Task + Security Update Disabled And Blocked


  • This topic is locked
14 replies to this topic

#1 Geek7

  • Members
  • 14 posts

Posted 06 June 2008 - 04:07 PM

I have frequent pop ups.. I'm constantly being redirected to different sites when I click on links.. Windows security system keeps saying I have a virus and if I click it, it brings me to an advertisement.. there's a little system warning icon that if I click it brings me to an advertisement.. When I try to use task manager it says it is disabled.. When I try to update my computer errors pop up and it refuses to let me turn on automatic updates.. I can't change my background and it's stuck as a system warning with a link that yet again brings me to an advertisement..

I really don't know what I'm doing.. So, if you would please guide me through every little step, thank you.


~Whatever you need, tell me.

Here's the HijackThis log.. I think I'm supposed to post =/



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:05 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\444.470
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\mrofinu1188.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Compaq_Owner\lsass.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PPStream\ppsap.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\U5S8C9FT\hijackthis[1].exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2A792058-978E-4F35-AFF6-441E36B2F78E} - C:\WINDOWS\system32\xxyyaWnl.dll
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {246d3216-7849-7079-e1c4-eef698e2bb59} - {95bb2e89-6fee-4c1e-9707-94876123d642} - C:\WINDOWS\system32\npecsahq.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B50149A3-0292-469E-B95D-094D435A866e} - C:\WINDOWS\system32\plkugnka.dll (file missing)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {CBA1D8A6-76F8-4094-9EAD-4EDF13FF6973} - C:\WINDOWS\system32\ciod.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {E8FA0CE0-BDAA-4E34-87F5-3B6D8217A0DA} - C:\WINDOWS\system32\khfCrpNh.dll
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Compaq_Owner\lsass.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BMc388a54a] Rundll32.exe "C:\WINDOWS\system32\jktsoejx.dll",s
O4 - HKLM\..\Run: [c0bb96d6] rundll32.exe "C:\WINDOWS\system32\hkcnkfkp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\Program Files\Common Files\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47B863BD-9069-43B1-A1BA-C7B73953697A} (SDD2MS Control) - http://partners.sonypictures.com/activex/m...1109/SDD2MS.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176481952078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: khfCrpNh - C:\WINDOWS\SYSTEM32\khfCrpNh.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O20 - Winlogon Notify:  -  (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11957 bytes
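Logs like the one above are read entry by entry, and the entries that matter here follow a few recognisable patterns. The script below is an added example, not code from the poster or from BleepingComputer: it parses HijackThis-style lines and flags the entry types visible in this log (extra executables on the UserInit chain, system-process names running outside system32, DisableTaskMgr policies, Trusted Zone additions, orphaned Winlogon Notify entries, services with no publisher). The sample lines are copied from the log; the heuristics and name lists are my own assumptions, not HijackThis's rules.

```python
import ntpath
import re
from typing import Optional

# Constructed sample: entries of the kinds that appear in the log above
# (values copied from it), a couple of benign ones included as controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\iftuyszv.exe,
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Compaq_Owner\lsass.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\Program Files\Common Files\svchost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Assumption: these names are only legitimate under %SystemRoot%\system32; the
# same name launched from a user profile or Common Files is a masquerade.
SYSTEM_ONLY_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe",
                     "services.exe", "smss.exe", "csrss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
LEGIT_USERINIT = SYSTEM32 + "userinit.exe"     # the only value UserInit should carry
LOCKOUT_POLICIES = ("DisableTaskMgr=1", "DisableRegistryTools=1")

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 body: "<hive>\..\Run: [name] <command>", command optionally quoted
O4_RE = re.compile(r'^(?P<key>.+?\\Run): \[(?P<name>[^\]]*)\] "?(?P<cmd>[^"]+)"?')


def _exe_path(cmd: str) -> str:
    """Cut a Run-key command down to its executable (drops arguments)."""
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).strip()


def check_entry(section: str, body: str) -> Optional[str]:
    """Return a reason if this HijackThis entry looks suspicious, else None."""
    if section in ("F2", "F3") and "UserInit=" in body:
        chain = [p.strip().lower()
                 for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in chain if p != LEGIT_USERINIT]
        if extra:
            return "UserInit chain adds executables: " + ", ".join(extra)
    elif section == "O4":
        m = O4_RE.match(body)
        if not m:
            return None
        key, path = m.group("key"), _exe_path(m.group("cmd"))
        name = ntpath.basename(path).lower()
        if name in SYSTEM_ONLY_NAMES and not path.lower().startswith(SYSTEM32):
            return f"{name} launched from outside system32: {path}"
        if "policies\\explorer\\run" in key.lower():
            return f"autorun via Policies\\Explorer\\Run (rarely legitimate): {path}"
    elif section == "O7":
        for policy in LOCKOUT_POLICIES:
            if policy in body:
                return f"lockout policy set: {policy}"
    elif section == "O15":
        # Any site pushed into the Trusted Zone deserves a look; it relaxes IE's
        # security settings for that host.
        return "site added to IE Trusted Zone: " + body.split("Trusted Zone: ", 1)[-1]
    elif section == "O20":
        if "(file missing)" in body:
            return "orphaned Winlogon Notify entry: " + body
    elif section == "O23":
        if "Unknown owner" in body:
            return "service with no publisher: " + body
    return None


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return (section, reason) pairs worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers, process list, blank lines
        reason = check_entry(m.group(1), m.group(2))
        if reason:
            findings.append((m.group(1), reason))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```

Paste a full log into `triage()` to get the same list for every entry; the process list and R1/O16 lines pass through unflagged because no rule covers them.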

#2 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 07 June 2008 - 04:05 PM

Hello Geek7 :) Welcome to the BC HijackThis Log and Analysis forum.. I will be assisting you and will need some time to look over your log.


Please advise me of any programs you have already run to try and fix the problems you have encountered. I would also ask that you refrain from running any tools other than those we will ask you to while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Since all of our helpers are volunteers and we are really busy I may be a little slow getting back to you, but don't despair as I won't forget. :thumbsup:

In the meantime please do the following:


Edit: I noticed you are running HJT from a temporary folder. This is not a good idea because we could lose backup info that we may need. Since DSS will download HJT, before you do the install on it go to Add/Remove Programs and delete the version you have and we will let DSS install a new version. Be sure all instances of HJT are removed by going to Start>>Search and do a search for HJT. Delete any instances you find.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

Thanks,

thewall

Edited by thewall, 07 June 2008 - 04:26 PM.

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Geek7
  • Topic Starter

  • Members
  • 14 posts

Posted 07 June 2008 - 07:26 PM

I have done multiple scans/removals with Windows Defender, Malwarebytes' Anti-Malware and SmitfraudFix. That's about it.



Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-06-07 19:54:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
83: 2008-06-07 23:55:01 UTC - RP418 - Deckard's System Scanner Restore Point
82: 2008-06-07 17:21:57 UTC - RP417 - System Checkpoint
81: 2008-06-06 16:37:01 UTC - RP416 - Windows Defender Checkpoint
80: 2008-06-06 09:47:53 UTC - RP415 - Installed Windows Defender
79: 2008-06-05 12:11:34 UTC - RP414 - Last known good configuration


-- First Restore Point --
1: 2008-06-05 12:10:30 UTC - RP336 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-07 19:57:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PPStream\PPSAP.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F0 - win.ini: load=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\iftuyszv.exe,
F3 - REG:win.ini: Load=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\Program Files\iWin Games\iWinGamesHookIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {246d3216-7849-7079-e1c4-eef698e2bb59} - {95bb2e89-6fee-4c1e-9707-94876123d642} - C:\WINDOWS\system32\npecsahq.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B50149A3-0292-469E-B95D-094D435A866e} - C:\WINDOWS\system32\plkugnka.dll (file missing)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {CA05DF22-4CB9-4396-956D-E6B6B7F400D4} - C:\WINDOWS\system32\ciod.dll
O2 - BHO: (no name) - {CBA1D8A6-76F8-4094-9EAD-4EDF13FF6973} - C:\WINDOWS\system32\ciod.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {D5DEF29A-ECF6-4D6C-A8A8-3440D850336E} - C:\WINDOWS\system32\ciod.dll
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\Program Files\Common Files\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: https://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: https://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: https://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://hollywoodfiles.tv (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/5/b...heckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47B863BD-9069-43B1-A1BA-C7B73953697A} (SDD2MS Control) - http://partners.sonypictures.com/activex/m...1109/SDD2MS.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176481952078
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\system32\winmbj32.dll (file missing)
O20 - Winlogon Notify:  - C:\WINDOWS\system32\ (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 12641 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - C:\WINDOWS\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 bb-run (Promise driver accelerator) - c:\windows\system32\drivers\bb-run.sys <Not Verified; Promise Technology, Inc.; Promise Disk Accelerator>
R0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S1 crusoee - c:\windows\system32\drivers\crusoee.sys (file missing)
S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S1 lanmandrv - c:\windows\system32\lanmandrv.sys (file missing)
S3 BOCDRIVE (BOClean Kernel Monitor.) - c:\program files\comodo\cboclean\bocdrive.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 TIEHDUSB - c:\windows\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PlugPlayRPC (Plug and Play (RPC)) - c:\windows\portsv.exe service
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-07 08:21:23 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-05 09:00:01 386 --a------ C:\WINDOWS\Tasks\rpc.job
2008-03-17 20:29:18 356 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1197941289.job
2006-05-20 14:23:37 356 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1136286398.job


-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-07 08:20:14 13056 --a------ C:\WINDOWS\y.exe
2008-06-07 08:20:14 16128 --a------ C:\WINDOWS\x.exe
2008-06-07 08:20:14 21248 --a------ C:\WINDOWS\svchost32.exe
2008-06-07 08:20:14 23040 --a------ C:\WINDOWS\loader.exe
2008-06-07 08:20:13 24576 --a------ C:\WINDOWS\internet.exe
2008-06-07 08:20:13 8192 --a------ C:\WINDOWS\iexplorer.exe
2008-06-07 08:20:13 9984 --a------ C:\WINDOWS\explore.exe
2008-06-06 23:24:54 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-06-06 23:24:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 23:24:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 16:52:19 93184 -----n--- C:\WINDOWS\system32\hkcnkfkp.dll
2008-06-06 16:49:18 108544 --a------ C:\WINDOWS\system32\npecsahq.dll
2008-06-06 12:07:42 30208 --a------ C:\WINDOWS\xplugin.dll
2008-06-06 12:07:39 29184 --a------ C:\WINDOWS\winmgnt.exe
2008-06-06 12:07:34 30464 --a------ C:\WINDOWS\window.exe
2008-06-06 12:07:30 13312 --a------ C:\WINDOWS\winajbm.dll
2008-06-06 12:07:29 24576 --a------ C:\WINDOWS\win64.exe
2008-06-06 12:07:28 26368 --a------ C:\WINDOWS\win32e.exe
2008-06-06 12:07:26 17920 --a------ C:\WINDOWS\waol.exe
2008-06-06 12:07:26 23552 --a------ C:\WINDOWS\users32.exe
2008-06-06 12:07:25 17152 --a------ C:\WINDOWS\time.exe
2008-06-06 12:07:24 26368 --a------ C:\WINDOWS\systemcritical.exe
2008-06-06 12:07:22 16128 --a------ C:\WINDOWS\systeem.exe
2008-06-06 12:07:22 24320 --a------ C:\WINDOWS\olehelp.exe
2008-06-06 12:07:21 17664 --a------ C:\WINDOWS\notepad32.exe
2008-06-06 12:07:20 27904 --a------ C:\WINDOWS\mtwirl32.dll
2008-06-06 12:07:18 30720 --a------ C:\WINDOWS\cpan.dll
2008-06-06 12:07:16 27904 --a------ C:\WINDOWS\clrssn.exe
2008-06-06 12:07:13 32000 --a------ C:\WINDOWS\avpcc.dll
2008-06-06 12:07:07 29184 --a------ C:\WINDOWS\accesss.exe
2008-06-06 12:02:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-06 12:02:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-06 12:02:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Start Menu
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\SendTo
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\PrintHood
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\NetHood
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-06 12:01:59 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-06 12:01:59 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-06 12:01:57 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-06 08:05:51 0 d-------- C:\WINDOWS\system32\4674
2008-06-06 08:05:48 55808 --a------ C:\WINDOWS\portsv.exe
2008-06-06 05:48:03 0 d-------- C:\Program Files\Windows Defender
2008-06-06 05:43:48 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 11:04:53 0 d-------- C:\WINDOWS\system32\vntiho18
2008-06-05 08:20:54 28928 --a------ C:\WINDOWS\svcinit.exe
2008-06-05 08:20:52 29952 --a------ C:\WINDOWS\sistem.exe
2008-06-05 08:20:52 28672 --a------ C:\WINDOWS\searchword.dll
2008-06-05 08:20:51 11776 --a------ C:\WINDOWS\rundll16.exe
2008-06-05 08:20:51 14592 --a------ C:\WINDOWS\quicken.exe
2008-06-05 08:20:50 28160 --a------ C:\WINDOWS\qttasks.exe
2008-06-05 08:20:50 25088 --a------ C:\WINDOWS\mswsc20.dll
2008-06-05 08:20:49 8448 --a------ C:\WINDOWS\mswsc10.dll
2008-06-05 08:20:49 28416 --a------ C:\WINDOWS\msupdate.exe
2008-06-05 08:20:49 27392 --a------ C:\WINDOWS\mssys.exe
2008-06-05 08:20:48 15104 --a------ C:\WINDOWS\msspi.dll
2008-06-05 08:20:48 9472 --a------ C:\WINDOWS\msconfd.dll
2008-06-05 08:20:47 8704 --a------ C:\WINDOWS\inetinf.exe
2008-06-05 08:20:46 12032 --a------ C:\WINDOWS\iedll.exe
2008-06-05 08:20:46 29696 --a------ C:\WINDOWS\helpcvs.exe
2008-06-05 08:20:46 16896 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-05 08:20:46 12032 --a------ C:\WINDOWS\funny.exe
2008-06-05 08:20:45 14848 --a------ C:\WINDOWS\funniest.exe
2008-06-05 08:20:45 8960 --a------ C:\WINDOWS\explorer32.exe
2008-06-05 08:20:45 17664 --a------ C:\WINDOWS\editpad.exe
2008-06-05 08:20:45 32000 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-05 08:20:44 14848 --a------ C:\WINDOWS\directx32.exe
2008-06-05 08:20:44 17408 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-05 08:20:43 15616 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-05 08:10:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-05 08:09:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\Sun
2008-06-05 08:08:55 0 d--hs---- C:\Documents and Settings\LocalService\UserData
2008-06-05 08:06:05 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-05 08:05:58 0 d--hs---- C:\WINDOWS\VmlyZ2luaWEgU2F2aW8
2008-06-05 08:05:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-05 08:05:37 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-05 08:05:35 87513 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media>
2008-06-05 08:05:35 401972 --a------ C:\WINDOWS\system32\g0.exe
2008-06-05 08:05:23 0 d-------- C:\WINDOWS\system32\xrem
2008-06-05 08:05:23 0 d-------- C:\WINDOWS\system32\NMP
2008-06-05 08:05:23 0 d-------- C:\WINDOWS\system32\inet2
2008-06-05 08:05:23 0 d-------- C:\WINDOWS\system32\expo
2008-06-05 08:05:23 0 d-------- C:\WINDOWS\system32\btz
2008-06-05 08:05:23 0 d-------- C:\WINDOWS\system32\105772
2008-06-05 08:05:15 0 d-------- C:\WINDOWS\system32\vntiho05


-- Find3M Report ---------------------------------------------------------------

2008-06-06 14:39:47 0 d-------- C:\Program Files\PPStream
2008-06-06 14:38:50 0 d-------- C:\Program Files\Common Files
2008-06-06 12:54:36 269 --a------ C:\Program Files\Common Files\lavufave
2008-06-06 12:06:44 3080 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-06 11:57:44 21194 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-06-06 10:12:47 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-06-04 21:52:33 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\gtk-2.0
2008-05-11 13:38:36 0 d-------- C:\Program Files\PPMate
2008-05-11 11:36:25 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-05-04 20:25:31 0 d-------- C:\Program Files\LimeWire
2008-05-04 16:25:23 0 d-------- C:\Program Files\MySpace
2008-04-26 05:41:52 142 --a------ C:\Program Files\Common Files\profsysypru.html
2008-04-13 10:42:22 0 d-------- C:\Program Files\iWin.com
2008-04-13 10:25:01 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
03/05/2008 08:48 AM 78848 --a------ C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95bb2e89-6fee-4c1e-9707-94876123d642}]
06/06/2008 04:49 PM 108544 --a------ C:\WINDOWS\system32\npecsahq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B50149A3-0292-469E-B95D-094D435A866e}]
C:\WINDOWS\system32\plkugnka.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA05DF22-4CB9-4396-956D-E6B6B7F400D4}]
03/04/2008 01:50 PM 98048 --a------ C:\WINDOWS\system32\ciod.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBA1D8A6-76F8-4094-9EAD-4EDF13FF6973}]
03/04/2008 01:50 PM 98048 --a------ C:\WINDOWS\system32\ciod.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5DEF29A-ECF6-4D6C-A8A8-3440D850336E}]
03/04/2008 01:50 PM 98048 --a------ C:\WINDOWS\system32\ciod.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/26/2005 01:34 AM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [05/10/2005 08:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [01/12/2007 09:48 PM]
"VX3000"="C:\WINDOWS\vVX3000.exe" [12/05/2006 07:38 PM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/2006 04:24 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/23/2007 12:55 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [01/17/2008 02:48 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"MSI Configuration"="msiconf.exe" []
"SpyShredder"="C:\Program Files\SpyShredder\SpyShredder.exe" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 07:27 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=C:\Program Files\Common Files\svchost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmbj32]
winmbj32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- End of Deckard's System Scanner: finished at 2008-06-07 19:57:59 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3200+
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 702.48 MiB / 347.37 MiB
Pagefile Memory (total/avail): 1718.51 MiB / 1424.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919.6 MiB

C: is Fixed (NTFS) - 68.02 GiB total, 26.89 GiB free.
D: is Fixed (FAT32) - 6.5 GiB total, 1.45 GiB free.
E: is CDROM (Unformatted)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 6.51 GiB - D:
\PARTITION1 (bootable) - Installable File System - 68.02 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
FirewallDisableNotify is set.
AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\DOCUME~1\\COMPAQ~1\\LOCALS~1\\Temp\\win44.tmp.exe"="C:\\DOCUME~1\\COMPAQ~1\\LOCALS~1\\Temp\\win44.tmp.exe:*:Enabled:win44.tmp"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\tnameserv.exe"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\tnameserv.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmid.exe"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmid.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmiregistry.exe"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmiregistry.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\orbd.exe"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\orbd.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe"="C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe:*:Enabled:civserver"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\ShadowFlare\\ShadowFlare.exe"="C:\\Program Files\\ShadowFlare\\ShadowFlare.exe:*:Enabled:ShadowFlare"
"C:\\Program Files\\Freeciv-2.1.0-gtk2\\civserver.exe"="C:\\Program Files\\Freeciv-2.1.0-gtk2\\civserver.exe:*:Enabled:civserver"
"C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPS"
"C:\\Program Files\\PPStream\\PPSAP.exe"="C:\\Program Files\\PPStream\\PPSAP.exe:*:Enabled:PPS "
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\ijji\\ENGLISH\\u_gbound.exe"="C:\\ijji\\ENGLISH\\u_gbound.exe:*:Enabled:<ijji Downloader>"
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\iWin Games\\iWinGames.exe"="C:\\Program Files\\iWin Games\\iWinGames.exe:*:Enabled:iWin Games application."
"C:\\Program Files\\iWin Games\\WebUpdater.exe"="C:\\Program Files\\iWin Games\\WebUpdater.exe:*:Enabled:iWin Games updater."
"C:\\Program Files\\PPMate\\ppamnet.exe"="C:\\Program Files\\PPMate\\ppamnet.exe:*:Enabled:PPMate"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SAVIO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Owner
LOGONSERVER=\\SAVIO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=SAVIO
USERNAME=Compaq_Owner
USERPROFILE=C:\Documents and Settings\Compaq_Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Compaq_Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Ambush Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins001.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Chaos Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins009.exe"
Compaq Connections (remove only) --> C:\WINDOWS\HPCPCUninstall-5577497\HPBWSetup.exe -appid 5577497 -uninstall
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -IAsu200Ck.inf
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
Fireworks Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins005.exe"
Flamethrower Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins002.exe"
FotoSketcher 1.3 --> "C:\Program Files\FotoSketcher 1.3\unins000.exe"
GIMP 2.4.4 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Gold Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins006.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Gravity Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins010.exe"
GTK+ 2.10.6-1 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 1100 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1100 series --> MsiExec.exe /X{01161F64-6897-4885-93A0-A9F7BE9A4253}
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
ijji Auto Installer --> "C:\Program Files\InstallShield Installation Information\{1DCC7418-2089-4BDD-B321-3771956160FC}\setup.exe" -runfromtemp -l0x0009 -removeonly
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
iWin Games (remove only) --> "C:\Program Files\iWin Games\Uninstall.exe"
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_190001_9eab2\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
Magic Match Adventures (remove only) --> "C:\Program Files\iWin.com\Magic Match Adventures\Uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
ManyCam 2.1 (remove only) --> "C:\Program Files\ManyCam 2.1\uninstall.exe"
Meteor Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins004.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft LifeCam --> MsiExec.exe /X{06C32EA0-4A22-4919-979A-8700715865B8}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MONOPOLY HERE & NOW EDITION --> "C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\MONOPOLY HERE & NOW EDITION.rguninst"
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
Nuke Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins003.exe"
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Power Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins007.exe"
PPMate Network TV 2.3.1.76 --> C:\Program Files\PPMate\uninst.exe
PPStream --> C:\Program Files\PPStream\uninst.exe
Pro Media Director Version 1.1.1.1 --> "C:\Program Files\Pelican Performance\Pro Media Director\unins000.exe"
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealArcade --> "c:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "c:\Program Files\RealArcade\Installer\installerMain.clf" "c:\Program Files\RealArcade\Installer\uninstall\RealArcade.rguninst"
Rhymesaurus --> MsiExec.exe /I{D111B077-3083-4F11-8BE8-31C1BB86872D}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Snowball Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins011.exe"
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Super Pack v1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins008.exe"
TI Connect 1.6 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Wal-Mart Digital Photo Manager --> MsiExec.exe /X{C94C253C-069F-4C02-8E5B-C1D056827643}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Wisdom-soft AutoScreenRecorder 2.1 Pro --> C:\PROGRA~1\WISDOM~1\UNWISE.EXE C:\PROGRA~1\WISDOM~1\INSTALL.LOG
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Yahtzee Download Edition --> "c:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "c:\Program Files\RealArcade\Installer\installerMain.clf" "c:\Program Files\RealArcade\Installer\uninstall\Yahtzee Download Edition.rguninst"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6395 / Warning
Event Submitted/Written: 06/07/2008 08:17:11 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6388 / Warning
Event Submitted/Written: 06/07/2008 00:04:31 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6380 / Warning
Event Submitted/Written: 06/06/2008 11:46:07 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6370 / Warning
Event Submitted/Written: 06/06/2008 07:51:19 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6362 / Warning
Event Submitted/Written: 06/06/2008 05:24:45 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9238 / Warning
Event Submitted/Written: 06/07/2008 07:57:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SAVIO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SAVIO27 can't undo changes that you allow.

For more information please see the following:
%SAVIO275

Scan ID: {836D637B-00EF-45E0-8A87-4634ED889DF6}

User: SAVIO\Compaq_Owner

Name: %SAVIO271

ID: %SAVIO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SAVIO276

Alert Type: %SAVIO278

Detection Type: 1.1.1593.02

Event Record #/Type9237 / Warning
Event Submitted/Written: 06/07/2008 07:57:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SAVIO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SAVIO27 can't undo changes that you allow.

For more information please see the following:
%SAVIO275

Scan ID: {C52A1D78-95FC-4061-9825-C1B7A256DEE3}

User: SAVIO\Compaq_Owner

Name: %SAVIO271

ID: %SAVIO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SAVIO276

Alert Type: %SAVIO278

Detection Type: 1.1.1593.02

Event Record #/Type9236 / Warning
Event Submitted/Written: 06/07/2008 07:57:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SAVIO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SAVIO27 can't undo changes that you allow.

For more information please see the following:
%SAVIO275

Scan ID: {583F317D-20BF-4939-8B38-1A6DBAD1F03C}

User: SAVIO\Compaq_Owner

Name: %SAVIO271

ID: %SAVIO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SAVIO276

Alert Type: %SAVIO278

Detection Type: 1.1.1593.02

Event Record #/Type9235 / Warning
Event Submitted/Written: 06/07/2008 07:57:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SAVIO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SAVIO27 can't undo changes that you allow.

For more information please see the following:
%SAVIO275

Scan ID: {D9D068D4-9DC4-4259-AF8D-B139664653B0}

User: SAVIO\Compaq_Owner

Name: %SAVIO271

ID: %SAVIO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SAVIO276

Alert Type: %SAVIO278

Detection Type: 1.1.1593.02

Event Record #/Type9234 / Warning
Event Submitted/Written: 06/07/2008 07:57:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SAVIO27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SAVIO27 can't undo changes that you allow.

For more information please see the following:
%SAVIO275

Scan ID: {E6A17AB3-F107-47E0-8982-3E88323E1FF6}

User: SAVIO\Compaq_Owner

Name: %SAVIO271

ID: %SAVIO272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SAVIO276

Alert Type: %SAVIO278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-06-07 19:57:59 ------------

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:58 PM

Posted 10 June 2008 - 06:47 AM

Hello again Geek7


One or more of the identified infections is a backdoor trojan

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet except for what is needed to carry out this fix. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

For the time being I will proceed on the assumption you wish to clean up your computer. If you do not and would rather reformat or reinstall let me know in your next reply.



I see that you are using a P2P program called PPStream. I must warn you against the use of these programs as they can be sources of infection on your machine. Please read the following article found here put out by the U.S. Government concerning them and the risks which are associated with their use. If you choose to keep it I would ask that you refrain from its use for the duration of our fix so there is no recurrence of infection while we are trying to clean up your computer.


1) You will need to temporarily disable your Windows Defender. It may interfere with our fixes. To do so please perform the following:

* Click Start > Programs > Windows Defender or launch from the system tray icon.
* Click on Tools & Settings > Options.
* Under Real-time protection options, uncheck the "Real-time protection" check box.
* Click Save.
* Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.
* (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)





2) We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.




3) Go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "iWinGamesInstaller". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Now do the same for this service: "MsSecurity Updated " and "Plug and Play".




4) Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).



F3 - REG:win.ini: load=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2A792058-978E-4F35-AFF6-441E36B2F78E} - C:\WINDOWS\system32\xxyyaWnl.dll
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O2 - BHO: {246d3216-7849-7079-e1c4-eef698e2bb59} - {95bb2e89-6fee-4c1e-9707-94876123d642} - C:\WINDOWS\system32\npecsahq.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {B50149A3-0292-469E-B95D-094D435A866e} - C:\WINDOWS\system32\plkugnka.dll (file missing)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {CBA1D8A6-76F8-4094-9EAD-4EDF13FF6973} - C:\WINDOWS\system32\ciod.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Compaq_Owner\lsass.exe
O4 - HKLM\..\Run: [BMc388a54a] Rundll32.exe "C:\WINDOWS\system32\jktsoejx.dll",s
O4 - HKLM\..\Run: [c0bb96d6] rundll32.exe "C:\WINDOWS\system32\hkcnkfkp.dll",b
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\Program Files\Common Files\svchost.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: https://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: https://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: https://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://hollywoodfiles.tv (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: khfCrpNh - C:\WINDOWS\SYSTEM32\khfCrpNh.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O20 - Winlogon Notify: (file missing)
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe



Then close all windows except HijackThis and click Fix Checked.

Restart your computer





Thanks,



thewall

Edited by thewall, 10 June 2008 - 03:29 PM.

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
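
As an added worked example (this is not part of thewall's post, nor any HijackThis or BleepingComputer tooling), here is a small Python triage pass that applies the same judgement calls a helper makes when reading the HijackThis lines above: a UserInit chain with extra binaries, BHOs and Winlogon Notify packages that are unnamed or use random eight-letter DLL names, Run entries that borrow system process names outside system32 or have no path at all, Explorer policy Run keys, Trusted Zone additions, and services with no publisher or a missing binary. The sample log is constructed from entries quoted in the post plus two benign lines; the "random name" and "Windows directory" checks are heuristics chosen for this example, not HijackThis logic.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity reason line")

# Default UserInit value on Windows XP; anything appended runs at every logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"

# Process names malware borrows; the real ones live only in %SystemRoot%\system32.
LOOKALIKE_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}

_RANK = {"high": 0, "medium": 1, "low": 2}


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(filename):
    """Heuristic (assumption, not a rule): eight letters with fewer than three
    vowels, like the generated names in this thread (jktsoejx.dll, hkcnkfkp.dll)."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) == 8 and stem.isalpha() and sum(c in "aeiou" for c in stem.lower()) < 3


def first_executable(command):
    """Return the program part of a Run command, tolerating unquoted paths with spaces."""
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    m = re.match(r'(.+?\.(?:exe|dll|com|scr))(?:\s|$)', command, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def triage_line(line):
    line = line.strip()
    low = line.lower()
    tag = line.split(" - ", 1)[0]
    found = []

    if tag == "F2" and "userinit=" in low:
        value = low.split("userinit=", 1)[1]
        if value != EXPECTED_USERINIT:
            extras = [p for p in value.split(",") if p and p + "," != EXPECTED_USERINIT]
            found.append(Finding("high", "UserInit chain loads extra binaries: " + ", ".join(extras), line))

    elif tag == "O2":
        if "(no file)" in low or "(file missing)" in low:
            found.append(Finding("low", "orphaned BHO registration (no DLL on disk)", line))
        elif "(no name)" in low or looks_random(basename(low)):
            found.append(Finding("high", "unnamed or randomly named BHO with DLL present", line))

    elif tag == "O4":
        command = line.split("] ", 1)[1] if "] " in line else ""
        exe = first_executable(command)
        exe_low = exe.lower()
        name = basename(exe_low)
        if "policies\\explorer\\run" in low:
            found.append(Finding("high", "autostart via Explorer policy Run key", line))
        if name in LOOKALIKE_NAMES and "\\system32\\" not in exe_low:
            found.append(Finding("high", "system process name outside system32: " + exe, line))
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', low)
        if m and looks_random(basename(m.group(1))):
            found.append(Finding("high", "rundll32 loads randomly named DLL: " + m.group(1), line))
        tail = exe_low.split("\\windows\\", 1)
        if len(tail) == 2 and "\\" not in tail[1]:
            found.append(Finding("medium", "executable dropped directly in the Windows directory: " + exe, line))
        if exe and "\\" not in exe and name != "rundll32.exe":
            found.append(Finding("medium", "Run entry without a path, resolved via PATH: " + exe, line))

    elif tag == "O15":
        found.append(Finding("medium", "site added to IE Trusted Zone", line))

    elif tag == "O20":
        if "(file missing)" in low:
            found.append(Finding("low", "orphaned Winlogon Notify package", line))
        elif looks_random(basename(low)):
            found.append(Finding("high", "Winlogon Notify DLL with random name", line))

    elif tag == "O23":
        if "unknown owner" in low or "(file missing)" in low:
            found.append(Finding("high", "service with no publisher or missing binary", line))

    return found


def triage(log_text):
    """Run every line through triage_line and return findings, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            findings.extend(triage_line(raw))
    return sorted(findings, key=lambda f: _RANK[f.severity])


# Constructed sample: entries quoted from the post above plus two benign lines (ctfmon, iWin).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {2A792058-978E-4F35-AFF6-441E36B2F78E} - C:\WINDOWS\system32\xxyyaWnl.dll
O2 - BHO: {246d3216-7849-7079-e1c4-eef698e2bb59} - {95bb2e89-6fee-4c1e-9707-94876123d642} - C:\WINDOWS\system32\npecsahq.dll
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Compaq_Owner\lsass.exe
O4 - HKLM\..\Run: [BMc388a54a] Rundll32.exe "C:\WINDOWS\system32\jktsoejx.dll",s
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\Program Files\Common Files\svchost.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: khfCrpNh - C:\WINDOWS\SYSTEM32\khfCrpNh.dll
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (f.severity, f.reason, f.line))
```

On the sample above the script reports nine high, two medium and one low finding and stays silent on the ctfmon and iWin lines. The point of the severities is ordering, not verdicts: an orphaned "(no file)" BHO is housekeeping, while an extra binary in the UserInit chain or a service with "Unknown owner" is what makes a helper reach for ComboFix first.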

#5 Geek7

Geek7
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 10 June 2008 - 03:45 PM

Everything is running perfectly now. THANK YOU! :thumbsup:

There was a little scare where my audio wasn't working.. but after like 30 mins to an hour it just magically turned on and has been working ever since. :)

~You're the best. :)

Oh, and the logs you wanted to check are just below.



ComboFix 08-06-09.7 - Compaq_Owner 2008-06-10 15:21:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.428 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Compaq_Owner\Application Data\Adssite Advanced Toolbar\advertbuttons.xml
C:\Documents and Settings\Compaq_Owner\Application Data\Adssite Advanced Toolbar\selected.xml
C:\Documents and Settings\Compaq_Owner\Application Data\ASKS~1
C:\Documents and Settings\Compaq_Owner\Application Data\FunWebProducts
C:\Program Files\Adssite Advanced Toolbar
C:\Program Files\Common Files\{C0BB9~1
C:\Program Files\MalwareWiped 6.9
C:\Program Files\MalwareWiped 6.9\ignorelist.dat
C:\Program Files\MalwareWiped 6.9\malwarewipe.ini
C:\Program Files\outlook
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\BMc388a54a.xml
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\IA
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\4674\24630.dll
C:\WINDOWS\system32\eslyeewa.ini
C:\WINDOWS\system32\hkcnkfkp.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\onglkmkb.ini
C:\WINDOWS\system32\pavunryv.ini
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.bak2
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\uttss.tmp
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_lanmandrv


((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-10 11:15 . 2008-06-10 11:15 2,855 --a------ C:\WINDOWS\rundll16.PIF
2008-06-10 11:05 . 2008-06-10 11:05 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Uniblue
2008-06-07 19:54 . 2008-06-07 19:54 <DIR> d-------- C:\Deckard
2008-06-06 23:24 . 2008-06-06 23:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 23:24 . 2008-06-06 23:24 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-06-06 23:24 . 2008-06-06 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 23:24 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 23:24 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 12:02 . 2005-08-08 18:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-06 12:02 . 2005-08-08 18:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-06 12:01 . 2005-08-08 18:50 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-06 12:01 . 2005-08-08 19:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-06 12:01 . 2005-08-08 18:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-06 12:01 . 2008-06-06 12:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-06 08:05 . 2008-06-10 15:24 <DIR> d-------- C:\WINDOWS\system32\4674
2008-06-06 08:05 . 2008-06-06 08:05 55,808 --a------ C:\WINDOWS\portsv.exe
2008-06-06 05:43 . 2008-06-06 05:43 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 11:04 . 2008-06-05 11:04 <DIR> d-------- C:\WINDOWS\system32\vntiho18
2008-06-05 08:08 . 2008-06-05 08:08 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-05-20 17:13 . 2008-05-20 17:13 32,768 --a------ C:\WINDOWS\system32\vntiho18\vntiho182328.exe
2008-05-10 10:06 . 2008-06-06 23:47 268 --ah----- C:\sqmdata19.sqm
2008-05-10 10:06 . 2008-06-06 23:47 244 --ah----- C:\sqmnoopt19.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 17:43 --------- d-----w C:\Program Files\iWin Games
2008-06-10 14:51 --------- d-----w C:\Program Files\RealArcade
2008-06-10 14:38 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-06-10 10:45 21,374 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-06-08 01:58 --------- d-----w C:\Program Files\PPStream
2008-06-06 16:54 269 ----a-w C:\Program Files\Common Files\lavufave
2008-06-06 16:06 3,080 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-05 12:05 87,513 ----a-w C:\WINDOWS\system32\iftuyszv.exe
2008-06-05 12:05 401,972 ----a-w C:\WINDOWS\system32\g0.exe
2008-06-05 01:52 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\gtk-2.0
2008-05-11 17:38 --------- d-----w C:\Program Files\PPMate
2008-05-11 15:36 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-05-06 15:03 98,292 ----a-w C:\WINDOWS\b149.exe.bin
2008-05-05 00:25 --------- d-----w C:\Program Files\LimeWire
2008-05-04 20:25 --------- d-----w C:\Program Files\MySpace
2008-04-26 09:41 142 ----a-w C:\Program Files\Common Files\profsysypru.html
2008-04-18 20:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Friends Games
2008-04-13 14:42 --------- d-----w C:\Program Files\iWin.com
2008-04-13 14:25 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-04-13 14:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-18 14:35 14 ----a-w C:\Documents and Settings\Compaq_Owner\getfile.dat
2006-09-11 14:00 261 -c-ha-w C:\Program Files\hpothb07.tif
2006-09-11 14:00 153 -c-ha-w C:\Program Files\hpothb07.dat
2006-09-11 14:00 0 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
.

------- Sigcheck -------

2005-03-14 04:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2005-03-14 03:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-02-16 18:01 360064 01307b76a916a8f6d1f1452744ba7ad6 C:\WINDOWS\system32\backup\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95bb2e89-6fee-4c1e-9707-94876123d642}]
C:\WINDOWS\system32\npecsahq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B50149A3-0292-469E-B95D-094D435A866e}]
C:\WINDOWS\system32\plkugnka.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA05DF22-4CB9-4396-956D-E6B6B7F400D4}]
C:\WINDOWS\system32\ciod.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBA1D8A6-76F8-4094-9EAD-4EDF13FF6973}]
C:\WINDOWS\system32\ciod.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5DEF29A-ECF6-4D6C-A8A8-3440D850336E}]
C:\WINDOWS\system32\ciod.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 12:55 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-01-17 02:48 171168]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpyEmergency"="C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergency.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 20:50 253952]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 09:11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 21:48 275800]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-12-05 19:38 707360]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmbj32]
winmbj32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.444p"= C:\Program Files\t@b\0.958\686\tabdec.dll
"midi1"= dosx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\tnameserv.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmid.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmiregistry.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\orbd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38270:TCP"= 38270:TCP:@xpsp2res.dll,-22005
"44821:TCP"= 44821:TCP:@xpsp2res.dll,-22005
"33208:TCP"= 33208:TCP:@xpsp2res.dll,-22005
"36631:TCP"= 36631:TCP:@xpsp2res.dll,-22005

R2 iWinGamesInstaller;iWinGamesInstaller;C:\Program Files\iWin Games\iWinGamesInstaller.exe [2008-03-05 08:49]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 18:13]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2007-03-22 08:17]
S1 crusoee;crusoee;C:\WINDOWS\system32\drivers\crusoee.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2006-05-20 18:23:37 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1136286398.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-18 00:29:18 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1197941289.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-06-05 13:00:01 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 15:28:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-10 15:37:05 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-06-10 19:37:01

Pre-Run: 28,643,033,088 bytes free
Post-Run: 28,587,814,912 bytes free

296 --- E O F --- 2008-05-28 13:09:31




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:26 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CA05DF22-4CB9-4396-956D-E6B6B7F400D4} - C:\WINDOWS\system32\ciod.dll (file missing)
O2 - BHO: (no name) - {D5DEF29A-ECF6-4D6C-A8A8-3440D850336E} - C:\WINDOWS\system32\ciod.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpyEmergency] C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergency.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47B863BD-9069-43B1-A1BA-C7B73953697A} (SDD2MS Control) - http://partners.sonypictures.com/activex/m...1109/SDD2MS.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176481952078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7810 bytes

Edited by Geek7, 11 June 2008 - 12:17 PM.
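The HijackThis log above is read entry type by entry type: O2/O3 items whose file is gone, an O20 Winlogon Notify package with a missing DLL, O4 autostarts under the SYSTEM hive, and so on. The script below is an added example (not part of this thread and not HijackThis code) that applies those checks mechanically to a log. The severity rules are the editor's own heuristics, and the sample lines are constructed to mirror the entries posted above.

```python
"""Line-by-line triage of a HijackThis v2 log.

Added example: the severity rules below are the editor's own heuristics for
the entry types that appear in this thread (O2/O3 orphaned COM objects,
O20 Winlogon Notify, O4 autostarts, O16 downloaded ActiveX).  HijackThis
itself records entries without scoring them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis v2.0.2 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {CA05DF22-4CB9-4396-956D-E6B6B7F400D4} - C:\WINDOWS\system32\ciod.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    entry: str      # the log line that triggered the rule
    reason: str


SECTION_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - ")
MISSING_RE = re.compile(r"\((no file|file missing)\)\s*$")
SYSTEM_HIVE_RE = re.compile(r"^O4 - HKUS\\(S-1-5-18|\.DEFAULT)\\")
WINROOT_EXE_RE = re.compile(r"(?i)\bC:\\WINDOWS\\[^\\]+\.exe\b")
REMOTE_CAB_RE = re.compile(r"(?i) - https?://\S+\.cab\s*$")


def classify(line: str) -> Optional[Finding]:
    """Apply the rules to one log line; None means nothing fired."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    section = m.group(1)
    if section == "O20" and MISSING_RE.search(line):
        # Winlogon Notify DLLs are loaded into winlogon.exe at logon. A
        # registration whose DLL is gone is usually what a half-removed
        # infection leaves behind, and the key itself still needs deleting.
        return Finding("high", line, "Winlogon Notify package registered but its DLL is missing")
    if section in ("O2", "O3") and MISSING_RE.search(line):
        # IE keeps trying to load the CLSID at every start; harmless by itself,
        # but it marks where a removed component was registered.
        return Finding("medium", line, "orphaned BHO/toolbar registration (file missing)")
    if section == "O4" and SYSTEM_HIVE_RE.match(line):
        # Run keys under S-1-5-18 (SYSTEM) or .DEFAULT fire before any user
        # logs on; a desktop application has no business there.
        return Finding("medium", line, "user application autostarted under the SYSTEM/.DEFAULT hive")
    if section == "O4" and WINROOT_EXE_RE.search(line):
        # Some vendors drop helpers directly in C:\WINDOWS, but so does
        # malware; check the publisher before trusting it.
        return Finding("low", line, "autostart runs an EXE from the Windows root directory")
    if section == "O16" and REMOTE_CAB_RE.search(line):
        return Finding("low", line, "ActiveX control was installed from a remote .cab")
    return None


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.entry}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

Run against the constructed sample it reports one high (the O20 entry), four medium and two low findings; a rule that fires on a legitimate entry (the VX3000 helper is a webcam driver component) is meant to prompt a publisher check, not a deletion.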


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:58 PM

Posted 11 June 2008 - 04:36 PM

Everything is running perfectly now. THANK YOU!

There was a little scare where my audio wasn't working.. but after like 30 mins to an hour it just magically turned on and has been working ever since.

~You're the best.




Thank you! We have a team here that is very supportive of the ones who are still in training such as myself. They are working behind the scenes to ensure that everything is put together correctly for the fixes.

There are still some things that we need to take care of so hang in here with me while I look over the logs you posted. We want to make sure that we have all the baddies because if they are still present somewhere on the machine it's only a matter of time before they will show up again.

I'll be back with you just as soon as I peruse what you have posted and put together the next thing we need to do.


Thanks,

thewall

Edited by thewall, 11 June 2008 - 04:41 PM.

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 Geek7

Geek7
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 14 June 2008 - 02:17 PM

Alrighty then!

Good luck with the training, by the way.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:58 PM

Posted 20 June 2008 - 05:37 AM

Hello Geek7, I apologize for the delay. Some technical difficulties hampered us, which slowed our work on your fix.


There are still some things we need to do in the cleaning process, so here's what's next:



1) Close any open browsers.

2) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3) Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\g0.exe
C:\WINDOWS\b149.exe.bin
C:\Program Files\Common Files\profsysypru.html
C:\WINDOWS\rundll16.PIF
C:\Program Files\iWin.com
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\system32\drivers\crusoee.sys

Folder::
C:\WINDOWS\system32\vntiho18
C:\Program Files\iWin Games
C:\Program Files\Common Files\lavufave

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95bb2e89-6fee-4c1e-9707-94876123d642}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B50149A3-0292-469E-B95D-094D435A866e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA05DF22-4CB9-4396-956D-E6B6B7F400D4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBA1D8A6-76F8-4094-9EAD-4EDF13FF6973}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5DEF29A-ECF6-4D6C-A8A8-3440D850336E}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmbj32]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-
"Uniblue RegistryBooster 2"=-
"SpyEmergency"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SNM"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmbj32]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iWin Games\\iWinGames.exe"=-
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=-


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




4) Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.





5) Jotti File Submission:
  • Please go to Jotti's malware scan http://virusscan.jotti.org/
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
  • dosx.dll
  • Click on the submit button
  • Please post the results in your next reply.

Go here: Jotti
Using the 'Browse' button, browse to:
c:\windows\system32\dosx.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
Virus Total
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\dvdplay.exe
Then click on 'Send'.
Post the results into your next reply.




Please post both logs in your next reply as well as letting me know of any changes on your computer.




Thanks,




thewall
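The CFScript above is a small declarative language: File:: and Folder:: list paths ComboFix will delete, and under Registry:: a line of the form [-KEY] deletes a whole key, a plain [KEY] selects a key, and each following "name"=- deletes that value from the selected key. Because the script is assembled by hand, it is worth reading it back as a list of concrete actions before it runs. The parser below is an added example (not ComboFix's own code); it covers only those three sections, rejects lines it cannot account for, and reports directives listed twice, as the winmbj32 Winlogon Notify key is in the script above. The sample script is a constructed, abridged copy of the one posted.

```python
"""Parser and sanity checker for a ComboFix CFScript.

Added example, not ComboFix's own code.  It covers only the three section
headers the script above uses: File:: and Folder:: list paths to delete; in
Registry:: a line [-KEY] deletes the whole key, a line [KEY] selects a key
and each following "name"=- deletes that value from it (REGEDIT4 rules, so
a doubled backslash inside the quotes is one backslash).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an abridged version of the script posted above.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\drivers\crusoee.sys

Folder::
C:\Program Files\iWin Games

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA05DF22-4CB9-4396-956D-E6B6B7F400D4}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmbj32]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"=-
"SpyEmergency"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmbj32]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iWin Games\\iWinGames.exe"=-
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_DELETE_RE = re.compile(r'^"(.+)"=-$')


@dataclass(frozen=True)
class Action:
    kind: str                   # delete_file | delete_folder | delete_key | delete_value
    target: str                 # file or folder path, or registry key
    name: Optional[str] = None  # value name, for delete_value only


def parse_cfscript(text: str) -> List[Action]:
    """Translate the script into the concrete actions it asks ComboFix to take.

    Raises ValueError on any line this parser cannot account for: a typo in
    a cleanup script should be caught before it runs, not after."""
    actions: List[Action] = []
    section: Optional[str] = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "File":
            actions.append(Action("delete_file", line))
        elif section == "Folder":
            actions.append(Action("delete_folder", line))
        elif section == "Registry":
            km = KEY_RE.match(line)
            vm = VALUE_DELETE_RE.match(line)
            if km and km.group(1) == "-":
                actions.append(Action("delete_key", km.group(2)))
                current_key = None
            elif km:
                current_key = km.group(2)
            elif vm and current_key:
                # REGEDIT4 escaping: a doubled backslash in the quoted name is one backslash.
                actions.append(Action("delete_value", current_key, vm.group(1).replace("\\\\", "\\")))
            else:
                raise ValueError(f"Registry:: line not understood or no key selected: {line}")
        else:
            raise ValueError(f"line outside any section: {line}")
    return actions


def count_by_kind(actions: List[Action]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


def duplicates(actions: List[Action]) -> List[Action]:
    """Directives listed more than once: harmless to ComboFix, but a sign the
    script was assembled by hand and deserves a second read."""
    seen, dupes = set(), []
    for a in actions:
        if a in seen and a not in dupes:
            dupes.append(a)
        seen.add(a)
    return dupes


if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_SCRIPT)
    for a in acts:
        print(a.kind, a.target, a.name or "")
    print(count_by_kind(acts), "duplicates:", len(duplicates(acts)))
```

The parser deliberately refuses a "name"=- line that appears before any [KEY] has been selected, because there is no way to know which key the author meant; that is the kind of slip that turns a targeted value deletion into a no-op or, worse, hits the wrong hive.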

#9 Geek7

Geek7
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:58 PM

Posted 20 June 2008 - 12:34 PM

My computer hasn't changed.. that I know of.. It's a family computer, so if anyone downloaded anything, I wasn't aware of it.

I couldn't get the log for the dosx.dll or dvdplay.exe...

Neither website would work.. it said the file was 0 KB or the file didn't exist... and I tried to search for it on my computer and the file wasn't detected.

I put in the two logs.. and then after that is a copy of the message they gave me when I tried to submit dvdplay.exe



ComboFix 08-06-09.7 - Compaq_Owner 2008-06-20 12:05:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.443 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\profsysypru.html
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\iWin.com
C:\WINDOWS\b149.exe.bin
C:\WINDOWS\portsv.exe
C:\WINDOWS\rundll16.PIF
C:\WINDOWS\system32\drivers\crusoee.sys
C:\WINDOWS\system32\g0.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\tmp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Compaq_Owner\Application Data\Microsoft\dtsc
C:\Documents and Settings\Compaq_Owner\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\Compaq_Owner\Application Data\SEMBLY~1
C:\Documents and Settings\Compaq_Owner\err.log
C:\Program Files\Common Files\lavufave\
C:\Program Files\Common Files\profsysypru.html
C:\Program Files\iWin Games
C:\Program Files\iWin Games\AdminWorker.exe
C:\Program Files\iWin Games\firefox\chrome\iwinarcade.jar
C:\Program Files\iWin Games\firefox\install.rdf
C:\Program Files\iWin Games\firefox\iWinArcadeLauncher.exe
C:\Program Files\iWin Games\ftdownload.dat
C:\Program Files\iWin Games\host.cfg
C:\Program Files\iWin Games\iWinGames.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\iWin Games\pages\alert32x32.gif
C:\Program Files\iWin Games\pages\iwin_logo.gif
C:\Program Files\iWin Games\pages\maintenance.html
C:\Program Files\iWin Games\pages\offline_tag.gif
C:\Program Files\iWin Games\pages\offlineBg.gif
C:\Program Files\iWin Games\sounds\animation.wav
C:\Program Files\iWin Games\sounds\animationBack.wav
C:\Program Files\iWin Games\sounds\button_click.wav
C:\Program Files\iWin Games\sounds\download_completed.wav
C:\Program Files\iWin Games\sounds\start.wav
C:\Program Files\iWin Games\Uninstall.exe
C:\Program Files\iWin Games\WebInstaller.exe
C:\Program Files\iWin Games\WebUpdater.bmp
C:\Program Files\iWin Games\WebUpdater.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b149.exe.bin
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\portsv.exe
C:\WINDOWS\rundll16.PIF
C:\WINDOWS\system32\g0.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\vntiho18
C:\WINDOWS\system32\vntiho18\vntiho182328.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Legacy_iWinGamesInstaller
-------\Service_iWinGamesInstaller


((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-17 23:27 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-17 23:27 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-17 23:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-17 23:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-14 10:36 . 2008-06-14 10:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-14 10:25 . 2008-06-14 10:25 <DIR> d-------- C:\WINDOWS\system32\stk
2008-06-14 10:25 . 2008-06-14 10:25 <DIR> d-------- C:\WINDOWS\system32\netrax06
2008-06-14 10:25 . 2008-06-14 10:25 <DIR> d-------- C:\WINDOWS\system32\mgi
2008-06-14 10:25 . 2008-06-14 10:25 <DIR> d-------- C:\WINDOWS\system32\1039a
2008-06-14 10:25 . 2008-06-14 10:25 <DIR> d-------- C:\Temp\itmp4
2008-06-11 06:47 . 2008-06-11 06:47 <DIR> d-------- C:\WINDOWS\system32\FinePointLib
2008-06-10 16:15 . 2008-06-10 16:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-10 11:05 . 2008-06-10 11:05 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Uniblue
2008-06-07 22:16 . 2008-06-07 22:16 32,768 --a------ C:\WINDOWS\system32\netrax06\netrax061083.exe
2008-06-07 19:54 . 2008-06-07 19:54 <DIR> d-------- C:\Deckard
2008-06-06 23:24 . 2008-06-06 23:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 23:24 . 2008-06-06 23:24 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-06-06 23:24 . 2008-06-06 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 23:24 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 23:24 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 12:02 . 2005-08-08 18:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-06 12:02 . 2005-08-08 18:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-06 12:01 . 2005-08-08 18:50 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-06 12:01 . 2005-08-08 19:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-06 12:01 . 2005-08-08 18:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-06 12:01 . 2008-06-06 12:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-06 08:05 . 2008-06-10 15:24 <DIR> d-------- C:\WINDOWS\system32\4674
2008-06-06 05:43 . 2008-06-06 05:43 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 08:08 . 2008-06-05 08:08 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-06-05 08:05 . 2008-06-14 10:45 <DIR> d--hs---- C:\WINDOWS\VmlyZ2luaWEgU2F2aW8
2008-06-05 08:05 . 2008-06-05 08:05 <DIR> d-------- C:\WINDOWS\system32\xrem
2008-06-05 08:05 . 2008-06-07 08:16 <DIR> d-------- C:\WINDOWS\system32\vntiho05
2008-06-05 08:05 . 2008-06-05 08:05 <DIR> d-------- C:\WINDOWS\system32\NMP
2008-06-05 08:05 . 2008-06-07 08:16 <DIR> d-------- C:\WINDOWS\system32\inet2
2008-06-05 08:05 . 2008-06-05 08:05 <DIR> d-------- C:\WINDOWS\system32\expo
2008-06-05 08:05 . 2008-06-06 14:35 <DIR> d-------- C:\WINDOWS\system32\btz
2008-06-05 08:05 . 2008-06-06 14:35 <DIR> d-------- C:\WINDOWS\system32\105772
2008-06-05 08:05 . 2008-06-14 10:25 30,728 --a------ C:\WINDOWS\444.470

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 16:03 21,500 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-06-19 13:26 --------- d-----w C:\Program Files\PPStream
2008-06-18 20:15 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\ppstream
2008-06-14 19:55 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-06-11 10:48 155,995 ----a-w C:\WINDOWS\java\Packages\2SCYTR75.ZIP
2008-06-10 14:51 --------- d-----w C:\Program Files\RealArcade
2008-06-06 16:54 269 ----a-w C:\Program Files\Common Files\lavufave
2008-06-05 01:52 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\gtk-2.0
2008-05-11 17:38 --------- d-----w C:\Program Files\PPMate
2008-05-11 15:36 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-05-05 00:25 --------- d-----w C:\Program Files\LimeWire
2008-05-04 20:25 --------- d-----w C:\Program Files\MySpace
2008-02-18 14:35 14 ----a-w C:\Documents and Settings\Compaq_Owner\getfile.dat
2006-09-11 14:00 261 -c-ha-w C:\Program Files\hpothb07.tif
2006-09-11 14:00 153 -c-ha-w C:\Program Files\hpothb07.dat
2006-09-11 14:00 0 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-07-29 20:24 472 --sha-r C:\WINDOWS\VmlyZ2luaWEgU2F2aW8\pA5VtZ5RuqH0oZIZuqf.vbs
.

------- Sigcheck -------

2005-03-14 04:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2005-03-14 03:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-02-16 18:01 360064 01307b76a916a8f6d1f1452744ba7ad6 C:\WINDOWS\system32\backup\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-10_15.36.50.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 19:27:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 16:12:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2003-02-28 21:35:26 6,550 -c--a-w C:\WINDOWS\jautoexp.dat
+ 2001-01-12 20:10:24 6,550 ----a-w C:\WINDOWS\jautoexp.dat
+ 2008-06-11 10:48:08 2,678 ----a-w C:\WINDOWS\java\Packages\Data\5VTZXJJ9.DAT
+ 2008-06-11 10:48:10 2,678 ----a-w C:\WINDOWS\java\Packages\Data\A75ZHBBR.DAT
+ 2008-06-11 10:48:08 2,678 ----a-w C:\WINDOWS\java\Packages\Data\C5RZ1B1R.DAT
+ 2008-06-11 10:48:07 2,678 ----a-w C:\WINDOWS\java\Packages\Data\E4BDF75R.DAT
+ 2008-06-11 10:48:11 2,232 ----a-w C:\WINDOWS\java\Packages\Data\H3D7P7D7.DAT
+ 2008-06-11 10:48:07 2,678 ----a-w C:\WINDOWS\java\Packages\Data\M5VT7R17.DAT
+ 2007-08-14 21:22:50 25,105 ----a-w C:\WINDOWS\system32\1039a\atrdinac.exe
+ 2001-01-12 22:04:06 49,424 ----a-w C:\WINDOWS\system32\clspack.exe
+ 2001-01-12 20:09:58 313,856 ----a-w C:\WINDOWS\system32\dx3j.dll
+ 2003-07-29 21:40:08 98,304 ----a-w C:\WINDOWS\system32\FinePointLib\DetectAC.dll
+ 2002-11-18 21:54:52 79,029 ----a-w C:\WINDOWS\system32\FinePointLib\DetectAC2000.sys
+ 2002-11-21 19:42:14 51,800 ----a-w C:\WINDOWS\system32\FinePointLib\DetectACNT.sys
+ 2002-11-21 19:43:10 53,903 ----a-w C:\WINDOWS\system32\FinePointLib\Poet95.sys
+ 2002-10-21 16:40:44 46,930 ----a-w C:\WINDOWS\system32\FinePointLib\VPNic95.sys
+ 2003-01-16 22:45:20 258,048 ----a-w C:\WINDOWS\system32\FinePointLib\vzNetDetectEx.exe
+ 2003-07-29 21:39:54 217,088 ----a-w C:\WINDOWS\system32\FinePointLib\WrSetupUtils.dll
+ 2001-01-12 22:04:00 187,152 ----a-w C:\WINDOWS\system32\javacypt.dll
+ 2001-01-12 22:04:00 139,536 ----a-w C:\WINDOWS\system32\javaee.dll
+ 2001-01-12 22:04:00 63,248 ----a-w C:\WINDOWS\system32\javaprxy.dll
+ 2001-01-12 22:04:02 404,752 ----a-w C:\WINDOWS\system32\javart.dll
+ 2001-01-12 22:04:08 15,120 ----a-w C:\WINDOWS\system32\jdbgmgr.exe
+ 2001-01-12 22:04:02 171,280 ----a-w C:\WINDOWS\system32\jit.dll
+ 2001-01-12 22:04:08 172,304 ----a-w C:\WINDOWS\system32\jview.exe
+ 2008-05-05 16:16:46 127,488 ----a-w C:\WINDOWS\system32\mgi\htUIDll.exe
+ 2001-01-12 22:04:02 154,896 ----a-w C:\WINDOWS\system32\msawt.dll
+ 2001-01-12 22:04:06 945,424 ----a-w C:\WINDOWS\system32\msjava.dll
+ 2001-01-12 22:04:06 21,264 ----a-w C:\WINDOWS\system32\msjdbc10.dll
+ 2008-06-01 17:13:00 37,900 ----a-w C:\WINDOWS\system32\stk\stuxderr.exe
+ 2001-01-12 22:04:06 286,992 ----a-w C:\WINDOWS\system32\vmhelper.dll
+ 2003-05-29 21:05:50 49,210 ------w C:\WINDOWS\system32\vzServices.dll
+ 2001-01-12 22:04:08 171,792 ----a-w C:\WINDOWS\system32\wjview.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 12:55 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-01-17 02:48 171168]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 01:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 20:50 253952]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 09:11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 21:48 275800]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-12-05 19:38 707360]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\t@b\0.958\686\tabdec.dll
"vidc.444p"= C:\Program Files\t@b\0.958\686\tabdec.dll
"midi1"= dosx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\tnameserv.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmid.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\rmiregistry.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\orbd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38270:TCP"= 38270:TCP:@xpsp2res.dll,-22005
"44821:TCP"= 44821:TCP:@xpsp2res.dll,-22005
"33208:TCP"= 33208:TCP:@xpsp2res.dll,-22005
"36631:TCP"= 36631:TCP:@xpsp2res.dll,-22005

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 18:13]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2007-03-22 08:17]
S1 crusoee;crusoee;C:\WINDOWS\system32\drivers\crusoee.sys []
S1 SilvrLnkk;SilvrLnkk;C:\WINDOWS\system32\drivers\SilvrLnkk.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2006-05-20 18:23:37 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1136286398.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-18 00:29:18 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1197941289.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-06-12 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 12:13:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
.
**************************************************************************
.
Completion time: 2008-06-20 12:24:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 16:24:03
ComboFix2.txt 2008-06-10 19:37:06

Pre-Run: 28,308,148,224 bytes free
Post-Run: 28,312,817,664 bytes free

295 --- E O F --- 2008-05-28 13:09:31


Malwarebytes' Anti-Malware 1.18
Database version: 871

12:40:04 PM 6/20/2008
mbam-log-6-20-2008 (12-40-04).txt

Scan type: Quick Scan
Objects scanned: 41453
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\105772 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\btz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\expo (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inet2 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xrem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1039a (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\444.470 (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\POTA777444.exe (Adware.TTC) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\expo\mtcon66225.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xrem\imapIP95.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1039a\atrdinac.exe (Trojan.Agent) -> Quarantined and deleted successfully.



File dvdplay.exe received on 06.20.2008 19:01:17 (CET)




This is all I got for the other 2 logs..


Result: 0/33 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.6.19.0 2008.06.20 -
AntiVir 7.8.0.59 2008.06.20 -
Authentium 5.1.0.4 2008.06.20 -
Avast 4.8.1195.0 2008.06.19 -
AVG 7.5.0.516 2008.06.20 -
BitDefender 7.2 2008.06.20 -
CAT-QuickHeal 9.50 2008.06.20 -
ClamAV 0.93.1 2008.06.20 -
DrWeb 4.44.0.09170 2008.06.20 -
eSafe 7.0.15.0 2008.06.19 -
eTrust-Vet 31.6.5890 2008.06.20 -
Ewido 4.0 2008.06.20 -
F-Prot 4.4.4.56 2008.06.19 -
F-Secure 7.60.13501.0 2008.06.20 -
Fortinet 3.14.0.0 2008.06.20 -
GData 2.0.7306.1023 2008.06.20 -
Ikarus T3.1.1.26.0 2008.06.20 -
Kaspersky 7.0.0.125 2008.06.20 -
McAfee 5322 2008.06.20 -
Microsoft 1.3604 2008.06.20 -
NOD32v2 3203 2008.06.20 -
Norman 5.80.02 2008.06.20 -
Panda 9.0.0.4 2008.06.19 -
Prevx1 V2 2008.06.20 -
Rising 20.49.42.00 2008.06.20 -
Sophos 4.30.0 2008.06.20 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.20 -
TheHacker 6.2.92.355 2008.06.19 -
TrendMicro 8.700.0.1004 2008.06.20 -
VBA32 3.12.6.7 2008.06.19 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.20 -
Additional information
File size: 55296 bytes
MD5...: b989cf7256a3ce36ed874d9eae9641c6
SHA1..: 5896eede2629393ee07b0fad3ec3a95f920f8578
SHA256: 25dd316f83c3525e7585d4a915c35fd4fba34fc30c98682cf945123ee3bb4f01
SHA512: 5c929aa878d0b183947405e403c3876a54bd9e367ede2639edef1160913f299f
dc31d562fbc3f3d05c0c4e42160ba503d2c4cb2c531b12f7ceeee35a4fec4da6
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10011f9
timedatestamp.....: 0x3b7d84d0 (Fri Aug 17 20:55:44 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x64c 0x800 5.13 f83ce57235e21fae71b6be1d2ed165bb
.data 0x2000 0x28 0x200 0.02 9475a59226943a3ad422e18169989f66
.rsrc 0x3000 0xc880 0xca00 3.86 aae0615438d37d2f251b4be9d8dfd6e8

( 3 imports )
> msvcrt.dll: __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, _initterm, _controlfp, _except_handler3, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, __set_app_type, _c_exit
> ADVAPI32.dll: RegOpenKeyExA, RegQueryValueExA
> KERNEL32.dll: CreateProcessA, SearchPathA, GetModuleHandleA, GetStartupInfoA

( 0 exports )

Edited by Geek7, 20 June 2008 - 12:43 PM.
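As an added triage example (not code from the thread, from ComboFix or from any of the tools used here): a small Python parser for the ComboFix-style registry dump posted above. It pulls out the Security Center values that silence the antivirus and update warnings (the ones shown as dword:00000001 in the log), the globally opened firewall ports, and the service/driver lines whose trailing brackets are empty, which is how the two S1 drivers crusoee and SilvrLnkk appear in the log. The sample text is constructed to mirror the log's format; the function names are my own.

```python
"""Triage helper for ComboFix-style registry dump text (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the ComboFix log format posted in the thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38270:TCP"= 38270:TCP:@xpsp2res.dll,-22005
"44821:TCP"= 44821:TCP:@xpsp2res.dll,-22005

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 18:13]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2007-03-22 08:17]
S1 crusoee;crusoee;C:\WINDOWS\system32\drivers\crusoee.sys []
S1 SilvrLnkk;SilvrLnkk;C:\WINDOWS\system32\drivers\SilvrLnkk.sys []
"""

# [HKEY...] section header
HEADER_RE = re.compile(r'^\[([^\]]+)\]\s*$')
# "Name"=value   or   "Name"= value
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
# R2 Name;Display Name;path [file date]   -- empty brackets mean no file info
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[(.*)\]\s*$')
PORT_RE = re.compile(r'^(\d+):(TCP|UDP)$')


def parse_sections(dump: str) -> Dict[str, Dict[str, str]]:
    """Group "name"=value lines under the [key] header that precedes them."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def _is_set(value: str) -> bool:
    """True for dword:00000001 or the '1 (0x1)' rendering used elsewhere in the dump."""
    return re.match(r'^(dword:0*1|1\b)', value) is not None


def find_security_center_overrides(dump: str) -> List[str]:
    """Security Center values set to 1: these suppress AV/update warnings."""
    found: List[str] = []
    for header, values in parse_sections(dump).items():
        if header.lower().endswith("security center"):
            found.extend(name for name, value in values.items() if _is_set(value))
    return found


def find_open_ports(dump: str) -> List[Tuple[int, str]]:
    """Ports listed under the firewall's GloballyOpenPorts key."""
    ports: List[Tuple[int, str]] = []
    for header, values in parse_sections(dump).items():
        if "globallyopenports" in header.lower():
            for name in values:
                m = PORT_RE.match(name)
                if m:
                    ports.append((int(m.group(1)), m.group(2)))
    return ports


def find_drivers_missing_file(dump: str) -> List[str]:
    """Service/driver entries whose trailing [..] carries no file information."""
    return [m.group(2) for m in map(SERVICE_RE.match, dump.splitlines())
            if m and m.group(5).strip() == ""]


def triage(dump: str) -> Dict[str, object]:
    """Collect the three checks into one report for a helper to read."""
    return {
        "security_center_overrides": find_security_center_overrides(dump),
        "open_ports": find_open_ports(dump),
        "drivers_missing_file": find_drivers_missing_file(dump),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DUMP).items():
        print(f"{key}: {items}")
```

Run as a script it prints the three findings for the constructed sample; point `triage()` at the text of a real ComboFix.txt to get the same summary. The regexes only cover the three line shapes shown in the log, so other sections of a dump are simply ignored rather than misparsed.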


#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:58 PM

Posted 21 June 2008 - 07:05 AM

I am still seeing some things I don't like in your logs. My team coach is having ISP problems so I am waiting for a reply from her on the things I am concerned about. In the meantime we need to get you an anti-virus up and running because you may still be picking up infections from somewhere on the Internet. Although we may have to turn around and disable it temporarily when we run the next part of the fix, it would be better not to leave you out there without better protection.


For a free anti-virus please follow these instructions:


Click on this link: AVG
  • Underneath AVG Anti-Virus Free click on Download
  • Click on AVG 7.5 Free for Windows
  • Click on Download
  • A window will open. Click on Save File. A window will open. Click on Next
  • Click on Accept
  • Make sure standard install is checked and click Next
  • You can enter your name and click Next
  • Click Finish. After install is complete click OK
  • Follow prompts to update and check for viruses
Some more links to free anti-virus programs (Note: choose only one)

Avira

Avast



Also please run Deckard's System Scan again and supply us with an updated log. You will only get the first part of the log on this run so don't be concerned when the second part does not show up.




Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 Geek7

Geek7
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 23 June 2008 - 03:38 PM

Sorry, I was little slow with this..

I had an 18 hour Relay for Life to participate in..

Anyways, I downloaded AVG ~ I kinda like it too, it shows me which websites are safe when I use google.

Oh, and here's the log..

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-06-23 16:34:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:36 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PPStream\ppsap.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47B863BD-9069-43B1-A1BA-C7B73953697A} (SDD2MS Control) - http://partners.sonypictures.com/activex/m...1109/SDD2MS.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176481952078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8179 bytes

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-22 13:34:36 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-22 13:34:27 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 10:25:22 0 d-------- C:\WINDOWS\system32\stk
2008-06-14 10:25:22 0 d-------- C:\WINDOWS\system32\mgi
2008-06-14 10:25:18 0 d-------- C:\WINDOWS\system32\netrax06
2008-06-11 06:48:17 49210 -----n--- C:\WINDOWS\system32\vzServices.dll <Not Verified; Verizon Internet Solutions; Verizon Online DSL Service Fulfillment Platform>
2008-06-11 06:48:09 171280 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:08 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:08 313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft DirectX for Java>
2008-06-11 06:48:03 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-06-11 06:48:03 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-06-11 06:48:03 171792 --a------ C:\WINDOWS\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:03 286992 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:03 21264 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:02 945424 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:02 154896 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:02 172304 --a------ C:\WINDOWS\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:02 15120 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:02 404752 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:02 63248 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:02 187152 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:48:01 49424 --a------ C:\WINDOWS\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-06-11 06:47:48 0 d-------- C:\WINDOWS\system32\FinePointLib
2008-06-10 16:15:46 0 d-------- C:\Program Files\Trend Micro
2008-06-10 15:12:56 68096 --a------ C:\WINDOWS\zip.exe
2008-06-10 15:12:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-10 15:12:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-10 15:12:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-10 15:12:56 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-10 15:12:56 98816 --a------ C:\WINDOWS\sed.exe
2008-06-10 15:12:56 80412 --a------ C:\WINDOWS\grep.exe
2008-06-10 15:12:56 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-10 11:05:54 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Uniblue
2008-06-06 23:24:54 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-06-06 23:24:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 23:24:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 12:02:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-06-06 12:02:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-06 12:02:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Start Menu
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\SendTo
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\PrintHood
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\NetHood
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-06 12:01:59 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-06 12:01:59 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-06-06 12:01:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-06 12:01:57 593920 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-06 08:05:51 0 d-------- C:\WINDOWS\system32\4674
2008-06-06 05:43:48 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 08:10:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-05 08:09:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\Sun
2008-06-05 08:08:55 0 d--hs---- C:\Documents and Settings\LocalService\UserData
2008-06-05 08:06:05 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-05 08:05:58 0 d--hs---- C:\WINDOWS\VmlyZ2luaWEgU2F2aW8
2008-06-05 08:05:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-05 08:05:23 0 d-------- C:\WINDOWS\system32\NMP
2008-06-05 08:05:15 0 d-------- C:\WINDOWS\system32\vntiho05


-- Find3M Report ---------------------------------------------------------------

2008-06-23 14:50:53 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\gtk-2.0
2008-06-22 13:34:27 0 d-------- C:\Program Files\AVG
2008-06-21 12:24:26 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-06-20 12:06:25 0 d-------- C:\Program Files\Common Files
2008-06-20 12:03:57 21500 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-06-19 09:26:52 0 d-------- C:\Program Files\PPStream
2008-06-18 16:15:25 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\ppstream
2008-06-10 10:51:06 0 d-------- C:\Program Files\RealArcade
2008-06-06 12:54:36 269 --a------ C:\Program Files\Common Files\lavufave
2008-05-11 13:38:36 0 d-------- C:\Program Files\PPMate
2008-05-11 11:36:25 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-05-04 20:25:31 0 d-------- C:\Program Files\LimeWire
2008-05-04 16:25:23 0 d-------- C:\Program Files\MySpace


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/26/2005 01:34 AM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [05/10/2005 08:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [01/12/2007 09:48 PM]
"VX3000"="C:\WINDOWS\vVX3000.exe" [12/05/2006 07:38 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/2006 04:24 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/22/2008 01:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/23/2007 12:55 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [01/17/2008 02:48 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 07:27 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- End of Deckard's System Scanner: finished at 2008-06-23 16:35:12 ------------

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:58 PM

Posted 30 June 2008 - 06:47 PM

Again I apologize because it is taking so long. :thumbsup: It is strictly due to my team coach having some serious issues with her Internet. I wanted to let you know that just as soon as I can I will be back with you.



Thanks, :)



thewall

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:58 PM

Posted 01 July 2008 - 06:02 AM

OK I'm back, hope you are still here.


Glad you like the AVG, it will give you another level of protection and that is something we can't have too much of with all the baddies that are out there. Had it not been for mine I would have been sporting a new keylogger Trojan on my machine from browsing I was doing the other night while looking for some info.


Here's what's next:



I want you to download an updated version of ComboFix but before you do please follow the path here C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe and delete the existing one from your Desktop.




Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**


1) Close any open browsers.


2) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. To do this with your AVG please do the following:

Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


3) Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
C:\WINDOWS\system32\stk
C:\WINDOWS\system32\mgi
C:\WINDOWS\system32\netrax06
C:\WINDOWS\system32\vntiho05
C:\WINDOWS\system32\4674
C:\WINDOWS\system32\NMP


Driver::
crusoee
SilvrLnkk


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



After completion you can reenable your AVG.



When you post the log from the ComboFix.txt please add a new log from DSS also.



Thanks,




thewall

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:58 PM

Posted 07 July 2008 - 06:07 AM

I need to know whether you still require assistance or I must ask for this thread to be closed.




thewall

#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:58 PM

Posted 09 July 2008 - 04:51 PM

Hello,

Due to inactivity this topic has been closed.
If you need it re-opened please PM a member of the Moderating team with a link to your thread.
All others please start your own topic.

Thanks

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image



