Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Darksma Infection


  • This topic is locked This topic is locked
8 replies to this topic

#1 mandymershon

mandymershon

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 26 April 2008 - 12:33 PM

This is my first time posting and my first time trying to remove something this difficult from my computer. My husband wants to just back up everything and nuke the computer but I would rather try your advice first.

Here is my HijackThis file:
Deckard's System Scanner v20071014.68
Run by Mandy on 2008-04-26 12:21:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
55: 2008-04-26 17:21:19 UTC - RP196 - Deckard's System Scanner Restore Point
54: 2008-04-25 20:31:32 UTC - RP195 - Last known good configuration
53: 2008-04-25 20:31:25 UTC - RP194 - Last known good configuration
52: 2008-04-25 20:31:24 UTC - RP193 - Norton Internet Security post configuration restore point
51: 2008-04-25 20:31:24 UTC - RP192 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-25 20:31:23 UTC - RP142 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-26 12:23:49
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mandy\Desktop\dss.exe
C:\Program Files\Build-a-lot 2 - Town of the Year\Buildalot2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02AD31CD-0950-4803-8EF9-ADC2A8C3F7C7} - C:\WINDOWS\system32\ssQiHbya.dll
O2 - BHO: {0a9695ba-c716-af5a-3614-3c6ef639bfb5} - {5bfb936f-e6c3-4163-a5fa-617cab5969a0} - C:\WINDOWS\system32\jssriqyu.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\wvUMCvVn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [BM039c7024] Rundll32.exe "C:\WINDOWS\system32\cirphpcw.dll",s
O4 - HKLM\..\Run: [00af43b8] rundll32.exe "C:\WINDOWS\system32\fjfxphuw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (file missing)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205048848875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205051068046
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O20 - Winlogon Notify: wvUMCvVn - C:\WINDOWS\system32\wvUMCvVn.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe


--
End of file - 8349 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv>
S2 LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SMC EZ Card 10/100 PCI (SMC1211 Series)
Device ID: PCI\VEN_1113&DEV_1211&SUBSYS_12111113&REV_10\4&2E98101C&0&00F0
Manufacturer: SMC
Name: SMC EZ Card 10/100 PCI (SMC1211 Series)
PNP Device ID: PCI\VEN_1113&DEV_1211&SUBSYS_12111113&REV_10\4&2E98101C&0&00F0
Service: SMC1211

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_2019107B&REV_02\4&2E98101C&0&40F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_2019107B&REV_02\4&2E98101C&0&40F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-20 03:00:00 252 --a------ C:\WINDOWS\Tasks\defrag.job
2008-04-09 10:47:06 386 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1205077626.job


-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 11:41:15 107072 --a------ C:\WINDOWS\system32\jssriqyu.dll
2008-04-26 11:38:14 95808 --a------ C:\WINDOWS\system32\fjfxphuw.dll
2008-04-26 11:35:54 106048 --a------ C:\WINDOWS\system32\sytpjvfd.dll
2008-04-26 11:35:13 517354 --ahs---- C:\WINDOWS\system32\jQqsBJjl.ini2
2008-04-26 11:35:08 283136 --a------ C:\WINDOWS\system32\ljJBsqQj.dll
2008-04-26 11:16:36 107072 --a------ C:\WINDOWS\system32\jrpnrnxo.dll
2008-04-26 11:14:26 95808 -----n--- C:\WINDOWS\system32\ofacldhm.dll
2008-04-26 11:14:16 106048 --a------ C:\WINDOWS\system32\gkvtumxn.dll
2008-04-26 10:38:58 95808 -----n--- C:\WINDOWS\system32\ehbajxkv.dll
2008-04-26 10:35:58 107072 --a------ C:\WINDOWS\system32\ulvelatq.dll
2008-04-26 10:33:45 106048 --a------ C:\WINDOWS\system32\urqemhpp.dll
2008-04-26 10:32:53 283136 -----n--- C:\WINDOWS\system32\urqPiGWN.dll
2008-04-26 08:53:54 107072 --a------ C:\WINDOWS\system32\jicystnb.dll
2008-04-26 08:51:25 95808 -----n--- C:\WINDOWS\system32\uecbyaeq.dll
2008-04-26 08:51:18 106048 --a------ C:\WINDOWS\system32\cirphpcw.dll
2008-04-26 08:06:16 107072 --a------ C:\WINDOWS\system32\gxxuboqg.dll
2008-04-26 08:05:55 106048 --a------ C:\WINDOWS\system32\pcifuwyj.dll
2008-04-26 08:05:13 519467 --ahs---- C:\WINDOWS\system32\bKUFNqss.ini2
2008-04-26 08:05:08 283136 --a------ C:\WINDOWS\system32\ssqNFUKb.dll
2008-04-25 17:55:33 107072 --a------ C:\WINDOWS\system32\fugmvpdo.dll
2008-04-25 17:55:04 105536 --a------ C:\WINDOWS\system32\yxmgjygn.dll
2008-04-25 17:54:16 529329 --ahs---- C:\WINDOWS\system32\abHNpXbc.ini2
2008-04-25 17:54:05 281088 --a------ C:\WINDOWS\system32\cbXpNHba.dll
2008-04-25 15:34:13 107072 --a------ C:\WINDOWS\system32\eukctuas.dll
2008-04-25 15:32:04 105536 --a------ C:\WINDOWS\system32\twkltcvo.dll
2008-04-25 15:16:27 107072 --a------ C:\WINDOWS\system32\byqhumkq.dll
2008-04-25 15:16:18 105536 --a------ C:\WINDOWS\system32\xmbavtmp.dll
2008-04-24 22:35:26 88640 --a------ C:\WINDOWS\system32\xchtnmgc.dll
2008-04-24 22:32:26 100416 --a------ C:\WINDOWS\system32\mdyklqcj.dll
2008-04-24 22:30:07 96320 --a------ C:\WINDOWS\system32\xbnlmhue.dll
2008-04-24 20:11:56 100416 --a------ C:\WINDOWS\system32\osywrwic.dll
2008-04-24 20:11:37 96320 --a------ C:\WINDOWS\system32\nqvylqfs.dll
2008-04-24 20:10:53 421926 --ahs---- C:\WINDOWS\system32\ffPWHkkj.ini2
2008-04-24 20:10:48 272384 --a------ C:\WINDOWS\system32\jkkHWPff.dll
2008-04-24 12:24:32 100416 --a------ C:\WINDOWS\system32\glpbpjgy.dll
2008-04-24 12:20:13 96320 --a------ C:\WINDOWS\system32\wfnjgrkk.dll
2008-04-24 00:34:58 0 d-------- C:\Program Files\Symantec
2008-04-24 00:34:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 00:33:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 22:58:04 0 d-------- C:\Program Files\Common Files\Scanner
2008-04-23 22:57:59 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-23 22:19:22 93248 --a------ C:\WINDOWS\system32\xenamexd.dll
2008-04-23 22:17:17 89152 --a------ C:\WINDOWS\system32\gewcbfxg.dll
2008-04-23 22:17:01 95808 --a------ C:\WINDOWS\system32\dgjsmmgn.dll
2008-04-23 22:16:20 419124 --ahs---- C:\WINDOWS\system32\EMlSYcfe.ini2
2008-04-23 22:16:16 272384 --a------ C:\WINDOWS\system32\efcYSlME.dll
2008-04-23 22:08:55 97856 --a------ C:\WINDOWS\system32\wynvlidt.dll
2008-04-23 22:08:41 95808 --a------ C:\WINDOWS\system32\yofjinyb.dll
2008-04-23 13:02:45 37888 --a------ C:\WINDOWS\system32\hgGyxVOF.dll
2008-04-23 11:08:47 97856 --a------ C:\WINDOWS\system32\ydpafrus.dll
2008-04-23 11:02:46 95808 --a------ C:\WINDOWS\system32\rtfcrrvr.dll
2008-04-23 09:19:15 97856 --a------ C:\WINDOWS\system32\rikiqqps.dll
2008-04-22 21:57:17 37888 --a------ C:\WINDOWS\system32\qoMcYQKA.dll
2008-04-22 21:40:55 37888 --a------ C:\WINDOWS\system32\iIbxvVOH.dll
2008-04-22 21:10:15 517923 --ahs---- C:\WINDOWS\system32\aybHiQss.ini2
2008-04-22 21:10:10 272384 --a------ C:\WINDOWS\system32\ssQiHbya.dll
2008-04-22 21:05:13 37888 --a------ C:\WINDOWS\system32\tuvvWmmj.dll
2008-04-22 21:05:07 37888 --a------ C:\WINDOWS\system32\wvUMCvVn.dll
2008-04-22 20:52:42 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-04-20 15:47:43 0 d-------- C:\Program Files\Build-a-lot 2 - Town of the Year
2008-04-20 14:43:26 0 d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-04-20 14:43:10 0 d-------- C:\WINDOWS\Build-a-lot 2 - Town of the Year
2008-04-20 14:37:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 14:32:02 0 --a------ C:\Program Files\temp01
2008-04-11 01:21:05 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-04-11 01:20:58 0 d-------- C:\Program Files\DivX
2008-04-11 01:14:29 0 d-------- C:\Program Files\The Playa
2008-04-11 01:12:28 56832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-04-11 01:12:28 27648 --a------ C:\WINDOWS\system32\ir50_lcs.dll <Not Verified; Intel Corporation.; Intel Indeo® video 5.0 LC>
2008-04-11 01:12:28 143872 --a------ C:\WINDOWS\system32\iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-04-08 21:30:26 0 d-------- C:\Documents and Settings\Mandy\Application Data\Corel


-- Find3M Report ---------------------------------------------------------------

2008-04-25 15:46:44 0 d-------- C:\Program Files\Common Files
2008-04-22 20:09:02 0 d-------- C:\Program Files\EA GAMES
2008-04-20 15:40:05 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-07 23:10:14 0 d-------- C:\Program Files\Google
2008-03-23 22:47:52 0 d-------- C:\Program Files\Jane's Combat Simulations
2008-03-23 19:29:41 0 d-------- C:\Documents and Settings\Mandy\Application Data\Adobe
2008-03-19 00:05:20 0 d-------- C:\Documents and Settings\Mandy\Application Data\HP
2008-03-17 21:36:50 0 d-------- C:\Program Files\MagicDisc
2008-03-17 21:21:07 0 d-------- C:\Program Files\MagicISO
2008-03-16 15:13:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-11 16:57:52 0 d-------- C:\Program Files\Ahead
2008-03-11 16:49:33 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-10 21:05:28 0 d-------- C:\Documents and Settings\Mandy\Application Data\Yahoo!
2008-03-10 02:34:24 0 d-------- C:\Program Files\Yahoo!
2008-03-10 02:32:56 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-10 00:54:16 0 d-------- C:\Program Files\Zune
2008-03-09 20:58:20 0 d-------- C:\Program Files\The Weather Channel Toolbar
2008-03-09 18:52:49 0 d-------- C:\Program Files\Microsoft Games
2008-03-09 18:42:08 88 -r-hs---- C:\WINDOWS\system32\F133C7A714.sys
2008-03-09 18:40:45 0 d-------- C:\Program Files\Common Files\Corel
2008-03-09 18:39:41 0 d-------- C:\Program Files\Corel
2008-03-09 15:23:00 0 d-------- C:\Documents and Settings\Mandy\Application Data\Macromedia
2008-03-09 15:01:12 0 d-------- C:\Documents and Settings\Mandy\Application Data\Identities
2008-03-09 10:41:33 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-09 10:39:45 0 d-------- C:\Program Files\MSBuild
2008-03-09 10:36:00 0 d-------- C:\Program Files\Reference Assemblies
2008-03-09 10:35:00 0 d-------- C:\Program Files\MSXML 6.0
2008-03-09 10:34:22 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-09 04:42:37 0 d-------- C:\Program Files\MSXML 4.0
2008-03-09 04:39:32 0 d-------- C:\Program Files\Messenger
2008-03-09 03:45:05 0 d-------- C:\Program Files\Movie Maker
2008-03-09 03:43:57 0 d-------- C:\Program Files\Windows NT
2008-03-09 02:47:58 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-09 02:41:52 0 d-------- C:\Program Files\uTorrent
2008-03-09 02:38:35 0 d-------- C:\Program Files\Creative
2008-03-09 02:38:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-09 02:38:06 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-09 02:38:06 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-03-09 02:34:09 90691 --a------ C:\WINDOWS\hpiins01.dat
2008-03-09 02:31:37 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-09 02:31:14 0 d-------- C:\Program Files\Common Files\HP
2008-03-09 02:29:25 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-09 02:26:45 0 d-------- C:\Program Files\HP
2008-03-09 02:24:08 20454 --a------ C:\WINDOWS\hpoins01.dat
2008-03-09 02:22:14 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-09 02:18:37 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-03-09 02:14:43 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-09 02:13:41 0 d-------- C:\Program Files\ATI Technologies
2008-03-09 02:06:15 0 d-------- C:\Program Files\Snapshot Viewer
2008-03-09 02:05:12 0 d-------- C:\Program Files\microsoft frontpage
2008-03-09 01:36:27 0 d-------- C:\Program Files\Gateway
2008-03-09 01:35:39 0 d-------- C:\Program Files\Common Files\Lanovation
2008-03-09 01:33:32 0 d-------- C:\Program Files\Microsoft Works
2008-03-09 01:25:10 0 d-------- C:\Program Files\Common Files\Nero
2008-03-09 01:23:41 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-09 01:14:37 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-03-09 01:05:08 1157 --a------ C:\WINDOWS\checkip.dat
2008-03-09 00:33:16 0 -rahs---- C:\MSDOS.SYS
2008-03-09 00:33:16 0 -rahs---- C:\IO.SYS
2008-03-09 00:33:16 0 --a------ C:\CONFIG.SYS
2008-03-09 00:33:16 0 --a------ C:\AUTOEXEC.BAT
2008-03-09 00:31:23 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-09 00:31:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-09 00:30:21 0 d-------- C:\Program Files\Online Services
2008-03-09 00:30:12 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-08 18:22:56 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-08 18:22:53 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-08 18:22:32 62 --ahs---- C:\Documents and Settings\Mandy\Application Data\desktop.ini
2008-03-04 08:29:22 327680 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll <Not Verified; ; Weather Channel Toolbar>
2008-03-04 08:25:36 98304 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll <Not Verified; ; Weather Channel Toolbar BHO>
2008-02-25 22:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02AD31CD-0950-4803-8EF9-ADC2A8C3F7C7}]
04/22/2008 09:10 PM 272384 --a------ C:\WINDOWS\system32\ssQiHbya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5bfb936f-e6c3-4163-a5fa-617cab5969a0}]
04/26/2008 11:41 AM 107072 --a------ C:\WINDOWS\system32\jssriqyu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6C54318-5AC7-477D-B0A7-49AF5189300C}]
04/22/2008 09:05 PM 37888 --a------ C:\WINDOWS\system32\wvUMCvVn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 03:40 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [03/23/2006 05:06 PM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 03:56 PM C:\WINDOWS\CTHELPER.EXE]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [09/24/2005 01:08 AM]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 03:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [01/11/2008 05:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/28/2007 12:00 PM]
"BM039c7024"="C:\WINDOWS\system32\cirphpcw.dll" [04/26/2008 08:51 AM]
"00af43b8"="C:\WINDOWS\system32\fjfxphuw.dll" [04/26/2008 11:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/6/2003 1:37:10 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 2:06:58 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [9/20/2006 10:17:10 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A6C54318-5AC7-477D-B0A7-49AF5189300C}"= C:\WINDOWS\system32\wvUMCvVn.dll [04/22/2008 09:05 PM 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUMCvVn]
wvUMCvVn.dll 04/22/2008 09:05 PM 37888 C:\WINDOWS\system32\wvUMCvVn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssQiHbya

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-26 12:25:57 ------------




And the extra text:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 2558.73 MiB / 1846.57 MiB
Pagefile Memory (total/avail): 4452.05 MiB / 3665.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.6 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 12.12 GiB free.
D: is Removable (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)
H: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD800BB-53DKA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE1 - HP psc 2175 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Documents and Settings\\Mandy\\Local Settings\\Temporary Internet Files\\Content.IE5\\LZV7VM3R\\utorrent[1].exe"="C:\\Documents and Settings\\Mandy\\Local Settings\\Temporary Internet Files\\Content.IE5\\LZV7VM3R\\utorrent[1].exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mandy\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OFFICE-PC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mandy
LOGONSERVER=\\OFFICE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mandy\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mandy\LOCALS~1\Temp
USERDOMAIN=OFFICE-PC
USERNAME=Mandy
USERPROFILE=C:\Documents and Settings\Mandy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Tim (admin)
Mandy (admin)
Julia


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Yahoo!\Yahoo! Music Jukebox\oggcodecs\uninst.exe
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\unmrw.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Build-a-lot 2 - Town of the Year --> "C:\WINDOWS\Build-a-lot 2 - Town of the Year\uninstall.exe" "/U:C:\Program Files\Build-a-lot 2 - Town of the Year\Uninstall\uninstall.xml"
CA Yahoo! Anti-Spy (remove only) --> "C:\Program Files\CA Yahoo! Anti-Spy\uninstall.exe"
Corel Paint Shop Pro Photo X2 --> MsiExec.exe /X{64E72FB1-2343-4977-B4A8-262CD53D0BD3}
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
DivX 5.0.1 Bundle --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\uninstal.log
Flight Simulator X -->
Flight Simulator X Service Pack 1 -->
Gateway Drivers and Applications Recovery --> C:\Program Files\Gateway\HPA\GWMenu.exe UNINSTALL
Gateway IE Customizations --> C:\Program Files\\Gateway\IECustom\IEProj.exe UNINSTALL
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Earth Pro --> MsiExec.exe /X{9578C0CD-8108-4379-9026-4601F59859A0}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Imaging Device Functions 6.0 --> C:\Program Files\Hewlett-Packard\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe /s CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 2170 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
HP Photosmart Cameras 6.0 --> C:\Program Files\Hewlett-Packard\Digital Imaging\{61CF89F5-5175-4b3b-ABB8-C89821252D50}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\Hewlett-Packard\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
hp psc 2170 series --> MsiExec.exe /X{93FB47FB-4FDF-4131-B5FD-7A37883868E7}
hp psc 2170 series --> rundll32 hpzcon07.dll,VendorJettison hp psc 2170 series
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.0 --> C:\Program Files\Hewlett-Packard\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\CDUninst.isu
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.6.93 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator X --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{9527A496-5DF9-412A-ADC7-168BA5379CA6}
Microsoft Flight Simulator X --> MsiExec.exe /X{9527A496-5DF9-412A-ADC7-168BA5379CA6}
Microsoft Flight Simulator X Service Pack 1 --> c:\WINDOWS\system32\msiexec.exe /qb /l*vx "%TEMP%\FlightSimPatchUninstall.log" /uninstall {92635E02-4C29-4A8F-AA82-7B8B95C823D3} /package {9527A496-5DF9-412A-ADC7-168BA5379CA6}
Microsoft Flight Simulator X: Acceleration --> C:\WINDOWS\system32\msiexec.exe /qb /l*vx "%TEMP%\FlightSimUninstall.log" /uninstall {A9729B90-D37B-4A69-B66A-7436AC1F7274}
Microsoft Flight Simulator X: Acceleration --> MsiExec.exe /I{A9729B90-D37B-4A69-B66A-7436AC1F7274}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Small Business --> MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NeroVision Express Content --> C:\WINDOWS\UNNVEContent.exe /UNINSTALL
The Playa --> "C:\Program Files\The Playa\uninstall.exe"
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Family Fun Stuff --> C:\Program Files\EA GAMES\The Sims 2 Family Fun Stuff\EAUninstall.exe
The Sims 2 Glamour Life Stuff --> C:\Program Files\EA GAMES\The Sims 2 Glamour Life Stuff\EAUninstall.exe
The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims™ 2 Bon Voyage --> C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe
The Sims™ 2 Celebration! Stuff --> C:\Program Files\EA GAMES\The Sims 2 Celebration! Stuff\EAUninstall.exe
The Sims™ 2 FreeTime --> C:\Program Files\EA GAMES\The Sims 2 FreeTime\EAUninstall.exe
The Sims™ 2 H&M® Fashion Stuff --> C:\Program Files\EA GAMES\The Sims 2 H&M® Fashion Stuff\EAUninstall.exe
The Sims™ 2 Kitchen & Bath Interior Design Stuff --> C:\Program Files\EA GAMES\The Sims 2 Kitchen & Bath Interior Design Stuff\EAUninstall.exe
The Sims™ 2 Seasons --> C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe
The Sims™ 2 Teen Style Stuff --> C:\Program Files\EA GAMES\The Sims 2 Teen Style Stuff\EAUninstall.exe
The Weather Channel Toolbar --> C:\PROGRA~1\THEWEA~1\UNWISE.EXE C:\PROGRA~1\THEWEA~1\twcINSTALL.LOG
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR --> "C:\WINDOWS\WinRAR\uninstall.exe" "/U:C:\Program Files\WinRAR\Uninstall\uninstall.xml"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Music Jukebox --> MsiExec.exe /X{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zune --> MsiExec.exe /X{7583239A-D4BE-48CA-A253-396122B3D3E9}
Zune Language Pack (ES) --> MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1309 / Error
Event Submitted/Written: 04/26/2008 11:36:07 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1293 / Warning
Event Submitted/Written: 04/26/2008 09:03:00 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type939 / Warning
Event Submitted/Written: 04/24/2008 06:15:31 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: warning

Automatic LiveUpdate produced an unexpected exit code: 1; advancing schedule...

Event Record #/Type777 / Error
Event Submitted/Written: 04/24/2008 00:01:45 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 686628912.

Event Record #/Type776 / Error
Event Submitted/Written: 04/24/2008 00:01:44 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 686628912.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4387 / Error
Event Submitted/Written: 04/26/2008 00:24:32 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the WMP54Gv4SVC service.

Event Record #/Type4382 / Error
Event Submitted/Written: 04/26/2008 10:27:43 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type4356 / Error
Event Submitted/Written: 04/26/2008 09:03:40 AM / 04/26/2008 09:04:07 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type4354 / Warning
Event Submitted/Written: 04/26/2008 09:04:06 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0018F828CEE7. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type4353 / Warning
Event Submitted/Written: 04/26/2008 09:03:57 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0018F828CEE7. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-04-26 12:25:57 ------------




Thanks!
Mandy

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:37 PM

Posted 27 April 2008 - 09:31 AM

Hi Mandy,

We can solve this..

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mandymershon

mandymershon
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 27 April 2008 - 10:04 AM

Awesome! Thanks!

Combofix log:
ComboFix 08-04-26.3 - Mandy 2008-04-27 9:38:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1968 [GMT -5:00]
Running from: C:\Documents and Settings\Mandy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abHNpXbc.ini
C:\WINDOWS\system32\abHNpXbc.ini2
C:\WINDOWS\system32\aybHiQss.ini
C:\WINDOWS\system32\aybHiQss.ini2
C:\WINDOWS\system32\bKUFNqss.ini
C:\WINDOWS\system32\bKUFNqss.ini2
C:\WINDOWS\system32\bnqltfwe.ini
C:\WINDOWS\system32\byqhumkq.dll
C:\WINDOWS\system32\cbXpNHba.dll
C:\WINDOWS\system32\cgmnthcx.ini
C:\WINDOWS\system32\cirphpcw.dll
C:\WINDOWS\system32\cnlgyxlc.dll
C:\WINDOWS\system32\dgjsmmgn.dll
C:\WINDOWS\system32\ebscngdq.dll
C:\WINDOWS\system32\efcYSlME.dll
C:\WINDOWS\system32\EMlSYcfe.ini
C:\WINDOWS\system32\EMlSYcfe.ini2
C:\WINDOWS\system32\eukctuas.dll
C:\WINDOWS\system32\ffPWHkkj.ini
C:\WINDOWS\system32\ffPWHkkj.ini2
C:\WINDOWS\system32\frgrlhvb.dll
C:\WINDOWS\system32\fugmvpdo.dll
C:\WINDOWS\system32\fwtfgirq.ini
C:\WINDOWS\system32\gewcbfxg.dll
C:\WINDOWS\system32\gkvtumxn.dll
C:\WINDOWS\system32\glpbpjgy.dll
C:\WINDOWS\system32\gxfbcweg.ini
C:\WINDOWS\system32\gxxuboqg.dll
C:\WINDOWS\system32\hgGyxVOF.dll
C:\WINDOWS\system32\hxxrwyjr.ini
C:\WINDOWS\system32\iIbxvVOH.dll
C:\WINDOWS\system32\jicystnb.dll
C:\WINDOWS\system32\jkkHWPff.dll
C:\WINDOWS\system32\jogdbkns.ini
C:\WINDOWS\system32\jQqsBJjl.ini
C:\WINDOWS\system32\jQqsBJjl.ini2
C:\WINDOWS\system32\jrpnrnxo.dll
C:\WINDOWS\system32\jssriqyu.dll
C:\WINDOWS\system32\jthuwknn.dll
C:\WINDOWS\system32\ljJBsqQj.dll
C:\WINDOWS\system32\lrejvlpv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdyklqcj.dll
C:\WINDOWS\system32\mhdlcafo.ini
C:\WINDOWS\system32\nacycqda.dll
C:\WINDOWS\system32\nqvylqfs.dll
C:\WINDOWS\system32\onbdrelu.ini
C:\WINDOWS\system32\osywrwic.dll
C:\WINDOWS\system32\pcifuwyj.dll
C:\WINDOWS\system32\qdgncsbe.ini
C:\WINDOWS\system32\qeaybceu.ini
C:\WINDOWS\system32\qiapbpsk.dll
C:\WINDOWS\system32\qoMcYQKA.dll
C:\WINDOWS\system32\qrigftwf.dll
C:\WINDOWS\system32\qytamhlo.dll
C:\WINDOWS\system32\rikiqqps.dll
C:\WINDOWS\system32\rtfcrrvr.dll
C:\WINDOWS\system32\ssQiHbya.dll
C:\WINDOWS\system32\ssqNFUKb.dll
C:\WINDOWS\system32\sytpjvfd.dll
C:\WINDOWS\system32\TtAIlUtv.ini
C:\WINDOWS\system32\TtAIlUtv.ini2
C:\WINDOWS\system32\tuvvWmmj.dll
C:\WINDOWS\system32\twkltcvo.dll
C:\WINDOWS\system32\UCLloUtv.ini
C:\WINDOWS\system32\UCLloUtv.ini2
C:\WINDOWS\system32\ulvelatq.dll
C:\WINDOWS\system32\urqemhpp.dll
C:\WINDOWS\system32\vkxjabhe.ini
C:\WINDOWS\system32\vplvjerl.ini
C:\WINDOWS\system32\vtUkiHxw.dll
C:\WINDOWS\system32\vtUlIAtT.dll
C:\WINDOWS\system32\vtUolLCU.dll
C:\WINDOWS\system32\wfnjgrkk.dll
C:\WINDOWS\system32\wuhpxfjf.ini
C:\WINDOWS\system32\wvUMCvVn.dll
C:\WINDOWS\system32\wxHikUtv.ini
C:\WINDOWS\system32\wxHikUtv.ini2
C:\WINDOWS\system32\wynvlidt.dll
C:\WINDOWS\system32\xbnlmhue.dll
C:\WINDOWS\system32\xchtnmgc.dll
C:\WINDOWS\system32\xenamexd.dll
C:\WINDOWS\system32\xmbavtmp.dll
C:\WINDOWS\system32\ydpafrus.dll
C:\WINDOWS\system32\yofjinyb.dll
C:\WINDOWS\system32\yxmgjygn.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 12:21 . 2008-04-26 12:21 <DIR> d-------- C:\Deckard
2008-04-25 15:43 . 2008-04-25 15:47 8,591 --a------ C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
2008-04-24 20:14 . 2008-04-24 21:20 2,372,768 --ahs---- C:\WINDOWS\system32\fixwrpkf.ini
2008-04-24 12:21 . 2008-04-25 07:58 2,712,245 --ahs---- C:\WINDOWS\system32\uqksfesb.ini
2008-04-24 00:34 . 2008-04-25 15:46 <DIR> d-------- C:\Program Files\Symantec
2008-04-24 00:34 . 2008-04-25 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 00:33 . 2008-04-25 16:00 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 22:58 . 2008-04-23 22:58 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-04-23 22:57 . 2008-04-25 17:48 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-23 22:08 . 2008-04-23 22:09 1,540,737 --ahs---- C:\WINDOWS\system32\lhkawjml.ini
2008-04-23 11:05 . 2008-04-23 18:53 1,540,662 --ahs---- C:\WINDOWS\system32\nfvcxfba.ini
2008-04-23 09:16 . 2008-04-24 12:19 1,509,579 --ahs---- C:\WINDOWS\system32\mursyvth.ini
2008-04-23 09:13 . 2008-04-27 08:19 109,791 --a------ C:\WINDOWS\BM039c7024.xml
2008-04-22 20:52 . 2008-04-22 20:52 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-20 15:47 . 2008-04-20 15:47 <DIR> d-------- C:\Program Files\Build-a-lot 2 - Town of the Year
2008-04-20 14:43 . 2008-04-20 14:43 <DIR> d-------- C:\WINDOWS\Build-a-lot 2 - Town of the Year
2008-04-20 14:43 . 2008-04-20 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-04-20 14:37 . 2008-04-20 15:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 01:21 . 1999-12-17 11:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-04-11 01:20 . 2008-04-11 01:21 <DIR> d-------- C:\Program Files\DivX
2008-04-11 01:14 . 2008-04-11 01:14 <DIR> d-------- C:\Program Files\The Playa
2008-04-11 01:12 . 1997-08-27 09:53 391,168 --a------ C:\WINDOWS\system32\i263_32.drv
2008-04-11 01:12 . 1998-02-13 14:30 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2008-04-11 01:12 . 1997-06-13 08:56 56,832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-04-11 01:12 . 1997-11-06 12:53 27,648 --a------ C:\WINDOWS\system32\ir50_lcs.dll
2008-04-11 01:12 . 2008-04-11 01:12 5,767 --a------ C:\WINDOWS\system32\CDUninst.isu
2008-04-08 21:30 . 2008-04-08 21:30 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 01:09 --------- d-----w C:\Program Files\EA GAMES
2008-04-20 19:32 0 ----a-w C:\Program Files\temp01
2008-04-08 04:10 --------- d-----w C:\Program Files\Google
2008-03-24 03:47 --------- d-----w C:\Program Files\Jane's Combat Simulations
2008-03-19 05:05 --------- d-----w C:\Documents and Settings\Mandy\Application Data\HP
2008-03-18 15:41 --------- d-----w C:\Documents and Settings\Julia\Application Data\Yahoo!
2008-03-18 02:36 --------- d-----w C:\Program Files\MagicDisc
2008-03-18 02:21 --------- d-----w C:\Program Files\MagicISO
2008-03-16 20:22 --------- d-----w C:\Documents and Settings\Tim\Application Data\Ahead
2008-03-16 20:13 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-11 21:57 --------- d-----w C:\Program Files\Ahead
2008-03-11 21:49 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-11 02:05 --------- d-----w C:\Documents and Settings\Mandy\Application Data\Yahoo!
2008-03-10 07:34 --------- d-----w C:\Program Files\Yahoo!
2008-03-10 07:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-10 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-03-10 07:32 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-03-10 05:54 --------- d-----w C:\Program Files\Zune
2008-03-10 05:53 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-10 05:53 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2008-03-10 01:58 --------- d-----w C:\Program Files\The Weather Channel Toolbar
2008-03-10 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-10 01:53 --------- d-----w C:\Documents and Settings\Tim\Application Data\Yahoo!
2008-03-09 23:52 --------- d-----w C:\Program Files\Microsoft Games
2008-03-09 23:42 --------- d-----w C:\Documents and Settings\Tim\Application Data\Corel
2008-03-09 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-03-09 23:40 --------- d-----w C:\Program Files\Common Files\Corel
2008-03-09 23:39 --------- d-----w C:\Program Files\Corel
2008-03-09 15:47 --------- d-----w C:\Documents and Settings\Tim\Application Data\HP
2008-03-09 15:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-09 15:39 --------- d-----w C:\Program Files\MSBuild
2008-03-09 15:36 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-09 15:35 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-09 15:34 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-09 09:42 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-09 07:41 --------- d-----w C:\Program Files\uTorrent
2008-03-09 07:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 07:38 --------- d-----w C:\Program Files\Creative
2008-03-09 07:38 --------- d-----w C:\Documents and Settings\Tim\Application Data\Creative
2008-03-09 07:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-03-09 07:31 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-09 07:31 --------- d-----w C:\Program Files\Common Files\HP
2008-03-09 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-09 07:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-09 07:26 --------- d-----w C:\Program Files\HP
2008-03-09 07:22 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-09 07:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-09 07:13 --------- d-----w C:\Program Files\ATI Technologies
2008-03-09 07:06 --------- d-----w C:\Program Files\Snapshot Viewer
2008-03-09 07:05 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-09 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SBT
2008-03-09 06:54 --------- d-----w C:\Documents and Settings\Tim\Application Data\Microsoft Web Folders
2008-03-09 06:36 --------- d-----w C:\Program Files\Gateway
2008-03-09 06:35 --------- d-----w C:\Program Files\Common Files\Lanovation
2008-03-09 06:33 0 ----a-w C:\WINDOWS\system32\drivers\GATEWAY__101.MRK
2008-03-09 06:33 --------- d-----w C:\Program Files\Microsoft Works
2008-03-09 06:30 542,976 ----a-w C:\WINDOWS\system32\drivers\smwdm.sys
2008-03-09 06:30 4,816 ----a-w C:\WINDOWS\system32\drivers\aeaudio.sys
2008-03-09 06:30 3,744 ----a-w C:\WINDOWS\system32\drivers\smsens.sys
2008-03-09 06:25 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-09 06:23 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-09 06:14 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-09 06:14 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2006-09-20 15:13 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
2006-09-20 15:13 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
2006-09-20 15:13 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
2006-09-20 15:13 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
2006-09-20 15:13 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
2006-09-20 15:13 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-09-24 01:08 49152]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2006-08-11 15:42 25600 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\Julia\Start Menu\Programs\Startup\
Internet Explorer.lnk - C:\Program Files\Internet Explorer\iexplore.exe [2008-03-09 00:31:06 625664]

C:\Documents and Settings\Tim\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-03-17 21:23:51 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 01:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2006-09-20 10:17:10 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUMCvVn]
wvUMCvVn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
R3 SaiH0464;SaiH0464;C:\WINDOWS\system32\DRIVERS\SaiH0464.sys [2005-11-03 10:52]
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\system32\DRIVERS\SMC1211.SYS [2001-07-11 11:06]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-27 08:00:00 C:\WINDOWS\Tasks\defrag.job"
- C:\WINDOWS\system32\defrag.exe
"2008-04-09 15:47:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1205077626.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 09:50:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2008-04-27 9:57:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 14:57:04

Pre-Run: 12,916,576,256 bytes free
Post-Run: 13,482,266,624 bytes free

291 --- E O F --- 2008-04-10 08:02:51



Hijackthis log:
Deckard's System Scanner v20071014.68
Run by Mandy on 2008-04-27 10:00:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mandy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:17 AM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mandy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mandy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205048848875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205051068046
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: wvUMCvVn - wvUMCvVn.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7237 bytes

-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 10:00:12 0 d-------- C:\Program Files\Trend Micro
2008-04-27 09:36:36 68096 --a------ C:\WINDOWS\zip.exe
2008-04-27 09:36:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-27 09:36:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-27 09:36:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-27 09:36:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-27 09:36:36 98816 --a------ C:\WINDOWS\sed.exe
2008-04-27 09:36:36 80412 --a------ C:\WINDOWS\grep.exe
2008-04-27 09:36:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 00:34:58 0 d-------- C:\Program Files\Symantec
2008-04-24 00:34:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 00:33:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 22:58:04 0 d-------- C:\Program Files\Common Files\Scanner
2008-04-23 22:57:59 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-22 20:52:42 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-04-20 15:47:43 0 d-------- C:\Program Files\Build-a-lot 2 - Town of the Year
2008-04-20 14:43:26 0 d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-04-20 14:43:10 0 d-------- C:\WINDOWS\Build-a-lot 2 - Town of the Year
2008-04-20 14:37:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 14:32:02 0 --a------ C:\Program Files\temp01
2008-04-11 01:21:05 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-04-11 01:20:58 0 d-------- C:\Program Files\DivX
2008-04-11 01:14:29 0 d-------- C:\Program Files\The Playa
2008-04-11 01:12:28 56832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-04-11 01:12:28 27648 --a------ C:\WINDOWS\system32\ir50_lcs.dll <Not Verified; Intel Corporation.; Intel Indeo® video 5.0 LC>
2008-04-11 01:12:28 143872 --a------ C:\WINDOWS\system32\iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-04-08 21:30:26 0 d-------- C:\Documents and Settings\Mandy\Application Data\Corel


-- Find3M Report ---------------------------------------------------------------

2008-04-25 15:46:44 0 d-------- C:\Program Files\Common Files
2008-04-22 20:09:02 0 d-------- C:\Program Files\EA GAMES
2008-04-20 15:40:05 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-07 23:10:14 0 d-------- C:\Program Files\Google
2008-03-23 22:47:52 0 d-------- C:\Program Files\Jane's Combat Simulations
2008-03-23 19:29:41 0 d-------- C:\Documents and Settings\Mandy\Application Data\Adobe
2008-03-19 00:05:20 0 d-------- C:\Documents and Settings\Mandy\Application Data\HP
2008-03-17 21:36:50 0 d-------- C:\Program Files\MagicDisc
2008-03-17 21:21:07 0 d-------- C:\Program Files\MagicISO
2008-03-16 15:13:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-11 16:57:52 0 d-------- C:\Program Files\Ahead
2008-03-11 16:49:33 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-10 21:05:28 0 d-------- C:\Documents and Settings\Mandy\Application Data\Yahoo!
2008-03-10 02:34:24 0 d-------- C:\Program Files\Yahoo!
2008-03-10 02:32:56 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-10 00:54:16 0 d-------- C:\Program Files\Zune
2008-03-09 20:58:20 0 d-------- C:\Program Files\The Weather Channel Toolbar
2008-03-09 18:52:49 0 d-------- C:\Program Files\Microsoft Games
2008-03-09 18:42:08 88 -rahs---- C:\WINDOWS\system32\F133C7A714.sys
2008-03-09 18:40:45 0 d-------- C:\Program Files\Common Files\Corel
2008-03-09 18:39:41 0 d-------- C:\Program Files\Corel
2008-03-09 15:23:00 0 d-------- C:\Documents and Settings\Mandy\Application Data\Macromedia
2008-03-09 15:01:12 0 d-------- C:\Documents and Settings\Mandy\Application Data\Identities
2008-03-09 10:41:33 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-09 10:39:45 0 d-------- C:\Program Files\MSBuild
2008-03-09 10:36:00 0 d-------- C:\Program Files\Reference Assemblies
2008-03-09 10:35:00 0 d-------- C:\Program Files\MSXML 6.0
2008-03-09 10:34:22 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-09 04:42:37 0 d-------- C:\Program Files\MSXML 4.0
2008-03-09 04:39:32 0 d-------- C:\Program Files\Messenger
2008-03-09 03:45:05 0 d-------- C:\Program Files\Movie Maker
2008-03-09 03:43:57 0 d-------- C:\Program Files\Windows NT
2008-03-09 02:47:58 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-09 02:41:52 0 d-------- C:\Program Files\uTorrent
2008-03-09 02:38:35 0 d-------- C:\Program Files\Creative
2008-03-09 02:38:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-09 02:38:06 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-09 02:38:06 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-03-09 02:34:09 90691 --a------ C:\WINDOWS\hpiins01.dat
2008-03-09 02:31:37 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-09 02:31:14 0 d-------- C:\Program Files\Common Files\HP
2008-03-09 02:29:25 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-09 02:26:45 0 d-------- C:\Program Files\HP
2008-03-09 02:24:08 20454 --a------ C:\WINDOWS\hpoins01.dat
2008-03-09 02:22:14 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-09 02:18:37 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-03-09 02:14:43 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-09 02:13:41 0 d-------- C:\Program Files\ATI Technologies
2008-03-09 02:06:15 0 d-------- C:\Program Files\Snapshot Viewer
2008-03-09 02:05:12 0 d-------- C:\Program Files\microsoft frontpage
2008-03-09 01:36:27 0 d-------- C:\Program Files\Gateway
2008-03-09 01:35:39 0 d-------- C:\Program Files\Common Files\Lanovation
2008-03-09 01:33:32 0 d-------- C:\Program Files\Microsoft Works
2008-03-09 01:25:10 0 d-------- C:\Program Files\Common Files\Nero
2008-03-09 01:23:41 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-09 01:14:37 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-03-09 01:05:08 1157 --a------ C:\WINDOWS\checkip.dat
2008-03-09 00:33:16 0 -rahs---- C:\MSDOS.SYS
2008-03-09 00:33:16 0 -rahs---- C:\IO.SYS
2008-03-09 00:33:16 0 --a------ C:\CONFIG.SYS
2008-03-09 00:33:16 0 --a------ C:\AUTOEXEC.BAT
2008-03-09 00:31:23 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-09 00:31:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-09 00:30:21 0 d-------- C:\Program Files\Online Services
2008-03-09 00:30:12 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-08 18:22:56 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-08 18:22:53 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-08 18:22:32 62 --ahs---- C:\Documents and Settings\Mandy\Application Data\desktop.ini
2008-03-04 08:29:22 327680 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll <Not Verified; ; Weather Channel Toolbar>
2008-03-04 08:25:36 98304 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll <Not Verified; ; Weather Channel Toolbar BHO>
2008-02-25 22:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 03:40 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [03/23/2006 05:06 PM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 03:56 PM C:\WINDOWS\CTHELPER.EXE]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [09/24/2005 01:08 AM]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 03:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [01/11/2008 05:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/28/2007 12:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/6/2003 1:37:10 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 2:06:58 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [9/20/2006 10:17:10 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUMCvVn]
wvUMCvVn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-27 10:00:40 ------------

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:37 PM

Posted 27 April 2008 - 10:16 AM

Hi Mandy,

The first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

I see that your Internet Explorer is set to start up with Windows for the Julia account. I do not recommend this, so we'll remove that startup entry as well.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\Documents and Settings\Julia\Start Menu\Programs\Startup\Internet Explorer.lnk
C:\WINDOWS\system32\fixwrpkf.ini
C:\WINDOWS\system32\uqksfesb.ini
C:\WINDOWS\system32\lhkawjml.ini
C:\WINDOWS\system32\nfvcxfba.ini
C:\WINDOWS\system32\mursyvth.ini
C:\WINDOWS\BM039c7024.xml
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUMCvVn]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Edited by miekiemoes, 27 April 2008 - 10:17 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 mandymershon

mandymershon
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 27 April 2008 - 03:57 PM

My crazy husband accidently closed the CF log before I could save or copy/paste it but here is the HijackThis log:

Deckard's System Scanner v20071014.68
Run by Mandy on 2008-04-27 15:55:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mandy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:43 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mandy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mandy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-790525478-879983540-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Tim')
O4 - HKUS\S-1-5-21-790525478-879983540-725345543-1004\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" (User 'Tim')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-21-790525478-879983540-725345543-1004 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Tim')
O4 - S-1-5-21-790525478-879983540-725345543-1004 User Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Tim')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205048848875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205051068046
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7567 bytes

-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 10:00:12 0 d-------- C:\Program Files\Trend Micro
2008-04-27 09:36:36 68096 --a------ C:\WINDOWS\zip.exe
2008-04-27 09:36:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-27 09:36:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-27 09:36:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-27 09:36:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-27 09:36:36 98816 --a------ C:\WINDOWS\sed.exe
2008-04-27 09:36:36 80412 --a------ C:\WINDOWS\grep.exe
2008-04-27 09:36:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 00:34:58 0 d-------- C:\Program Files\Symantec
2008-04-24 00:34:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 00:33:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 22:58:04 0 d-------- C:\Program Files\Common Files\Scanner
2008-04-23 22:57:59 0 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-22 20:52:42 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-04-20 15:47:43 0 d-------- C:\Program Files\Build-a-lot 2 - Town of the Year
2008-04-20 14:43:26 0 d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-04-20 14:43:10 0 d-------- C:\WINDOWS\Build-a-lot 2 - Town of the Year
2008-04-20 14:37:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 14:32:02 0 --a------ C:\Program Files\temp01
2008-04-11 01:21:05 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-04-11 01:20:58 0 d-------- C:\Program Files\DivX
2008-04-11 01:14:29 0 d-------- C:\Program Files\The Playa
2008-04-11 01:12:28 56832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-04-11 01:12:28 27648 --a------ C:\WINDOWS\system32\ir50_lcs.dll <Not Verified; Intel Corporation.; Intel Indeo® video 5.0 LC>
2008-04-11 01:12:28 143872 --a------ C:\WINDOWS\system32\iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-04-08 21:30:26 0 d-------- C:\Documents and Settings\Mandy\Application Data\Corel


-- Find3M Report ---------------------------------------------------------------

2008-04-25 15:46:44 0 d-------- C:\Program Files\Common Files
2008-04-22 20:09:02 0 d-------- C:\Program Files\EA GAMES
2008-04-20 15:40:05 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-07 23:10:14 0 d-------- C:\Program Files\Google
2008-03-23 22:47:52 0 d-------- C:\Program Files\Jane's Combat Simulations
2008-03-23 19:29:41 0 d-------- C:\Documents and Settings\Mandy\Application Data\Adobe
2008-03-19 00:05:20 0 d-------- C:\Documents and Settings\Mandy\Application Data\HP
2008-03-17 21:36:50 0 d-------- C:\Program Files\MagicDisc
2008-03-17 21:21:07 0 d-------- C:\Program Files\MagicISO
2008-03-16 15:13:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-11 16:57:52 0 d-------- C:\Program Files\Ahead
2008-03-11 16:49:33 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-10 21:05:28 0 d-------- C:\Documents and Settings\Mandy\Application Data\Yahoo!
2008-03-10 02:34:24 0 d-------- C:\Program Files\Yahoo!
2008-03-10 02:32:56 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-10 00:54:16 0 d-------- C:\Program Files\Zune
2008-03-09 20:58:20 0 d-------- C:\Program Files\The Weather Channel Toolbar
2008-03-09 18:52:49 0 d-------- C:\Program Files\Microsoft Games
2008-03-09 18:42:08 88 -rahs---- C:\WINDOWS\system32\F133C7A714.sys
2008-03-09 18:40:45 0 d-------- C:\Program Files\Common Files\Corel
2008-03-09 18:39:41 0 d-------- C:\Program Files\Corel
2008-03-09 15:23:00 0 d-------- C:\Documents and Settings\Mandy\Application Data\Macromedia
2008-03-09 15:01:12 0 d-------- C:\Documents and Settings\Mandy\Application Data\Identities
2008-03-09 10:41:33 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-09 10:39:45 0 d-------- C:\Program Files\MSBuild
2008-03-09 10:36:00 0 d-------- C:\Program Files\Reference Assemblies
2008-03-09 10:35:00 0 d-------- C:\Program Files\MSXML 6.0
2008-03-09 10:34:22 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-09 04:42:37 0 d-------- C:\Program Files\MSXML 4.0
2008-03-09 04:39:32 0 d-------- C:\Program Files\Messenger
2008-03-09 03:45:05 0 d-------- C:\Program Files\Movie Maker
2008-03-09 03:43:57 0 d-------- C:\Program Files\Windows NT
2008-03-09 02:47:58 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-09 02:41:52 0 d-------- C:\Program Files\uTorrent
2008-03-09 02:38:35 0 d-------- C:\Program Files\Creative
2008-03-09 02:38:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-09 02:38:06 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-09 02:38:06 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-03-09 02:34:09 90691 --a------ C:\WINDOWS\hpiins01.dat
2008-03-09 02:31:37 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-09 02:31:14 0 d-------- C:\Program Files\Common Files\HP
2008-03-09 02:29:25 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-09 02:26:45 0 d-------- C:\Program Files\HP
2008-03-09 02:24:08 20454 --a------ C:\WINDOWS\hpoins01.dat
2008-03-09 02:22:14 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-09 02:18:37 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-03-09 02:14:43 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-09 02:13:41 0 d-------- C:\Program Files\ATI Technologies
2008-03-09 02:06:15 0 d-------- C:\Program Files\Snapshot Viewer
2008-03-09 02:05:12 0 d-------- C:\Program Files\microsoft frontpage
2008-03-09 01:36:27 0 d-------- C:\Program Files\Gateway
2008-03-09 01:35:39 0 d-------- C:\Program Files\Common Files\Lanovation
2008-03-09 01:33:32 0 d-------- C:\Program Files\Microsoft Works
2008-03-09 01:25:10 0 d-------- C:\Program Files\Common Files\Nero
2008-03-09 01:23:41 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-09 01:14:37 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-03-09 01:05:08 1157 --a------ C:\WINDOWS\checkip.dat
2008-03-09 00:33:16 0 -rahs---- C:\MSDOS.SYS
2008-03-09 00:33:16 0 -rahs---- C:\IO.SYS
2008-03-09 00:33:16 0 --a------ C:\CONFIG.SYS
2008-03-09 00:33:16 0 --a------ C:\AUTOEXEC.BAT
2008-03-09 00:31:23 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-09 00:31:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-09 00:30:21 0 d-------- C:\Program Files\Online Services
2008-03-09 00:30:12 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-08 18:22:56 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-08 18:22:53 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-08 18:22:32 62 --ahs---- C:\Documents and Settings\Mandy\Application Data\desktop.ini
2008-03-04 08:29:22 327680 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll <Not Verified; ; Weather Channel Toolbar>
2008-03-04 08:25:36 98304 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll <Not Verified; ; Weather Channel Toolbar BHO>
2008-02-25 22:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 03:40 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [03/23/2006 05:06 PM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 03:56 PM C:\WINDOWS\CTHELPER.EXE]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [09/24/2005 01:08 AM]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 03:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [01/11/2008 05:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/28/2007 12:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/6/2003 1:37:10 AM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 2:06:58 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [9/20/2006 10:17:10 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-27 15:56:08 ------------

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:37 PM

Posted 27 April 2008 - 04:32 PM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 mandymershon

mandymershon
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 27 April 2008 - 08:37 PM

Everything seems OK. The horrible nude girl popups have stopped (nice when my kid is playing on SesameStreet.com!) and the internet is running faster. Thanks so much for all your help!
Mandy

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:37 PM

Posted 28 April 2008 - 02:54 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:37 PM

Posted 03 May 2008 - 12:43 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users