer is. "It occasionally shows up when I click on dissimilar links." - I'm afraid that this is something most people in the computing world come to live with; every now and then, everyone gets a popup. Infections on computers that cause popups give you about 10 every minute.

I can see a clean HijackThis log here; as far as I can tell, your PC is in a perfectly clean state. With regards to the hibernation, can't you just untick "Enable hibernation" on the Hibernate tab? Let me try and explain - when you hibernate, the PC effectively turns off, so you won't be able to download anything whilst the system is in hibernation. Can't you change the scheduled time to a time when the PC is not asleep?
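The post above accepts the "false positive" verdict on the strength of a forum link. The following PowerShell script is an added example, not code from this thread, that gathers the evidence a practitioner would want before agreeing: the file's SHA-256 (to look up against vendor or multi-engine records), its Authenticode signature and version resource (an OEM utility should carry a recognisable publisher), and whether anything in the Run keys or a service actually launches it. Only the path C:\HP\Bin\FondleWindow.exe comes from the thread; the function names and the choice of registry keys are assumptions, and a PowerShell 2.0 or later install is assumed on the machine.

```powershell
# Added example (not from the thread): collect evidence about a file an
# antivirus flagged so the "false positive" claim can be checked, not trusted.
# The path is the one named in the thread; function names are assumptions.
param(
    [string]$Path = 'C:\HP\Bin\FondleWindow.exe'
)

function Get-AutoStartReferences {
    # Return Run-key values and services whose command line mentions $Needle.
    param([Parameter(Mandatory=$true)][string]$Needle)
    $hits = @()
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like "*$Needle*") {
                $hits += "$key\$($p.Name) = $($p.Value)"
            }
        }
    }
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.PathName -like "*$Needle*" } |
        ForEach-Object { $hits += "Service $($_.Name): $($_.PathName)" }
    return $hits
}

function Get-SuspectFileReport {
    param([Parameter(Mandatory=$true)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }
    $item = Get-Item -LiteralPath $FilePath

    # SHA-256 through .NET so this also works on PowerShell 2.0 (no Get-FileHash).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try {
        $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }

    # Authenticode: 'Valid' with a known publisher is strong evidence for an
    # OEM/vendor file; 'NotSigned' means the hash has to be checked elsewhere.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    $ver = $item.VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    New-Object PSObject -Property @{
        Path          = $item.FullName
        SizeBytes     = $item.Length
        LastWriteUtc  = $item.LastWriteTimeUtc
        SHA256        = $hash
        SigStatus     = $sig.Status
        Signer        = $signer
        CompanyName   = $ver.CompanyName
        ProductName   = $ver.ProductName
        FileVersion   = $ver.FileVersion
        AutoStartRefs = @(Get-AutoStartReferences -Needle $item.Name)
    }
}

Get-SuspectFileReport -FilePath $Path | Format-List
```

Read the output as a whole: a valid signature from the OEM plus a hash that matches the vendor's copy settles the question; an unsigned file with a recent LastWriteUtc and a Run-key entry pointing at it does not, whatever a forum link says.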

#11 notdennycrane
  • Topic Starter
  • Members
  • 14 posts

Posted 22 April 2008 - 12:13 PM

I realize the following are not in total what my original “Post” was about, but possibly connected to the actions we have taken. If not appropriate here, I’ll submit a new posting.

- I still get the ad.yieldmanager Spybot protection window but almost exclusively when I’m on Yahoo email and yahoo news. As you note, I can live with it.

- I don’t think it’s in ‘Hibernate’ as I don’t have to hit the power button. I just tap any key and monitor comes alive and modem ethernet light turns on from nothing to green.
I only get “ diagnostic self test” screen if I’ve turned off the monitor, and again I just tap a key.
I conclude this is normal operation - yes/no?

- What's new is that after I re-boot and re-activate AVG Free, after 10 minutes or so I have to Download and click Repair or Install as the Email Scanner stops functioning.
- Also I usually have to re-install Win Defender after each re-boot.

- A greater problem I've noticed, and so have friends/relatives, is that no matter what program/file/folder we try to activate, and clicking for IE, computers are really slow to respond. Plus we don't get an hourglass but get an arrow. I wonder if it could be due to something in one of those Microsoft "Updates" in the past 5 months that we received & installed?
- We all are receiving a lot of not responding freezes, which sometimes then when use C/A/D to End Task computer also freezes.
- Also receiving a lot of “IE encountered a problem ... “ window.

Once again I appreciate your time and attention to my problems/questions. And this opportunity to learn. And I am making a donation.

#12 notdennycrane
  • Topic Starter
  • Members
  • 14 posts

Posted 22 April 2008 - 12:23 PM

But where is your donation link???

#13 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 23 April 2008 - 06:09 AM

Ahh ok, I understand now about the yieldmanager popup. This is unfortunately something you are going to have to live with, unless you invest in a popup blocker, as it's a frequent complaint that Yahoo will display these kinds of popups, especially on their free email service. As you've installed Internet Explorer 7, you get the functionality of a pop-up blocker without having to download any third-party software. The Pop-up Blocker is automatically enabled in IE7, so most pop-ups should be blocked on your computer.

To enable Internet Explorer 7's pop-up blocker first click on the Tools menu, located at the far right hand side of your browser's Tab Bar. When the drop-down menu appears, select the Pop-up Blocker option. A sub-menu will now appear to the right. To activate the pop-up blocker, simply select the option labeled Turn On Pop-up Blocker, located in this same sub-menu. This might help resolve the Yahoo popup, but if truth be told, the IE7 popup blocker isn't that effective.

With regards to the hibernation and display issue, it's exactly the same on my own PC, so I assume that yes, it's normal behaviour. If you are having to repair AVG every time you reboot, you may have a corrupted installation, so you could try uninstalling the entire program, then reinstalling it? With Internet Explorer 7, it's not uncommon for those kinds of problems to be reported - I really do think it's just a very buggy program. Have you tried going to Windows Update and getting the latest patches that might fix the browser problems? Also, for the system crashes, it is most likely down to the fact you only have 500 MB of RAM - to run Windows XP I recommend at least twice as much (1 GB).

Just taking another look at your log now, it appears as though you have 2 firewalls active. I know you tried to uninstall Zone Alarm, but it looks as though there are still some components running - this could cause conflicts and slowdowns. Let's remove it with force:
Click start > run and type: notepad, then hit enter.
Copy and paste in the following text into the window.

Folder::
C:\WINDOWS\system32\ZoneLabs

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
[image: dragging CFScript.txt onto ComboFix.exe]
Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
Combofix will run, and a text file will open. No need to post it back here.

Open notepad and copy and paste the following text in the quote box into the window:

@echo off
sc stop vsmon
sc delete vsmon

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: [image of fix.bat in Notepad]
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Let me know how you get on, and if there are any improvements.

By the way, the donation link is in my signature and also at the following hyperlink.
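The cleanup above runs `sc stop` and `sc delete` blind and removes the folder through a ComboFix script. The following PowerShell script is an added example, not part of this thread, that does the same job with the checks a practitioner would add: confirm the service really exists and record its binary path before touching it, wait for it to stop (deleting a running service only marks it for removal at reboot), list the folder contents before deleting them, and afterwards ask Windows Security Center how many firewalls are still registered, which is the conflict the post is worried about. The service name `vsmon` and the folder `C:\WINDOWS\system32\ZoneLabs` come from the post; the function names, the 30-second wait and the WMI namespace choice are assumptions, as is a PowerShell 2.0 or later install run from an elevated prompt.

```powershell
# Added example (not from the thread): remove leftover ZoneAlarm components
# only after confirming they exist, and verify afterwards that a single
# firewall remains. Service name and folder are from the post; the rest
# (function names, timeouts, namespace) are assumptions.
$ServiceName  = 'vsmon'
$LeftoverDirs = @('C:\WINDOWS\system32\ZoneLabs')

function Remove-LeftoverService {
    param([Parameter(Mandatory=$true)][string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        Write-Host "Service '$Name' not present; nothing to do."
        return $false
    }
    Write-Host ("Found service '{0}': state={1}, start={2}, binary={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)

    if ($svc.State -ne 'Stopped') {
        $svc.StopService() | Out-Null                  # same as: sc stop <name>
        # Bounded wait: deleting a running service only schedules removal.
        $deadline = (Get-Date).AddSeconds(30)
        do {
            Start-Sleep -Seconds 1
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
        } while ($svc -and $svc.State -ne 'Stopped' -and (Get-Date) -lt $deadline)
        if (-not $svc) { Write-Host "Service '$Name' vanished while stopping."; return $true }
        if ($svc.State -ne 'Stopped') {
            Write-Warning "Service '$Name' did not stop within 30s; not deleting it."
            return $false
        }
    }

    $ret = $svc.Delete()                               # same as: sc delete <name>
    if ($ret.ReturnValue -ne 0) {
        Write-Warning "Delete of '$Name' returned $($ret.ReturnValue); a reboot may be required."
        return $false
    }
    Write-Host "Service '$Name' deleted."
    return $true
}

function Remove-LeftoverFolder {
    param([Parameter(Mandatory=$true)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) {
        Write-Host "Folder '$Dir' not present; nothing to do."
        return
    }
    # Record what is about to be removed so the action is auditable.
    Get-ChildItem -LiteralPath $Dir -Recurse -Force |
        ForEach-Object { Write-Host "  removing $($_.FullName)" }
    Remove-Item -LiteralPath $Dir -Recurse -Force
    Write-Host "Removed '$Dir'."
}

Remove-LeftoverService -Name $ServiceName | Out-Null
foreach ($d in $LeftoverDirs) { Remove-LeftoverFolder -Dir $d }

# Verification: which firewalls does Security Center still know about?
# root\SecurityCenter is the XP SP2/SP3 namespace; Vista and later use
# root\SecurityCenter2 (assumption: try both, ignore the one that is absent).
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host ("[{0}] {1}" -f $ns, $_.displayName) }
}
```

If the final listing still shows two firewall products after a reboot, the leftover is registered somewhere other than the service and folder named here, and the next step is to find that registration rather than to delete more files by name.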

#14 notdennycrane
  • Topic Starter
  • Members
  • 14 posts

Posted 23 April 2008 - 11:49 AM

Regarding
"Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
Combofix will run, and a text file will open. No need to post it back here."

When i do this, I get the Disclaimer. Before I chose OK, should I run the Windows Recovery??

#15 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 23 April 2008 - 12:27 PM

No need to run the Recovery console, that's just a precautionary measure we can fall back on if things go wrong.
When you run ComboFix with the text file, just press OK after the disclaimer. Hope that helps.
