
Adware.vundo Variant/resident


  • This topic is locked
18 replies to this topic

#1 kcasey

kcasey

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 01:51 PM

Posted 14 May 2008 - 11:48 AM

Hi!

Hope you can help. My name is Kelly and I've been having the same problem for days now. (I have no idea how I got it.)

Have tried several programs to remove this Vundo. Tried ATF Cleaner, Vundofix, Super Antispyware, NoLop, SDfix. Every time I reconnect to the internet the Vundo reappears and my desktop icons and taskbar disappear. AntiSpyWare finds the Vundo and deletes it, then it comes back. SDfix found it and deleted it, and then it came back. Vundofix never found anything. NoLop did not find anything.

I found a thread on here about Unremovable Vundo Variant Virtumonde And Lop Etc (Thread t136511.html) and did all the steps, but I'm still having the same problem. The Vundo keeps reappearing every time I reconnect to the internet. I have only been able to use Super Antispyware to remove it, but like I said it just comes back when I reconnect to the internet.

Thank you

Kelly

Deckard's System Scanner v20071014.68
Run by KELLY CASEY on 2008-05-14 11:07:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-05-14 16:07:49 UTC - RP18 - Deckard's System Scanner Restore Point
17: 2008-05-13 23:58:03 UTC - RP17 - Removed VERITAS Simple Backup
16: 2008-05-13 23:56:54 UTC - RP16 - Removed VERITAS RecordNow
15: 2008-05-13 17:58:51 UTC - RP15 - Software Distribution Service 3.0
14: 2008-05-13 02:12:08 UTC - RP14 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-05-12 23:28:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-14 11:10:44
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mcafee.com\Agent\Mcdetect.exe
C:\Program Files\mcafee.com\VSO\McShield.exe
C:\Program Files\mcafee.com\Agent\McTskshd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\KELLY CASEY\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {1E9D875E-0C69-473B-83B8-22701B0A919F} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {320FFAE9-1C3B-4648-AC21-482F85C9F644} - C:\WINDOWS\system32\khfDtRKc.dll (file missing)
O2 - BHO: (no name) - {6881E739-4F52-4FD4-A80A-C47D7A73A62F} - (no file)
O2 - BHO: (no name) - {88B280F9-5157-4686-8864-6B4A4C29FFE5} - C:\WINDOWS\system32\geBsrOFW.dll (file missing)
O2 - BHO: (no name) - {ABBEACB6-B231-4681-BE82-D448B81C1735} - C:\WINDOWS\system32\byXPIxvt.dll (file missing)
O2 - BHO: (no name) - {DB135DFA-BD53-431B-B673-F58B16C0DAD7} - C:\WINDOWS\system32\hgGayaaY.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\xxyvsSKA.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\mcafee.com\VSO\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} () - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} () - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} () - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} () - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - https://stores.musictoday.com/store/nugs.ne...NugsActiveX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} () - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyvsSKA - C:\WINDOWS\system32\xxyvsSKA.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\mcafee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\mcafee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\mcafee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\mcafee.com\Agent\mcupdmgr.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


--
End of file - 8858 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 cn2487 - c:\windows\system32\drivers\cn2487.sys <Not Verified; ACARD Technology Corp.; ACARD AEC6280 PCI ULTRA 133 IDE Controller>
R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
R2 CX23880 (V-Stream 88XDV Video Capture) - c:\windows\system32\drivers\cx88vid.sys <Not Verified; Conexant Systems, Inc.; cx88vid.sys>
R2 CX88XBAR (V-Stream 88XDV Crossbar) - c:\windows\system32\drivers\cx88xbar.sys <Not Verified; Conexant Systems, Inc.; cx88xbar.sys>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 snpstd2 (USB PC Camera (SN9C103)) - c:\windows\system32\drivers\snpstd2.sys <Not Verified; ; PC Camera driver>
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys <Not Verified; America Online, Inc.; Wan Miniport (ATW)>

S2 CXTUNE (Conexant TV88X Tuner) - c:\windows\system32\drivers\cx88tune.sys <Not Verified; Conexant Systems, Inc.; cx88tune.sys>
S2 MKEUSB01 (%MKEUSB01.SvcDesc%) - c:\windows\system32\drivers\mkeusb01.sys (file missing)
S3 catchme - c:\docume~1\kellyc~1\locals~1\temp\catchme.sys (file missing)
S3 DPCNET5U (Satellite USB Driver) - c:\windows\system32\drivers\dpcnet5u.sys (file missing)
S3 FVNETusb (Linksys Wireless-B USB Network Adapter v2.8 Driver) - c:\windows\system32\drivers\vnet58lx.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 ham50 (Intel V92 HaM Data Fax Voice) - c:\windows\system32\drivers\intelh51.sys <Not Verified; Intel Corporation; Intel® Hardware accelerated Modem Driver>
S3 mohfilt (MOH Filter) - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel; Filter Driver to Support Modem-on-Hold>
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 nuvaud2 (Pinnacle DVC 80 Audio) - c:\windows\system32\drivers\nuvaud2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 NUVision (Pinnacle DVC 80 Video) - c:\windows\system32\drivers\nuvvid2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 pgusbmme (usb-audio.de MME-Adapter) - c:\windows\system32\drivers\pgusbmm3.sys (file missing)
S3 pgusbwdm (usb-audio.de driver (commercial V2.5.8)) - c:\windows\system32\drivers\pgusbwdm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 GEARSecurity - system32\gearsec.exe <Not Verified; GEAR Software; gearsec>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\028DCF0A0000
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\028DCF0A0000
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\A2A5C6D00356
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\A2A5C6D00356
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-05-12 09:51:45 282 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-12 09:51:43 404 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2008-05-08 12:45:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-14 09:30:23 347 --ahs---- C:\WINDOWS\system32\tvxIPXyb.ini2
2008-05-14 07:03:45 0 d-------- C:\WINDOWS\ERUNT
2008-05-13 19:07:34 1173628 --ahs---- C:\WINDOWS\system32\cKRtDfhk.ini2
2008-05-13 18:53:58 212 --a------ C:\delete.bat
2008-05-13 16:15:30 0 d-------- C:\VundoFix Backups
2008-05-13 16:05:06 17362 --ahs---- C:\WINDOWS\system32\YaayaGgh.ini2
2008-05-13 13:09:21 347 --ahs---- C:\WINDOWS\system32\WFOrsBeg.ini2
2008-05-12 21:39:50 347 --ahs---- C:\WINDOWS\system32\gfPYyyay.ini2
2008-05-12 21:13:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 21:12:16 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 21:12:16 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\SUPERAntiSpyware.com
2008-05-12 21:11:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 18:28:08 5399 --ahs---- C:\WINDOWS\system32\VGgPoUvw.ini2
2008-05-12 18:26:12 52736 --a------ C:\WINDOWS\system32\cbXRKCTM.dll
2008-05-12 18:22:37 52736 --a------ C:\WINDOWS\system32\xxyvsSKA.dll
2008-05-12 15:27:13 0 d-------- C:\Program Files\IObit
2008-05-12 10:09:51 0 dr-h----- C:\Documents and Settings\KELLY CASEY\Recent
2008-05-12 10:03:21 0 d-------- C:\Program Files\Yahoo!
2008-05-12 09:51:48 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Uniblue
2008-05-10 13:44:54 0 d-------- C:\Program Files\BitTornado
2008-05-09 23:16:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-28 23:01:14 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-22 16:59:29 0 d-------- C:\Program Files\iPod
2008-04-22 16:59:06 0 d-------- C:\Program Files\iTunes
2008-04-22 16:58:44 0 d-------- C:\Program Files\Bonjour
2008-04-16 06:58:58 0 d-------- C:\Program Files\QuickTime
2008-04-16 06:54:28 0 d-------- C:\Program Files\Apple Software Update


-- Find3M Report ---------------------------------------------------------------

2008-05-13 18:58:19 0 d-------- C:\Program Files\VERITAS Software
2008-05-12 21:11:30 0 d-------- C:\Program Files\Common Files
2008-05-12 16:49:36 53 --a------ C:\biosinfo
2008-05-10 19:40:53 0 d-------- C:\Program Files\EPSON Print CD
2008-05-10 10:13:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 10:13:52 0 d-------- C:\Program Files\CyberLink
2008-05-10 09:02:08 0 d-------- C:\Program Files\Google
2008-05-10 08:37:34 0 d-------- C:\Program Files\Windows NT
2008-05-09 23:21:34 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-05 19:51:08 0 d-------- C:\Program Files\Furthur
2008-04-28 09:07:47 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Adobe
2008-04-28 09:07:44 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-31 12:00:22 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-31 11:59:02 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Real
2008-03-24 12:21:53 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Apple Computer
2008-03-24 12:20:01 0 d-------- C:\Program Files\Safari


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E9D875E-0C69-473B-83B8-22701B0A919F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320FFAE9-1C3B-4648-AC21-482F85C9F644}]
C:\WINDOWS\system32\khfDtRKc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6881E739-4F52-4FD4-A80A-C47D7A73A62F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88B280F9-5157-4686-8864-6B4A4C29FFE5}]
C:\WINDOWS\system32\geBsrOFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABBEACB6-B231-4681-BE82-D448B81C1735}]
C:\WINDOWS\system32\byXPIxvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB135DFA-BD53-431B-B673-F58B16C0DAD7}]
C:\WINDOWS\system32\hgGayaaY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]
05/12/2008 06:22 PM 52736 --a------ C:\WINDOWS\system32\xxyvsSKA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 12:05 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [09/22/2005 06:29 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"Remote_Agent"="C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe" [10/07/2002 10:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartBanner"=01000000
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}"= C:\WINDOWS\system32\xxyvsSKA.dll [05/12/2008 06:22 PM 52736]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsSKA]
xxyvsSKA.dll 05/12/2008 06:22 PM 52736 C:\WINDOWS\system32\xxyvsSKA.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXPIxvt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background




-- End of Deckard's System Scanner: finished at 2008-05-14 11:12:24 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 511.48 MiB / 207.16 MiB
Pagefile Memory (total/avail): 2529.4 MiB / 2293.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.1 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 38.33 GiB total, 16.02 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
G: is Fixed (FAT32) - 465.65 GiB total, 386.34 GiB free.
H: is Fixed (NTFS) - 149.05 GiB total, 28.34 GiB free.
I: is CDROM (Unformatted)
J: is Fixed (NTFS) - 186.31 GiB total, 12.83 GiB free.
M: is Removable (No Media)

\\.\PHYSICALDRIVE0 - IC35L040AVER07-0 - 38.34 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.33 GiB - C:

\\.\PHYSICALDRIVE2 - ASSMANN Electronic GmbH AB-MED35COMBO-ALU IEEE 1394 SBP2 Device - 186.31 GiB - 1 partition
\PARTITION0 - Installable File System - 186.31 GiB - J:

\\.\PHYSICALDRIVE1 - ST316002 3A SS SCSI Disk Device - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - H:

\\.\PHYSICALDRIVE4 - EPSON Stylus Storage USB Device

\\.\PHYSICALDRIVE3 - SAMSUNG HD501LJ USB Device - 465.76 GiB - 1 partition
\PARTITION0 - Unknown - 465.76 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:LocalSubNet:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\KELLY CASEY\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CASEY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\KELLY CASEY
LOGONSERVER=\\CASEY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Common Files\Sonic Shared\Ligos\GoMotion;C:\Program Files\Common Files\Sonic Shared\Ligos\Decoders;C:\Program Files\Common Files\Sonic Shared\MainConcept;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Sonic\MyDVD;C:\Program Files\etree.org\bin;C:\PROGRA~1\COMMON~1\SONICS~1\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\KELLYC~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\KELLYC~1\LOCALS~1\Temp
USERDOMAIN=CASEY
USERNAME=KELLY CASEY
USERPROFILE=C:\Documents and Settings\KELLY CASEY
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

KELLY CASEY (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{510159FA-01C7-470F-B9EC-FF3653CD897C}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Deskbar --> "C:\Program Files\AOL Deskbar\UNWISE.EXE" /u "C:\Program Files\AOL Deskbar\INSTALL.LOG"
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
ArcSoft ShowBiz --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2070269D-EC38-49E6-8E3E-46B36DA8AE96}\setup.exe" -l0x9 -uninst
ArcSoft Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
BitTornado 0.3.7 --> C:\Program Files\BitTornado\uninst.exe
BitTorrent 3.4.1 --> "C:\Program Files\BitTorrent\uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CD Wave Editor version 1.72 --> "C:\Program Files\CD Wave\unins000.exe"
ColorDesk Photo --> C:\WINDOWS\System32\COLOR\EFICOLOR\CloseApp.exe C:\WINDOWS\uninst.exe -f"C:\Program Files\ColorDesk Utilities\Photo\DeIsL1.isu"
Dazzle Photo Editor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39C5A3E0-31AF-11D6-830E-0050DABBB449}\setup.exe"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Download Accelerator Plus Beta --> C:\PROGRA~1\DAP\UNWISE.EXE C:\PROGRA~1\DAP\INSTALL.LOG
DVC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99B98440-4A0D-11D5-8310-0050DABBB21D}\Setup.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Rebuilder --> "C:\Program Files\DVD-RB\unins000.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EndItAll 2.0 --> "C:\Program Files\EndItAll\unins000.exe"
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\Setup.exe" -l0x9 -SYSTEM
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Stylus Photo RX580 Scanner Driver Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1CA2E5E4-F4FE-44B4-95E9-77523FB95838}\Setup.exe" -l0x9
EPSON Stylus Photo RX580 User's Guide --> C:\Program Files\epson\guide\sprx580_e\uninstall.exe
Exact Audio Copy 0.95b3 --> C:\Program Files\Exact Audio Copy\uninst.exe
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
GearDrivers --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\System32\DeIsL1.isu -c"C:\WINDOWS\System32\\UNINSTALL\UninstWDM.dll"
GIFViewer --> C:\Program Files\DevelCor\GIFViewer\setup.exe /u:GIFViewer
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
Indeo® software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Indeo\Uninst.isu" -c"C:\Program Files\Intel\Indeo\SavedSystemFiles\indounin.dll"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
md5check --> MsiExec.exe /I{D80C3D83-D048-4B06-88A2-5802E3D261D1}
MGI PhotoSuite 8.1 (Remove Only) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\PhotoSuite 8.1\Uninst.isu" -c"C:\Program Files\MGI\PhotoSuite 8.1\CustomUninstall.dll"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{90840409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2000 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
mkw Audio Compression Toolkit --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Michael K. Weise\mkw Audio Compression Toolkit\Uninst.isu"
mkw Runtime Libraries --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Michael K. Weise\mkw Runtime Libraries\Uninst.isu"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Nero 7 Ultra Edition --> MsiExec.exe /X{99D328E0-51DE-465E-9307-B85CA9511033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PowerVCR II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0BA5720-E189-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roland UA-30 D-Out Smoother --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Roland\UA-30 D-Out Smoother\Uninst.isu"
Roxio CDEngine --> C:\WINDOWS\UNENG.EXE
Safari --> MsiExec.exe /I{0AFC9710-5DD6-4C6A-BA52-91AE992B2C9D}
SEKD Red Roaster 24 V5.5 --> C:\SEKD\REDROA~1\UNINST~1.EXE /A C:\SEKD\RedRoaster\Install.log
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SmartFTP --> MsiExec.exe /I{11C762F9-95EA-486A-A8E7-683A50C231C1}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Studio Content CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C643986-DE3C-4737-8472-CCEC36CCC267}\Setup.exe" -l0x9
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SureThing CD Labeler - Stomper Edition 32 bit --> C:\WINDOWS\MVUNINST\App1\unwise.exe C:\WINDOWS\MVUNINST\APP1\INSTALL.LOG "SureThing CD Labeler - Stomper Edition Uninstall"
Trader's Little Helper 2.0.1 --> "C:\Program Files\Trader's Little Helper\Uninstall\unins000.exe"
Ulead DVD MovieFactory 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88F93347-0F9B-4FED-BA71-6C2A4CDFE61D}\setup.exe" -l0x9
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
USB PC Camera (SN9C103) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EADAA6F7-991F-4CE9-B5CE-FCF3D81F7C7D}\Setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Webcast --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{200E0DC2-2223-11D6-830E-0050DABBB449}\Setup.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type535 / Error
Event Submitted/Written: 05/14/2008 11:04:53 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application remoteagent.exe, version 3.0.0.2207, faulting module remoteagent.exe, version 3.0.0.2207, fault address 0x00001dad.
Processing media-specific event for [remoteagent.exe!ws!]

Event Record #/Type530 / Error
Event Submitted/Written: 05/14/2008 07:42:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application remoteagent.exe, version 3.0.0.2207, faulting module remoteagent.exe, version 3.0.0.2207, fault address 0x00001dad.
Processing media-specific event for [remoteagent.exe!ws!]

Event Record #/Type525 / Error
Event Submitted/Written: 05/13/2008 10:05:36 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application remoteagent.exe, version 3.0.0.2207, faulting module remoteagent.exe, version 3.0.0.2207, fault address 0x00001dad.
Processing media-specific event for [remoteagent.exe!ws!]

Event Record #/Type519 / Error
Event Submitted/Written: 05/13/2008 07:03:16 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application remoteagent.exe, version 3.0.0.2207, faulting module remoteagent.exe, version 3.0.0.2207, fault address 0x00001dad.
Processing media-specific event for [remoteagent.exe!ws!]

Event Record #/Type512 / Warning
Event Submitted/Written: 05/13/2008 06:53:50 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{8214CC02-6271-4DC8-B8DD-779933450264}', feature 'SoleFeature' failed during request for component '{22056900-C842-11D1-A0DD-00A0C9054277}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1847 / Error
Event Submitted/Written: 05/14/2008 11:11:07 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The GEARSecurity service has reported an invalid current state 0.

Event Record #/Type1834 / Error
Event Submitted/Written: 05/14/2008 11:04:11 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Conexant TV88X Tuner service failed to start due to the following error:
%%1058

Event Record #/Type1833 / Error
Event Submitted/Written: 05/14/2008 11:04:11 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The %MKEUSB01.SvcDesc% service failed to start due to the following error:
%%2

Event Record #/Type1832 / Error
Event Submitted/Written: 05/14/2008 11:04:11 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Genesys Logic USB Scanner Controller NT 5.0 service failed to start due to the following error:
%%2

Event Record #/Type1813 / Error
Event Submitted/Written: 05/14/2008 07:25:25 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Conexant TV88X Tuner service failed to start due to the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2008-05-14 11:12:24 ------------


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:51 AM

Posted 20 May 2008 - 12:36 PM

Hi Kelly,

I am SifuMike and I will be helping you. :thumbsup:

I found a thread on here about Unremovable Vundo Variant Virtumonde And Lop Etc (Thread t136511.html) and did all the steps but I'm still having the same problem. The Vundo keeps reappearing every time I reconnect to the internet. I have only been able to use Super Antispyware to remove it but like I said it just comes back when I reconnect to the internet.



It is a very bad idea to copy another person's thread, as each infection is unique. Malware experts tailor each fix to the specific infection in that log, so the fixes will not work on your computer.
SDFix is not meant to remove Vundo, as you found out.


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



You need to disable your McAfee Antivirus before running ComboFix, as it will prevent it from running.

To disable McAfee VirusScan:
Please navigate to the system tray in the bottom right-hand corner and look for the McAfee icon.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You have successfully disabled the McAfee Guard.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions, please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT. It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even if you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 20 May 2008 - 12:41 PM.
fix spelling errors

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kcasey

kcasey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 21 May 2008 - 07:11 PM

Thanks so much for getting back to me.

Sorry for following that other thread.

Here is my combofix log:

ComboFix 08-05-21.2 - KELLY CASEY 2008-05-21 18:49:02.1 - NTFSx86
Running from: C:\Documents and Settings\KELLY CASEY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KELLY CASEY\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\netia32.inf
C:\WINDOWS\system32\_000046_.tmp.dll
C:\WINDOWS\system32\cbXRKCTM.dll
C:\WINDOWS\system32\cKRtDfhk.ini
C:\WINDOWS\system32\cKRtDfhk.ini2
C:\WINDOWS\system32\dLUBayay.ini
C:\WINDOWS\system32\dLUBayay.ini2
C:\WINDOWS\system32\gfPYyyay.ini
C:\WINDOWS\system32\gfPYyyay.ini2
C:\WINDOWS\system32\tvxIPXyb.ini
C:\WINDOWS\system32\tvxIPXyb.ini2
C:\WINDOWS\system32\VGgPoUvw.ini
C:\WINDOWS\system32\VGgPoUvw.ini2
C:\WINDOWS\system32\WFOrsBeg.ini
C:\WINDOWS\system32\WFOrsBeg.ini2
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\xxyvsSKA.dll
C:\WINDOWS\system32\YaayaGgh.ini
C:\WINDOWS\system32\YaayaGgh.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-14 11:05 . 2008-05-14 11:05 <DIR> d-------- C:\Deckard
2008-05-14 07:03 . 2008-05-14 07:04 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 07:02 . 2008-05-14 07:32 <DIR> d-------- C:\SDFix
2008-05-13 18:53 . 2008-05-13 19:17 212 --a------ C:\delete.bat
2008-05-13 16:15 . 2008-05-13 16:15 <DIR> d-------- C:\VundoFix Backups
2008-05-12 21:13 . 2008-05-12 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 21:12 . 2008-05-12 21:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 21:12 . 2008-05-12 21:12 <DIR> d-------- C:\Documents and Settings\KELLY CASEY\Application Data\SUPERAntiSpyware.com
2008-05-12 21:11 . 2008-05-12 21:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 17:00 . 2007-11-06 10:01 1,000,744 --a------ C:\WINDOWS\system32\ShellManager10E2D762.dll
2008-05-12 17:00 . 2007-11-05 17:25 642,048 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-05-12 15:27 . 2008-05-12 15:27 <DIR> d-------- C:\Program Files\IObit
2008-05-12 10:03 . 2008-05-12 10:03 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-12 09:51 . 2008-05-12 09:58 <DIR> d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Uniblue
2008-05-10 13:44 . 2008-05-10 13:45 <DIR> d-------- C:\Program Files\BitTornado
2008-05-10 08:37 . 2001-08-18 07:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-05-09 23:16 . 2008-05-09 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-09 13:33 . 2004-08-04 01:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-05-09 13:33 . 2004-08-04 01:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-04-28 23:01 . 2008-04-28 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-28 20:13 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-22 16:59 . 2008-04-22 16:59 <DIR> d-------- C:\Program Files\iTunes
2008-04-22 16:59 . 2008-04-22 16:59 <DIR> d-------- C:\Program Files\iPod
2008-04-22 16:58 . 2008-04-22 16:58 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 23:58 --------- d-----w C:\Program Files\VERITAS Software
2008-05-11 00:40 --------- d-----w C:\Program Files\EPSON Print CD
2008-05-10 15:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 15:13 --------- d-----w C:\Program Files\CyberLink
2008-05-10 14:02 --------- d-----w C:\Program Files\Google
2008-05-10 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-05-10 04:21 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-09 18:13 90,112 ----a-w C:\WINDOWS\DUMP68e0.tmp
2008-05-06 00:51 --------- d-----w C:\Program Files\Furthur
2008-04-28 22:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-28 22:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-28 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 14:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-16 12:00 --------- d-----w C:\Program Files\QuickTime
2008-04-16 11:54 --------- d-----w C:\Program Files\Apple Software Update
2008-03-31 17:00 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-24 17:21 --------- d-----w C:\Documents and Settings\KELLY CASEY\Application Data\Apple Computer
2008-03-24 17:20 --------- d-----w C:\Program Files\Safari
2003-12-23 23:13 49,152 -csha-w C:\Program Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320FFAE9-1C3B-4648-AC21-482F85C9F644}]
C:\WINDOWS\system32\khfDtRKc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88B280F9-5157-4686-8864-6B4A4C29FFE5}]
C:\WINDOWS\system32\geBsrOFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABBEACB6-B231-4681-BE82-D448B81C1735}]
C:\WINDOWS\system32\byXPIxvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB135DFA-BD53-431B-B673-F58B16C0DAD7}]
C:\WINDOWS\system32\hgGayaaY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB69B6D9-D865-4575-8AAB-6943AB0E6E72}]
C:\WINDOWS\system32\yayaBULd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"Remote_Agent"="C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe" [2002-10-07 10:35 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.PIXL"= pclepixl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 17:45:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-12 14:51:45 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-12 14:51:43 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 19:00:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


folder error: C:\DOCUME~1\KELLYC~1\LOCALS~1\Temp\

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\mcafee.com\Agent\Mcdetect.exe
C:\PROGRA~1\mcafee.com\VSO\McShield.exe
C:\PROGRA~1\mcafee.com\Agent\McTskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\VSO\oasclnt.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\mcafee.com\VSO\mcvsshld.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\mcafee.com\VSO\McVSEscn.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-05-21 19:06:49 - machine was rebooted [KELLY CASEY]
ComboFix-quarantined-files.txt 2008-05-22 00:06:30

Pre-Run: 16,913,293,312 bytes free
Post-Run: 16,779,091,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

172 --- E O F --- 2008-05-13 18:00:57

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:51 AM

Posted 21 May 2008 - 10:58 PM

Hi Kelly,

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320FFAE9-1C3B-4648-AC21-482F85C9F644}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88B280F9-5157-4686-8864-6B4A4C29FFE5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABBEACB6-B231-4681-BE82-D448B81C1735}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB135DFA-BD53-431B-B673-F58B16C0DAD7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB69B6D9-D865-4575-8AAB-6943AB0E6E72}]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
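
As an added illustration, not code from this thread, from ComboFix or from BleepingComputer, here is a small Python checker for the two log sections that matter in post #3 above: "Other Deletions" and "Reg Loading Points". It flags Browser Helper Objects the way a helper reading that log would: an eight-letter mixed-case DLL name sitting in system32, and a companion .ini file in the deletions list whose name is the DLL name spelled backwards (the quoted log pairs khfDtRKc.dll with cKRtDfhk.ini, geBsrOFW.dll with WFOrsBeg.ini, and so on for all five BHOs). It also reports the two policy values in that log that lower the machine's defences, "EnableFirewall"= 0 and "DisableMonitoring"=dword:00000001, and renders the flagged keys in the Registry:: syntax of the CFScript in post #4. The sample text is a constructed excerpt built from lines of the quoted log; the RealPlayer BHO entry is the thread's HijackThis O2 line rewritten into ComboFix's key format, included as a benign entry that must not be flagged.

```python
import re

# Constructed excerpts modelled on the ComboFix log quoted in this thread: the
# paths and CLSIDs come from that log; the RealPlayer BHO is the thread's
# HijackThis O2 line rewritten into ComboFix's key format as a benign contrast.
OTHER_DELETIONS = r"""
C:\WINDOWS\system32\cKRtDfhk.ini
C:\WINDOWS\system32\cKRtDfhk.ini2
C:\WINDOWS\system32\WFOrsBeg.ini
C:\WINDOWS\system32\WFOrsBeg.ini2
"""
REG_LOADING_POINTS = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320FFAE9-1C3B-4648-AC21-482F85C9F644}]
C:\WINDOWS\system32\khfDtRKc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88B280F9-5157-4686-8864-6B4A4C29FFE5}]
C:\WINDOWS\system32\geBsrOFW.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

BHO_KEY = re.compile(r"\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
RANDOM_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_reg_loading_points(text):
    """Return (bhos, values): bhos = [(key, clsid, dll_path)], values = {(key_lower, name): text}."""
    bhos, values, current_key, pending_bho = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            m = BHO_KEY.search(line)
            pending_bho = (current_key, m.group("clsid")) if m else None
        elif pending_bho is not None:
            # ComboFix prints the DLL a BHO loads on the line after its key.
            bhos.append((pending_bho[0], pending_bho[1], line))
            pending_bho = None
        else:
            m = VALUE_LINE.match(line)
            if m and current_key is not None:
                values[(current_key.lower(), m.group("name"))] = m.group("value").strip()
    return bhos, values


def flag_bhos(bhos, deleted_listing):
    """Flag BHO DLLs that match the Vundo traits visible in the quoted log: an
    8-letter mixed-case name in system32, and/or a deleted .ini/.ini2 companion
    whose stem is the DLL stem reversed (khfDtRKc.dll <-> cKRtDfhk.ini)."""
    ini_stems = set()
    for line in deleted_listing.splitlines():
        name = basename(line.strip())
        if name.lower().endswith((".ini", ".ini2")):
            ini_stems.add(name.split(".")[0])
    findings = []
    for key, clsid, dll in bhos:
        name = basename(dll)
        stem = name.split(".")[0]
        reasons = []
        mixed_case = stem != stem.lower() and stem != stem.upper()
        if RANDOM_DLL.match(name) and mixed_case and "\\system32\\" in dll.lower():
            reasons.append("8-letter random-looking mixed-case DLL name in system32")
        if stem[::-1] in ini_stems:
            reasons.append("reversed-name .ini companion in Other Deletions")
        if reasons:
            findings.append({"key": key, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


def weak_settings(values):
    """Report the two policy values in the quoted log that weaken the machine's defences."""
    out = []
    for (key, name), value in values.items():
        if name == "EnableFirewall" and value.startswith("0"):
            out.append("Windows Firewall disabled for the standard profile")
        if name == "DisableMonitoring" and value.endswith("00000001") and "mcafee" in key:
            out.append("Security Center monitoring of McAfee AntiVirus disabled")
    return out


def cfscript_registry_section(findings):
    """Render flagged BHO keys in the 'Registry::' deletion syntax used in this thread."""
    return "Registry::\n" + "\n".join(f"[-{f['key']}]" for f in findings) + "\n"


if __name__ == "__main__":
    bhos, values = parse_reg_loading_points(REG_LOADING_POINTS)
    hits = flag_bhos(bhos, OTHER_DELETIONS)
    for f in hits:
        print(f"{f['clsid']} -> {f['dll']}: {'; '.join(f['reasons'])}")
    for w in weak_settings(values):
        print("weak setting:", w)
    print(cfscript_registry_section(hits))
```

Run as-is, the two system32 BHOs are reported with both reasons, the RealPlayer plugin is left alone, both weakened settings are listed, and the Registry:: lines come out in the same form as the CFScript above. As that post says, a CFScript is written for one specific log; the rendering here is for the helper reviewing the log, not a substitute for that review.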

#5 kcasey

kcasey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 22 May 2008 - 07:44 PM

Here ya go. Thanks again



ComboFix 08-05-21.2 - KELLY CASEY 2008-05-22 19:23:14.2 - NTFSx86
Running from: C:\Documents and Settings\KELLY CASEY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KELLY CASEY\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-14 11:05 . 2008-05-14 11:05 <DIR> d-------- C:\Deckard
2008-05-14 07:03 . 2008-05-14 07:04 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 07:02 . 2008-05-14 07:32 <DIR> d-------- C:\SDFix
2008-05-13 18:53 . 2008-05-13 19:17 212 --a------ C:\delete.bat
2008-05-12 21:13 . 2008-05-12 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 21:12 . 2008-05-12 21:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 21:12 . 2008-05-12 21:12 <DIR> d-------- C:\Documents and Settings\KELLY CASEY\Application Data\SUPERAntiSpyware.com
2008-05-12 21:11 . 2008-05-12 21:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 17:00 . 2007-11-06 10:01 1,000,744 --a------ C:\WINDOWS\system32\ShellManager10E2D762.dll
2008-05-12 17:00 . 2007-11-05 17:25 642,048 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-05-12 15:27 . 2008-05-12 15:27 <DIR> d-------- C:\Program Files\IObit
2008-05-12 10:03 . 2008-05-12 10:03 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-12 09:51 . 2008-05-12 09:58 <DIR> d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Uniblue
2008-05-10 13:44 . 2008-05-10 13:45 <DIR> d-------- C:\Program Files\BitTornado
2008-05-10 08:37 . 2001-08-18 07:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-05-09 23:16 . 2008-05-09 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-09 13:33 . 2004-08-04 01:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-05-09 13:33 . 2004-08-04 01:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-04-28 23:01 . 2008-04-28 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-28 20:13 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 23:58 --------- d-----w C:\Program Files\VERITAS Software
2008-05-11 00:40 --------- d-----w C:\Program Files\EPSON Print CD
2008-05-10 15:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 15:13 --------- d-----w C:\Program Files\CyberLink
2008-05-10 14:02 --------- d-----w C:\Program Files\Google
2008-05-10 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-05-10 04:21 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-09 18:13 90,112 ----a-w C:\WINDOWS\DUMP68e0.tmp
2008-05-06 00:51 --------- d-----w C:\Program Files\Furthur
2008-04-28 22:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-28 22:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-28 15:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 14:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-22 21:59 --------- d-----w C:\Program Files\iTunes
2008-04-22 21:59 --------- d-----w C:\Program Files\iPod
2008-04-22 21:58 --------- d-----w C:\Program Files\Bonjour
2008-04-16 12:00 --------- d-----w C:\Program Files\QuickTime
2008-04-16 11:54 --------- d-----w C:\Program Files\Apple Software Update
2008-03-31 17:00 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-24 17:21 --------- d-----w C:\Documents and Settings\KELLY CASEY\Application Data\Apple Computer
2008-03-24 17:20 --------- d-----w C:\Program Files\Safari
2003-12-23 23:13 49,152 -csha-w C:\Program Files\Thumbs.db
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_19.05.56.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 23:59:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 00:27:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"Remote_Agent"="C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe" [2002-10-07 10:35 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.PIXL"= pclepixl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 17:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-22 14:51:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-12 14:51:43 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 19:28:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\mcafee.com\Agent\Mcdetect.exe
C:\PROGRA~1\mcafee.com\VSO\McShield.exe
C:\PROGRA~1\mcafee.com\Agent\McTskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\VSO\oasclnt.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\mcafee.com\VSO\mcvsshld.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\mcafee.com\VSO\McVSEscn.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-05-22 19:36:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 00:35:44
ComboFix2.txt 2008-05-22 00:06:57

Pre-Run: 16,771,112,960 bytes free
Post-Run: 16,752,537,600 bytes free

137 --- E O F --- 2008-05-13 18:00:57




Deckard's System Scanner v20071014.68
Run by KELLY CASEY on 2008-05-22 19:37:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-22 19:38:07
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mcafee.com\Agent\Mcdetect.exe
C:\Program Files\mcafee.com\VSO\McShield.exe
C:\Program Files\mcafee.com\Agent\McTskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\mcafee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\mcafee.com\VSO\mcvsshld.exe
C:\Program Files\mcafee.com\VSO\McVSEscn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\KELLY CASEY\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\mcafee.com\VSO\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} () - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} () - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} () - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - https://stores.musictoday.com/store/nugs.ne...NugsActiveX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} () - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\mcafee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\mcafee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\mcafee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\mcafee.com\Agent\mcupdmgr.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


--
End of file - 8178 bytes

-- Files created between 2008-04-22 and 2008-05-22 -----------------------------

2008-05-21 18:46:52 0 d-------- C:\cmdcons
2008-05-21 18:44:30 68096 --a------ C:\WINDOWS\zip.exe
2008-05-21 18:44:30 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-21 18:44:30 98816 --a------ C:\WINDOWS\sed.exe
2008-05-21 18:44:30 80412 --a------ C:\WINDOWS\grep.exe
2008-05-21 18:44:29 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-21 18:44:29 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-21 18:44:29 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-21 18:44:29 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-14 07:03:45 0 d-------- C:\WINDOWS\ERUNT
2008-05-13 18:53:58 212 --a------ C:\delete.bat
2008-05-12 21:13:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 21:12:16 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 21:12:16 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\SUPERAntiSpyware.com
2008-05-12 21:11:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 15:27:13 0 d-------- C:\Program Files\IObit
2008-05-12 10:09:51 0 dr-h----- C:\Documents and Settings\KELLY CASEY\Recent
2008-05-12 10:03:21 0 d-------- C:\Program Files\Yahoo!
2008-05-12 09:51:48 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Uniblue
2008-05-10 13:44:54 0 d-------- C:\Program Files\BitTornado
2008-05-09 23:16:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-28 23:01:14 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-22 16:59:29 0 d-------- C:\Program Files\iPod
2008-04-22 16:59:06 0 d-------- C:\Program Files\iTunes
2008-04-22 16:58:44 0 d-------- C:\Program Files\Bonjour


-- Find3M Report ---------------------------------------------------------------

2008-05-13 18:58:19 0 d-------- C:\Program Files\VERITAS Software
2008-05-12 21:11:30 0 d-------- C:\Program Files\Common Files
2008-05-12 16:49:36 53 --a------ C:\biosinfo
2008-05-10 19:40:53 0 d-------- C:\Program Files\EPSON Print CD
2008-05-10 10:13:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 10:13:52 0 d-------- C:\Program Files\CyberLink
2008-05-10 09:02:08 0 d-------- C:\Program Files\Google
2008-05-10 08:37:34 0 d-------- C:\Program Files\Windows NT
2008-05-09 23:21:34 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-05 19:51:08 0 d-------- C:\Program Files\Furthur
2008-04-28 09:07:47 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Adobe
2008-04-28 09:07:44 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-16 07:00:18 0 d-------- C:\Program Files\QuickTime
2008-04-16 06:54:30 0 d-------- C:\Program Files\Apple Software Update
2008-03-31 12:00:22 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-31 11:59:02 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Real
2008-03-24 12:21:53 0 d-------- C:\Documents and Settings\KELLY CASEY\Application Data\Apple Computer
2008-03-24 12:20:01 0 d-------- C:\Program Files\Safari


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 12:05 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [09/22/2005 06:29 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"Remote_Agent"="C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe" [10/07/2002 10:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartBanner"=01000000
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background




-- End of Deckard's System Scanner: finished at 2008-05-22 19:38:52 ------------

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:51 AM

Posted 22 May 2008 - 08:38 PM

Hi Kelly,

Your log looks much better. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} () - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} () - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
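
The entries SifuMike asks to have "fix checked" above share a pattern: the "(no file)" and "(file missing)" markers mean the registry hook, toolbar or button points at a file that is no longer on disk, and the two O16 DPF lines are downloaded ActiveX controls with no registered class name. As an added example that is not part of this thread or of HijackThis itself, the Python below parses that log format and pulls out exactly those two groups for review; the sample input is built from lines in this thread (including the two O9 entries that were glued onto one line in the reply), and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# A HijackThis entry is "<code> - <body>"; the code is a section such as R0/R1/R3
# (IE URLs), O2 (BHOs), O3 (toolbars), O9 (IE buttons), O16 (ActiveX .cab), O23 (services).
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")

# Markers HijackThis prints when the file an entry points at is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Forum copy/paste sometimes glues two entries onto one line, e.g.
# "... - (no file)O9 - Extra button: ...". Split before a section code that
# directly follows a closing parenthesis.
GLUED_RE = re.compile(r"(?<=\))(?=[RO]\d{1,2} - )")

# An O16 entry with a registered class name reads "{CLSID} (Name) - http://...".
DPF_NAMED_RE = re.compile(r"\} \([^)]+\) - ")


@dataclass
class Entry:
    code: str  # section code, e.g. "O16"
    body: str  # text after "<code> - "

    @property
    def orphaned(self) -> bool:
        """True when HijackThis could not find the file this entry references."""
        return any(marker in self.body for marker in ORPHAN_MARKERS)

    @property
    def dpf_host(self) -> Optional[str]:
        """Host that served an O16 ActiveX .cab; None for other sections."""
        if self.code != "O16":
            return None
        m = re.search(r"https?://\S+", self.body)
        return urlparse(m.group(0)).hostname if m else None

    @property
    def dpf_unnamed(self) -> bool:
        """O16 control with no class name: DSS prints '()', HijackThis 2.0.2 omits it."""
        return self.code == "O16" and DPF_NAMED_RE.search(self.body) is None


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis output; header lines and process paths are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        for piece in GLUED_RE.split(line.strip()):
            m = ENTRY_RE.match(piece)
            if m:
                entries.append(Entry(m["code"], m["body"]))
    return entries


def orphans(entries: List[Entry]) -> List[Entry]:
    """Hooks, toolbars and buttons whose target file is gone: the 'fix checked' set."""
    return [e for e in entries if e.orphaned]


def unnamed_dpf(entries: List[Entry]) -> List[Entry]:
    """Downloaded ActiveX controls with no class name: review the serving host."""
    return [e for e in entries if e.dpf_unnamed]


# Constructed sample: lines taken from the logs in this thread, including the
# glued O9 line exactly as it appeared in the helper's reply.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} () - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} () - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(f"{len(found)} entries parsed; orphaned entries (target file missing):")
    for e in orphans(found):
        print(f"  {e.code} - {e.body}")
    print("O16 downloads with no class name, by serving host:")
    for e in unnamed_dpf(found):
        print(f"  {e.dpf_host}: {e.body}")
```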

#7 kcasey

kcasey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 23 May 2008 - 10:29 AM

Thank You. I'll be out of town for the holiday. I'll get back with you on Tuesday.

KC

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:51 AM

Posted 23 May 2008 - 11:38 AM

Hi Kelly,

Have a great holiday! :thumbsup: See you Tuesday.

Edited by SifuMike, 23 May 2008 - 11:39 AM.


#9 kcasey

kcasey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 28 May 2008 - 07:01 AM

Sorry, I can't seem to figure out which program I should use. I don't seem to have a "HijackThis" program.

Thank you.



>>Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} () - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} () - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:51 AM

Posted 28 May 2008 - 07:29 AM

Hi kcasey,

This is from the DSS instructions:

4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.


Deckard's System Scanner should have put a HijackThis icon on your desktop. Do you have one?
Did you do a file search for hijackthis.exe?


If you still don't have it, then please download and install the new version by following the instructions here: http://www.download.com/Trend-Micro-Hijack...4-10227353.html

Note that it is unnecessary to uninstall the old version because the new one will be copied to a different folder.

Let it install in the default folder C:\Program Files\Trend Micro\HijackThis

#11 kcasey

kcasey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 29 May 2008 - 06:59 AM

No, I don't have HijackThis. Ran a search and nothing came up.

Tried following your link to install it and it came back "url not found".

>>>>If you still dont have it, then please download and install the new version by following the instructions here: http://www.download.com/Trend-Micro-Hijack...4-10227353.html <<<<

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:51 AM

Posted 29 May 2008 - 10:25 AM

This link will work:
http://www.download.com/Trend-Micro-Hijack...cdlPid=10781312

Let it install in the default folder C:\Program Files\Trend Micro\HijackThis

Edited by SifuMike, 29 May 2008 - 10:26 AM.


#13 kcasey

kcasey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 30 May 2008 - 03:37 PM

OK. I'll give this a try.

Thank you so much. I've been in and out all week and haven't had the time to keep up on this. Thanks for sticking with me.

KC

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:51 AM

Posted 31 May 2008 - 12:57 AM

That is OK, there is no rush. :thumbsup:

#15 kcasey

kcasey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 01 June 2008 - 11:35 AM

OK. Finally did the HijackThis and CCleaner. Computer appears to be running fine. I'll leave my internet connection enabled and see what happens.

Thank you, again.

Here's the log file from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:39 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1108408439\ee\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Remote_Agent] C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX580 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\DOCUME~1\KELLYC~1\LOCALS~1\Temp\E_S36.tmp" /EF "HKCU"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - https://stores.musictoday.com/store/nugs.ne...NugsActiveX.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6446 bytes
