
Virus Found Vundo; Css[1]


This topic is locked
24 replies to this topic

#1 ms90love


Posted 07 June 2008 - 10:22 AM

Hey. I'm sorry for putting the topic in the wrong place. I think I have a virus. I am running AVG antivirus and antispyware and an unregistered version of Spy Sweeper. AVG always comes up with a threat saying "virus found Vundo", and for a while I kept getting a problem with a file named css[1]. With both of these problems I would tell AVG to send it to the virus vault, but I would keep getting both. Vundo comes up with different files. I haven't gotten the css[1] problem in a while. I am using Windows XP. It's been freezing up when I try to close Works word processor, and it also freezes up for a few minutes at random times. I don't know what the problem is. I tried to use the Vundo virus removal tool but that didn't seem to work. Also, sometimes I get a BSOD. Please help! I tried to do everything that was in the preparation guide, but some things wouldn't work.


I did do the Kaspersky and the Deckard's scan.

Here is the extra.txt file from Deckard:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Athlon 64 Processor 3400+
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 446.23 MiB / 80.01 MiB
Pagefile Memory (total/avail): 1049.81 MiB / 287.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.18 MiB

C: is Fixed (NTFS) - 70.18 GiB total, 49.16 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2080AT PL - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 70.18 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
AV: Spy Sweeper with AntiVirus v5.5.7.124 (Webroot Software Inc)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\AdCalls\\Dialer.exe"="C:\\Program Files\\AdCalls\\Dialer.exe:*:Enabled:AdCalls"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\CQPhone\\CQPhone.exe"="C:\\Program Files\\CQPhone\\CQPhone.exe:*:Enabled:CQPhone"
"C:\\Program Files\\CQPhone\\cqvideo.exe"="C:\\Program Files\\CQPhone\\cqvideo.exe:*:Enabled:CQVideo"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Torrent101\\Torrent101.exe"="C:\\Program Files\\Torrent101\\Torrent101.exe:*:Enabled:Torrent P2P application"
"C:\\Program Files\\MSN Backup\\MSNBackup.exe"="C:\\Program Files\\MSN Backup\\MSNBackup.exe:*:Enabled:MSN BackUp"
"C:\\WINDOWS\\MSNImport.exe"="C:\\WINDOWS\\MSNImport.exe:*:Enabled:MSN Content Installer"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"E:\\setup\\HPZnet01.exe"="E:\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"E:\\setup\\HPONICIFS01.EXE"="E:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\ProxyWay\\proxyway.exe"="C:\\Program Files\\ProxyWay\\proxyway.exe:*:Enabled:ProxyWay"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\ooVoo\\ooVoo.exe"="C:\\Program Files\\ooVoo\\ooVoo.exe:*:Enabled:ooVoo"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner.Nina\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NINA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner.Nina
LOGONSERVER=\\NINA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Windows Live\Messenger\;C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\AMD\MCat\;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;C:\Program Files\AVG\AVG8
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp
TMP=C:\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp
USERDOMAIN=NINA
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner.Nina
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner.Nina (admin)
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3GP Player 2007 --> "C:\Program Files\3GP Player\unins000.exe"
AdCalls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D333CCA-44AD-40EA-8FB1-A2B4D981735F}\setup.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
AMD Processor Driver --> C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
AnalogX Vocal Remover (WinAmp) --> C:\Program Files\Plugins\wavremu.exe
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
Ares 2.0.5 --> "C:\Program Files\Ares\uninstall.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
C????I C????E --> C:\Program Files\mqreeb\Uninstal.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -IARI2045A.INF
ContentSAFER for Wizmax -->
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A607AC66-0C76-4519-9751-E12A93BF8EB2}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EmoDio --> "C:\Program Files\InstallShield Installation Information\{C20CE592-B0F8-4D20-BF31-0151CA6331A6}\setup.exe" -runfromtemp -l0x0409 -removeonly
EmoDio --> MsiExec.exe /X{C20CE592-B0F8-4D20-BF31-0151CA6331A6}
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
Glary Utilities 2.4 --> "C:\Program Files\Glary Utilities\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KKopy --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{E2F43AFC-95FF-43A3-95C2-8F55D41CDEC0}
Lame ACM MP3 Codec --> "C:\WINDOWS\IFinst26.exe" -UC:\Program Files\Lame MP3 Codec\IFUD.inf
Machine Check Analysis Tool --> MsiExec.exe /X{0FB1C141-AEA1-4AC3-B075-7E2750D9A524}
Media Library Management Wizard --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplibwiz.inf,DefaultUninstall
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft LifeCam --> MsiExec.exe /X{63AFACBC-4795-4A1B-8037-5085DC03FC54}
Microsoft Script Debugger --> RunDll32 advpack.dll,LaunchINFSection C:\Program Files\Microsoft Script Debugger\ScrptDbg.inf, Uninstall.NT
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Motorola PST --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8CC5BF82-4DD4-11D4-A39F-00C04F05E3F0}\Setup.exe" -l0x9 anything
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner.Nina\Application Data\Move Networks\ie_bin\Uninst.exe
Movie Maker Background Music Files --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
Movie Maker Sound Effects --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Movie Maker Title Images --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Neat Image v5 Demo (with plug-in) --> "C:\Program Files\Neat Image\unins000.exe"
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1}
ooVoo --> "C:\Program Files\InstallShield Installation Information\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}\setup.exe" -runfromtemp -l0x0009 -removeonly
Paint.NET v3.01 --> MsiExec.exe /X{74086643-8CB3-4AF7-B590-9390EBF9D496}
PC Connectivity Solution --> MsiExec.exe /I{066D65EA-ED53-44E4-A96A-F81B6E409D2E}
Philips PC Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}\setup.exe" -l0x9 -removeonly
Photo-Colorizer 1 --> C:\WINDOWS\cadkasdeinst01e.exe "C:\Program Files\Photo-Colorizer 1\"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Secure Game Player --> C:\Program Files\SkillJam Technologies\Secure Player\Uninstall.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_2045161F\HXFSETUP.EXE -U -Iari2045k.inf
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Sure Delete 5.1.1 --> "C:\Program Files\Sure Delete\unins000.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
WIBU-KEY Setup (WIBU-KEY Remove) --> C:\Program Files\WIBUKEY\Setup\SETUP32.EXE /R:{00060000-0000-1004-8002-0000C06B5161}
Win AVI HelixSDK --> c:\unins000.exe
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Media Bonus Pack for Windows XP --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Media Center Edition 2005 KB908250 --> "C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
WinPcap 4.0 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
XviD MPEG-4 Video Codec --> "C:\Program Files\Samsung\XviD\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type20 / Error
Event Submitted/Written: 06/03/2008 07:59:34 PM
Event ID/Source: 1000 / Microsoft Works 8
Event Description:
wkswp.exe8.4.623.0unknown0.0.0.000194635

Event Record #/Type6 / Success
Event Submitted/Written: 06/03/2008 07:38:19 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2174 / Error
Event Submitted/Written: 06/04/2008 03:55:43 PM / 06/04/2008 03:55:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service ntmssvc with arguments "-Service"
in order to run the server:
{D61A27C6-8F53-11D0-BFA0-00A024151983}

Event Record #/Type2165 / Warning
Event Submitted/Written: 06/04/2008 02:40:27 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\FAMILY on the network \Device\NetBT_Tcpip_{FE12E9C5-49D9-4ADB-A549-85868E303857}.
The data is the error code.

Event Record #/Type2158 / Error
Event Submitted/Written: 06/03/2008 07:40:02 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type2139 / Error
Event Submitted/Written: 06/03/2008 07:21:16 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The LogMeIn Kernel Information Provider service failed to start due to the following error:
%%3

Event Record #/Type2112 / Error
Event Submitted/Written: 06/03/2008 03:53:47 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The LogMeIn Kernel Information Provider service failed to start due to the following error:
%%3



-- End of Deckard's System Scanner: finished at 2008-06-04 16:06:00 ------------




____________________________________________________________________________




Here is the main.txt file:


Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-04 15:58:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2008-06-04 19:59:10 UTC - RP813 - Deckard's System Scanner Restore Point
7: 2008-06-03 20:24:21 UTC - RP812 - Installed Windows Movie Maker 2.0
6: 2008-06-03 19:02:16 UTC - RP811 - Software Distribution Service 3.0
5: 2008-06-01 17:27:56 UTC - RP810 - Removed Adobe Photoshop CS2
4: 2008-05-31 14:50:29 UTC - RP809 - Installed EmoDio


-- First Restore Point --
1: 2008-05-28 20:20:35 UTC - RP806 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:05 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner.Nina\Local Settings\Temporary Internet Files\Content.IE5\XQVFV65N\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://apps.collegeboard.com/my_organizer/MyOrganizer.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - C:\WINDOWS\system32\wvUlkKCR.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunKist] "C:\Program Files\Digital Media Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {46012076-ED62-464b-9554-AD0BEC35D1EC} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vGqB728Ax....RichUpload.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wvUlkKCR - wvUlkKCR.dll (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10977 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080224-104526-481 O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
backup-20080224-104526-962 O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
backup-20080301-132027-549 O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
backup-20080301-132027-769 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080301-132027-821 O9 - Extra button: C?I??? - {46012075-ED62-464b-9554-AD0BEC35D1EC} - http://ww80.com (file missing)
backup-20080326-215841-801 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080412-003532-410 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 CdaD10BA - c:\windows\system32\drivers\cdad10ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R2 WIBUKEY (WIBU-KEY Kernel Driver) - c:\windows\system32\drivers\wibukey.sys <Not Verified; WIBU-SYSTEMS AG; WIBU-KEY Software Protection System>

S0 Spssys (Toshiba SPS Service) - c:\windows\system32\drivers\spssys.sys (file missing)
S2 LMIInfo (LogMeIn Kernel Information Provider) - c:\program files\logmein\x86\rainfo.sys (file missing)
S3 CA561 (ICatch (VI) PC Camera) - c:\windows\system32\drivers\spca561.sys (file missing)
S3 EMCFILT (Alcor Micro Corp for Emachine- 9361) - c:\windows\system32\drivers\emcfilt.sys <Not Verified; Alcor Micro Corp.; emcfilt>
S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft Windows 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-03 19:23:58 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-30 19:07:16 1474 --a------ C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
2006-09-04 09:32:50 106 --a------ C:\WINDOWS\Tasks\Critical Battery Alarm Program.job


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-04 15:59:15 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 15:58:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-04 15:39:31 0 d------c- C:\I386
2008-06-04 15:16:06 0 d-------- C:\WINDOWS\LastGood
2008-06-01 18:01:07 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-01 17:49:43 0 dr-h---c- C:\Documents and Settings\Owner.Nina\Recent
2008-05-30 19:04:31 0 d-------- C:\Program Files\Webroot
2008-05-30 19:04:31 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Webroot
2008-05-30 19:04:31 0 d------c- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-30 18:55:58 164 --a----c- C:\install.dat
2008-05-28 16:58:22 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Adobe
2008-05-28 16:55:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-28 16:18:05 0 d--h---c- C:\$AVG8.VAULT$
2008-05-26 20:14:02 352256 --a------ C:\WINDOWS\system32\MSLUR71.dll <Not Verified; Sample Corporation; Sample Application DLL>
2008-05-26 20:14:02 507904 --a------ C:\WINDOWS\system32\MSLUP71.dll <Not Verified; Sample Corporation; Sample Application DLL>
2008-05-26 20:14:00 921600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2008-05-26 20:14:00 188416 --a------ C:\WINDOWS\system32\vorbis.dll
2008-05-26 20:14:00 110592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL <Not Verified; ENJsoft Corporation; SelfMusicVideo>
2008-05-26 20:14:00 110592 --a------ C:\WINDOWS\system32\tg_dump.dll <Not Verified; ENJsoft Corporation; SelfMusicVideo Filter>
2008-05-26 20:14:00 237568 --a------ C:\WINDOWS\system32\OggDS.dll <Not Verified; ; Ogg DirectShow Filter Collection>
2008-05-26 20:14:00 45056 --a------ C:\WINDOWS\system32\Ogg.dll
2008-05-26 20:14:00 200704 --a------ C:\WINDOWS\system32\muzwmts.dll <Not Verified; MusicCity; P3WMTSplitter Filter>
2008-05-26 20:13:58 167936 --a------ C:\WINDOWS\system32\muzapp.exe <Not Verified; Musiccity Co.Ltd.; MUZAoDApp Module>
2008-05-26 20:13:58 483328 --a------ C:\WINDOWS\system32\muzapp.dll <Not Verified; Musiccity Co.Ltd.; MUZAoDAppCtrl Module>
2008-05-26 20:13:58 135168 --a------ C:\WINDOWS\system32\muzaf1.dll <Not Verified; Musiccity Co.Ltd.; muzaf1>
2008-05-26 20:13:58 40960 --a------ C:\WINDOWS\system32\MAMACExtract.dll <Not Verified; ???????; ??????? MAMACExtract>
2008-05-26 20:13:58 118784 --a------ C:\WINDOWS\system32\MaDRM.dll <Not Verified; (?)????; MaDRM ?? ?? ????? with PKI>
2008-05-19 23:03:04 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-19 23:02:43 0 d-------- C:\Program Files\AVG
2008-05-19 23:02:40 0 d------c- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 13:44:10 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 22:42:14 0 d------c- C:\02a65157aa2a6d71a075e7
2008-05-09 10:19:52 0 d-------- C:\Program Files\UltraSMS


-- Find3M Report ---------------------------------------------------------------

2008-06-03 20:01:18 0 d-------- C:\Program Files\Picasa2
2008-06-03 19:45:27 29698 --a----c- C:\Documents and Settings\Owner.Nina\Application Data\wklnhst.dat
2008-06-03 16:25:16 0 d-------- C:\Program Files\Movie Maker
2008-06-01 14:00:21 0 d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP
2008-06-01 13:28:26 0 d-------- C:\Program Files\Common Files
2008-05-31 10:51:32 0 d-------- C:\Program Files\Samsung
2008-05-30 23:51:12 0 d-------- C:\Program Files\AIM6
2008-05-28 06:28:26 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-28 06:28:09 0 d-------- C:\Program Files\ooVoo
2008-05-28 06:26:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-18 13:43:26 0 d-------- C:\Program Files\iWin.com
2008-05-18 13:41:45 0 d-------- C:\Program Files\Google
2008-05-05 14:30:50 0 d-------- C:\Program Files\Microsoft Games
2008-04-27 12:00:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-21 20:07:08 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Autodesk
2008-04-12 01:36:05 0 d-------- C:\Program Files\Nol Danjou
2008-04-12 01:19:14 0 d-------- C:\Program Files\Philips
2008-04-11 19:19:19 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\ooVoo Details
2008-04-10 20:59:16 0 d-------- C:\Program Files\Microsoft LifeCam
2008-04-08 20:12:48 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-29 22:47:16 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-29 22:46:43 88 -r-hs---- C:\WINDOWS\system32\8DFBDB31B3.sys
2008-03-19 05:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96134ABB-AD7C-4135-A927-329B735D524F}]
C:\WINDOWS\system32\wvUlkKCR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/06/2005 12:56 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 03:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 03:00 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [06/28/2005 10:05 PM]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [05/26/2004 09:57 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/31/2008 06:41 PM]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [05/17/2007 02:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/19/2008 11:02 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 08:18 AM]
"ares"="C:\Program Files\Ares\Ares.exe" [02/06/2007 09:39 PM]
"TrueTransparency"="C:\Program Files\TrueTransparency\TrueTransparency.exe" [10/28/2007 05:44 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 10:49 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
@=
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoPropertiesMyComputer"=1 (0x1)
"NoSMMyDocs"=0 (0x0)
"NoRun"=0 (0x0)
"Nofind"=0 (0x0)
"NoSMHelp"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)
"Nologoff"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"HideClock"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"MaxRecentDocs"=15 (0xf)
"PromptRunasInstallNetPath"=1 (0x1)
"ConfirmFileDelete"=1 (0x1)
"RecycleBinSize"=10 (0xa)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"LockTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{96134ABB-AD7C-4135-A927-329B735D524F}"= C:\WINDOWS\system32\wvUlkKCR.dll [ ]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/2004 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkKCR]
wvUlkKCR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
C:\Program Files\ooVoo\ooVoo.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{870f6cdb-c3ab-11dc-ab5a-0014a5431469}]
AutoRun\command- D:\Autorun.exe /run
Shell00\Command- D:\Autorun.exe /run
Shell01\Command- D:\Autorun.exe /action
Shell02\Command- D:\Autorun.exe /uninstall




-- End of Deckard's System Scanner: finished at 2008-06-04 16:06:00 ------------


Here is the Kaspersky file:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 04, 2008 7:09:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 829085


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
E:\

Scan Statistics
Total number of scanned objects 97767
Number of viruses found 3
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 02:01:39

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\.tt2F.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\.tt2F.tmp/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\.tt2F.tmp NSIS: infected - 2 skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\~DF769E.tmp Object is locked skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\~DF76C9.tmp Object is locked skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\~DFCA34.tmp Object is locked skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\~DFCA68.tmp Object is locked skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\~DFDB3B.tmp Object is locked skipped

C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NIN\LOCALS~1\Temp\~DFDC0F.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsrm.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02062007-163006.log Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner.Nina\Application Data\Webroot\Spy Sweeper\Logs\080603192327.ses Object is locked skipped

C:\Documents and Settings\Owner.Nina\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Messenger\chocomamii3315@Hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Messenger\chocomamii3315@Hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Messenger\chocomamii3315@Hotmail.com\SharingMetadata\Working\database_3638_D6C9_38D6_8771\dfsr.db Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Messenger\chocomamii3315@Hotmail.com\SharingMetadata\Working\database_3638_D6C9_38D6_8771\fsr.log Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Messenger\chocomamii3315@Hotmail.com\SharingMetadata\Working\database_3638_D6C9_38D6_8771\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Messenger\chocomamii3315@Hotmail.com\SharingMetadata\Working\database_3638_D6C9_38D6_8771\tmp.edb Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Windows Live Contacts\chocomamii3315@Hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Application Data\Microsoft\Windows Live Contacts\chocomamii3315@Hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Temp\~DF6BBC.tmp Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Temporary Internet Files\Content.IE5\29F1UIP9\css4[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.xue skipped

C:\Documents and Settings\Owner.Nina\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner.Nina\My Documents\My Music\Audio Converter\___ARESTRA___02-got me going.mp3 Object is locked skipped

C:\Documents and Settings\Owner.Nina\My Documents\My Music\Audio Converter\___ARESTRA___114-day26-got_me_going_(album_version).mp3 Object is locked skipped

C:\Documents and Settings\Owner.Nina\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner.Nina\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP807\A0403826.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ik skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP810\A0409374.dll Object is locked skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP813\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 June 2008 - 10:38 PM

Hello ms90love,


The following refers to Eusing Free Registry Cleaner.
Please be aware that BleepingComputer staff do not recommend the use of registry cleaners / tools, for the following reasons:
  • Registry tools can cause irreparable damage to your Operating System.
  • Registry tools can, as a result of the above, render your PC inoperable.
This recommendation is made on the assumption that the main audience on this board may be inexperienced users, so it is a suggested safeguard from our side.
If you feel you need a registry cleaner, you are just as welcome to keep it. This is what we refer to as an "optional fix"; it is up to the user, so just take this as a recommendation from my side.

****************************

I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus signature strings within them can cause other anti-virus products to raise "false alarms".

It can also lead to a clash as both products fight for access to files that are being opened; again, this concerns the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to Add/Remove Programs in the Control Panel and remove one of these:
AVG Anti-Virus Free v8.0 or Spy Sweeper with AntiVirus

****************************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 9
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

****************************


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ms90love
  • Topic Starter
  • Members
  • 36 posts

Posted 12 June 2008 - 08:50 PM

Thanks for your help =]

I got rid of Spy Sweeper and Eusing (well, for Eusing I couldn't find it in Add/Remove Programs, so I went to Start > Search, searched for Eusing and deleted it from there).
Here's the log file:


Malwarebytes' Anti-Malware 1.17
Database version: 851

9:46:42 PM 6/12/2008
mbam-log-6-12-2008 (21-46-42).txt

Scan type: Quick Scan
Objects scanned: 56142
Time elapsed: 25 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by ms90love, 12 June 2008 - 08:52 PM.


#4 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 June 2008 - 10:05 PM

Hi ms90love,

You forgot to post a fresh DSS log. Only the main.txt is needed, as it will have the HijackThis log included.

How is the computer running? :thumbsup:

Edited by SifuMike, 12 June 2008 - 10:21 PM.
request DSS log

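
Triaging the two log formats in this thread, as an added example (this script is mine, not a tool from the thread, from Malwarebytes or from Trend Micro): it parses the `item (family) -> action` detection lines of a Malwarebytes' Anti-Malware report and the `Oxx - ...` entries of a HijackThis listing, then flags the registry locations Vundo/Virtumonde is known to use for persistence (ShellExecuteHooks, Winlogon Notify) and marks a few entries that merit a second look (AppInit_DLLs, an unreadable O8 label, the WinPcap rpcapd service). The sample input is copied from the logs posted in this thread: the MBAM report in post #3 and the HijackThis section of the DSS main.txt that follows. The heuristics and the high/review/info severities are my assumptions, not published detection rules.

```python
"""Triage helper for Malwarebytes' Anti-Malware reports and HijackThis-style listings.
Added example; heuristics and severities are the example author's assumptions."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the logs posted in this thread.
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O8 - Extra context menu item: C?I??? C????? - C:\WINDOWS\ww80.html
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wvUlkKCR - C:\WINDOWS\system32\
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

# MBAM detection line: "<item> (<family>) -> <action>."
MBAM_RE = re.compile(r"^(?P<item>\S.*?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# HijackThis entry: "<section> - <body>"
HJT_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
# Registry locations Vundo/Virtumonde uses for persistence (substring match on a lowercased path).
VUNDO_KEYS = ("\\shellexecutehooks\\", "\\winlogon\\notify\\")

@dataclass
class Finding:
    source: str    # "mbam" or "hjt"
    severity: str  # "high", "review" or "info"
    line: str      # the log line the finding refers to
    reason: str

def parse_mbam(text):
    """Return (item, family, action) for every detection line; headers and counts are skipped."""
    return [(m["item"], m["family"], m["action"])
            for m in map(MBAM_RE.match, (ln.strip() for ln in text.splitlines())) if m]

def triage_mbam(text):
    findings = []
    for item, family, action in parse_mbam(text):
        vundo = "vundo" in family.lower() or any(k in item.lower() for k in VUNDO_KEYS)
        reason = f"{family}: {action}"
        if vundo:
            reason += " (Vundo persistence location; re-scan after reboot to confirm it does not return)"
        findings.append(Finding("mbam", "high" if vundo else "info", item, reason))
    return findings

def triage_hjt(text):
    findings = []
    for m in filter(None, map(HJT_RE.match, (ln.strip() for ln in text.splitlines()))):
        sec, body, line = m["section"], m["body"], m.group(0)
        if sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding("hjt", "info", line,
                "BHO CLSID with no backing DLL: orphaned registration, safe to fix"))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].strip().partition(" - ")
            random_name = bool(re.fullmatch(r"[A-Za-z]{8}", name)) and not name.islower() and not name.isupper()
            if path.endswith("\\") or random_name:
                findings.append(Finding("hjt", "high", line,
                    "Winlogon Notify subkey with a random 8-letter name and no DLL file name: classic Vundo leftover"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding("hjt", "review", line,
                "AppInit_DLLs is loaded into every process that links user32.dll; confirm the vendor (here AVG)"))
        elif sec == "O8" and re.search(r"\?{2,}", body):
            findings.append(Finding("hjt", "review", line,
                "unreadable context-menu label; check where its handler file came from"))
        elif sec == "O23" and "rpcapd" in body:
            findings.append(Finding("hjt", "review", line,
                "WinPcap remote capture daemon accepts network connections; disable unless it is needed"))
    return findings

def triage(mbam_text, hjt_text):
    """All findings, most severe first."""
    order = {"high": 0, "review": 1, "info": 2}
    return sorted(triage_mbam(mbam_text) + triage_hjt(hjt_text), key=lambda f: order[f.severity])

if __name__ == "__main__":
    for f in triage(MBAM_SAMPLE, HJT_SAMPLE):
        print(f"[{f.severity:6}] {f.source}: {f.reason}\n         {f.line}")
```

Run against the two samples, the script ranks the ShellExecuteHooks value and the `wvUlkKCR` Winlogon Notify subkey as high, which matches what the helper in this thread acts on; the O2 "(no file)" entry is only an orphan left behind by an earlier clean-up. Paste a full MBAM report and HijackThis log into the two strings to use it on other logs.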

#5 ms90love
  • Topic Starter
  • Members
  • 36 posts

Posted 13 June 2008 - 11:43 AM

Oooh, sorry about that :thumbsup:
It's running OK, better than before, but it's still kind of slow and it still freezes up when I try to close Works word processor.
Here's the main.txt file:




Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-13 12:38:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-13 12:39:30
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.Nina\Desktop\dss.exe
C:\Documents and Settings\Owner.Nina\My Documents\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/windows/ie_intl/en/start/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?wl=true
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://apps.collegeboard.com/my_organizer/MyOrganizer.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunKist] "C:\Program Files\Digital Media Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: C?I??? C????? - C:\WINDOWS\ww80.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {46012076-ED62-464b-9554-AD0BEC35D1EC} - (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vGqB728Ax....RichUpload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E...04/clearadj.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: wvUlkKCR - C:\WINDOWS\system32\
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 12097 bytes

-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-12 21:15:26 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Malwarebytes
2008-06-12 21:15:07 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 21:15:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 21:03:38 0 d-------- C:\WINDOWS\LastGood
2008-06-12 12:05:34 0 d-------- C:\Program Files\Viewpoint
2008-06-11 13:12:04 0 d------c- C:\33a29603c9ca051ada38589e
2008-06-08 16:00:52 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 16:00:44 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 12:58:38 0 dr-h---c- C:\Documents and Settings\Owner.Nina\Recent
2008-06-08 09:59:15 0 d------c- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 21:44:24 0 d------c- C:\VundoFix Backups
2008-06-07 20:19:51 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\NCH Swift Sound
2008-06-07 11:21:18 74 --ah----- C:\WINDOWS\sysdws.dat
2008-06-07 11:17:31 0 d------c- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-05 15:47:37 0 d------c- C:\videodvdmaker
2008-06-05 15:47:37 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Video DVD Maker FREE
2008-06-04 15:39:31 0 d------c- C:\I386
2008-06-01 18:01:07 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-30 18:55:58 164 --a----c- C:\install.dat
2008-05-28 16:58:22 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Adobe
2008-05-28 16:55:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-28 16:18:05 0 d--h---c- C:\$AVG8.VAULT$
2008-05-26 20:14:02 352256 --a------ C:\WINDOWS\system32\MSLUR71.dll <Not Verified; Sample Corporation; Sample Application DLL>
2008-05-26 20:14:02 507904 --a------ C:\WINDOWS\system32\MSLUP71.dll <Not Verified; Sample Corporation; Sample Application DLL>
2008-05-26 20:14:00 921600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2008-05-26 20:14:00 188416 --a------ C:\WINDOWS\system32\vorbis.dll
2008-05-26 20:14:00 110592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL <Not Verified; ENJsoft Corporation; SelfMusicVideo>
2008-05-26 20:14:00 110592 --a------ C:\WINDOWS\system32\tg_dump.dll <Not Verified; ENJsoft Corporation; SelfMusicVideo Filter>
2008-05-26 20:14:00 237568 --a------ C:\WINDOWS\system32\OggDS.dll <Not Verified; ; Ogg DirectShow™ Filter Collection>
2008-05-26 20:14:00 45056 --a------ C:\WINDOWS\system32\Ogg.dll
2008-05-26 20:14:00 200704 --a------ C:\WINDOWS\system32\muzwmts.dll <Not Verified; © MusicCity; P3WMTSplitter Filter>
2008-05-26 20:13:58 167936 --a------ C:\WINDOWS\system32\muzapp.exe <Not Verified; Musiccity Co.Ltd.; MUZAoDApp Module>
2008-05-26 20:13:58 483328 --a------ C:\WINDOWS\system32\muzapp.dll <Not Verified; Musiccity Co.Ltd.; MUZAoDAppCtrl Module>
2008-05-26 20:13:58 135168 --a------ C:\WINDOWS\system32\muzaf1.dll <Not Verified; Musiccity Co.Ltd.; muzaf1>
2008-05-26 20:13:58 40960 --a------ C:\WINDOWS\system32\MAMACExtract.dll <Not Verified; ???????; ??????? MAMACExtract>
2008-05-26 20:13:58 118784 --a------ C:\WINDOWS\system32\MaDRM.dll <Not Verified; (?)????; MaDRM ?? ?? ????? with PKI>
2008-05-19 23:03:04 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-19 23:02:43 0 d-------- C:\Program Files\AVG
2008-05-19 23:02:40 0 d------c- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 13:44:10 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 22:42:14 0 d------c- C:\02a65157aa2a6d71a075e7


-- Find3M Report ---------------------------------------------------------------

2008-06-12 12:14:40 0 d-------- C:\Program Files\AIM6
2008-06-08 15:22:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 15:21:24 0 d-------- C:\Program Files\Common Files
2008-06-08 14:47:29 0 d-------- C:\Program Files\PCFriendly
2008-06-08 12:25:00 0 d-------- C:\Program Files\Java
2008-06-08 12:15:32 0 d-------- C:\Program Files\Skype
2008-06-08 12:11:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 20:38:47 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-03 20:01:18 0 d-------- C:\Program Files\Picasa2
2008-06-03 19:45:27 29698 --a----c- C:\Documents and Settings\Owner.Nina\Application Data\wklnhst.dat
2008-06-03 16:25:16 0 d-------- C:\Program Files\Movie Maker
2008-06-01 14:00:21 0 d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP
2008-05-31 10:51:32 0 d-------- C:\Program Files\Samsung
2008-05-28 06:28:26 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-28 06:26:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-18 13:43:26 0 d-------- C:\Program Files\iWin.com
2008-05-18 13:41:45 0 d-------- C:\Program Files\Google
2008-05-09 10:26:56 0 d-------- C:\Program Files\UltraSMS
2008-05-05 14:30:50 0 d-------- C:\Program Files\Microsoft Games
2008-04-21 20:07:08 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Autodesk
2008-03-29 22:47:16 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-29 22:46:43 88 -r-hs---- C:\WINDOWS\system32\8DFBDB31B3.sys
2008-03-19 05:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/06/2005 12:56 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 03:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 03:00 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [06/28/2005 10:05 PM]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [05/26/2004 09:57 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/31/2008 06:41 PM]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [05/17/2007 02:45 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/19/2008 11:02 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 08:18 AM]
"ares"="C:\Program Files\Ares\Ares.exe" [02/06/2007 09:39 PM]
"TrueTransparency"="C:\Program Files\TrueTransparency\TrueTransparency.exe" [10/28/2007 05:44 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
@=
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoRun"=0 (0x0)
"Nofind"=0 (0x0)
"NoSMHelp"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)
"Nologoff"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"HideClock"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"MaxRecentDocs"=15 (0xf)
"PromptRunasInstallNetPath"=1 (0x1)
"ConfirmFileDelete"=1 (0x1)
"RecycleBinSize"=10 (0xa)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"LockTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/2004 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkKCR]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
C:\Program Files\ooVoo\ooVoo.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{870f6cdb-c3ab-11dc-ab5a-0014a5431469}]
AutoRun\command- D:\Autorun.exe /run
Shell00\Command- D:\Autorun.exe /run
Shell01\Command- D:\Autorun.exe /action
Shell02\Command- D:\Autorun.exe /uninstall




-- End of Deckard's System Scanner: finished at 2008-06-13 12:42:45 ------------

#6 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 June 2008 - 11:59 AM

Hi ms90love,


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVG Antivirus and Spy Sweeper before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ms90love
  • Topic Starter
  • Members
  • 36 posts

Posted 13 June 2008 - 12:26 PM

well here's the log, but it didn't ask me to do the recovery console thing and I was too scared to touch the computer to see how I was supposed to do it

ComboFix 08-06-11.7 - Owner 2008-06-13 13:07:48.1 - NTFSx86
Running from: C:\Documents and Settings\Owner.Nina\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\CALIBRIB.TTF
C:\WINDOWS\msnimport.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-12 21:15 . 2008-06-12 21:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\Malwarebytes
2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 21:15 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-12 21:15 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-12 21:03 . 2008-06-12 21:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-12 12:05 . 2008-06-12 12:06 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-11 13:12 . 2008-06-11 13:12 <DIR> d----c--- C:\33a29603c9ca051ada38589e
2008-06-11 13:09 . 2008-06-11 13:11 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 13:06 . 2008-06-11 13:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 13:06 . 2008-06-11 13:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 12:51 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 16:00 . 2008-06-08 16:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 16:00 . 2008-06-08 16:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 12:25 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-08 09:59 . 2008-06-08 10:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 21:44 . 2008-06-07 21:44 <DIR> d----c--- C:\VundoFix Backups
2008-06-07 20:19 . 2008-06-07 20:37 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\NCH Swift Sound
2008-06-07 11:21 . 2008-06-08 14:24 74 --ah----- C:\WINDOWS\sysdws.dat
2008-06-07 11:17 . 2008-06-08 15:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-05 15:47 . 2008-06-05 15:47 <DIR> d----c--- C:\videodvdmaker
2008-06-05 15:47 . 2008-06-05 15:47 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\Video DVD Maker FREE
2008-06-04 15:57 . 2008-06-04 15:57 <DIR> d----c--- C:\Deckard
2008-06-04 15:39 . 2008-06-04 15:47 <DIR> d----c--- C:\I386
2008-06-01 18:01 . 2008-06-02 16:03 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-30 18:55 . 2008-05-30 18:55 164 --a--c--- C:\install.dat
2008-05-28 16:55 . 2008-06-03 19:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-28 16:18 . 2008-06-04 19:09 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-05-26 20:13 . 2008-05-26 20:13 483,328 --a------ C:\WINDOWS\system32\muzapp.dll
2008-05-26 20:13 . 2008-05-26 20:13 167,936 --a------ C:\WINDOWS\system32\muzapp.exe
2008-05-26 20:13 . 2008-05-26 20:13 135,168 --a------ C:\WINDOWS\system32\muzaf1.dll
2008-05-26 20:13 . 2008-05-26 20:13 122,880 --a------ C:\WINDOWS\system32\muzeffect.ax
2008-05-26 20:13 . 2008-05-26 20:13 118,784 --a------ C:\WINDOWS\system32\MaDRM.dll
2008-05-26 20:13 . 2008-05-26 20:13 110,592 --a------ C:\WINDOWS\system32\muzmp4sp.ax
2008-05-26 20:13 . 2008-05-26 20:13 40,960 --a------ C:\WINDOWS\system32\MAMACExtract.dll
2008-05-19 23:03 . 2008-06-13 12:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-19 23:03 . 2008-05-19 23:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-19 23:03 . 2008-05-19 23:03 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-19 23:03 . 2008-05-19 23:03 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-19 23:02 . 2008-05-28 06:29 <DIR> d-------- C:\Program Files\AVG
2008-05-19 23:02 . 2008-05-28 06:29 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 13:44 . 2008-05-18 13:44 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 22:42 . 2008-05-28 06:28 <DIR> d----c--- C:\02a65157aa2a6d71a075e7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 16:14 --------- d-----w C:\Program Files\AIM6
2008-06-12 16:05 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-12 16:02 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-12 15:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-08 19:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 18:47 --------- d-----w C:\Program Files\PCFriendly
2008-06-08 18:08 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 18:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 16:25 --------- d-----w C:\Program Files\Java
2008-06-08 16:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-08 16:15 --------- d-----w C:\Program Files\Skype
2008-06-08 16:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 16:01 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 00:38 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-08 00:19 --------- dc----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-04 00:01 --------- d-----w C:\Program Files\Picasa2
2008-06-03 23:45 29,698 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\wklnhst.dat
2008-06-01 18:00 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2008-05-31 14:51 --------- d-----w C:\Program Files\Samsung
2008-05-28 10:29 --------- dc----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-28 10:28 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-28 10:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-18 17:43 --------- d-----w C:\Program Files\iWin.com
2008-05-18 17:41 --------- d-----w C:\Program Files\Google
2008-05-09 14:26 --------- d-----w C:\Program Files\UltraSMS
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 18:30 --------- d-----w C:\Program Files\Microsoft Games
2008-04-24 22:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-22 00:07 --------- dc----w C:\Documents and Settings\Owner.Nina\Application Data\Autodesk
2008-02-22 15:55 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-02-04 01:55 87,608 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\ezpinst.exe
2007-02-04 01:55 47,360 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\pcouffin.sys
2006-10-02 06:59 25,600 -c-ha-w C:\Documents and Settings\Owner.Nina\usbsermptxp.sys
2006-10-02 06:59 22,768 -c-ha-w C:\Documents and Settings\Owner.Nina\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18 307200]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-02-06 21:39 968704]
"TrueTransparency"="C:\Program Files\TrueTransparency\TrueTransparency.exe" [2007-10-28 17:44 133120]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 15:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05 344064]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 21:57 139264]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 18:41 185896]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 14:45 279912]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-19 23:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)
"Nologoff"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)
"PromptRunasInstallNetPath"= 1 (0x1)
"ConfirmFileDelete"= 1 (0x1)
"RecycleBinSize"= 10 (0xa)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"LockTaskbar"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkKCR]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YMPG"= ympgcdc.dll
"msacm.ympgacm"= ympgacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 16:21 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2007-02-06 21:39 968704 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-06-02 20:03 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 15:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
C:\Program Files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-31 18:41 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 18:35 3587120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:UDP"= 443:UDP:ooVoo UDP المنفذ 443
"37674:TCP"= 37674:TCP:ooVoo TCP المنفذ 37674
"37674:UDP"= 37674:UDP:ooVoo UDP المنفذ 37674
"37675:UDP"= 37675:UDP:ooVoo UDP المنفذ 37675

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-19 23:03]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-19 23:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-19 23:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-19 23:03]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 MSCamSvc;MSCamSvc;"c:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 14:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 18:18]
S0 Spssys;Toshiba SPS Service;C:\WINDOWS\system32\drivers\spssys.sys []
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;C:\WINDOWS\system32\Drivers\nx6000.sys [2007-04-12 14:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 13:31]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;C:\WINDOWS\system32\DRIVERS\pc100nds.sys [2001-08-17 13:12]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{870f6cdb-c3ab-11dc-ab5a-0014a5431469}]
\Shell\AutoRun\command - D:\Autorun.exe /run
\Shell\Shell00\Command - D:\Autorun.exe /run
\Shell\Shell01\Command - D:\Autorun.exe /action
\Shell\Shell02\Command - D:\Autorun.exe /uninstall

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2006-09-04 13:32:50 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-06-13 00:40:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 13:15:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-06-13 13:23:33
ComboFix-quarantined-files.txt 2008-06-13 17:22:26

Pre-Run: 50,764,394,496 bytes free
Post-Run: 51,118,362,624 bytes free

247 --- E O F --- 2008-06-11 20:43:54

#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 June 2008 - 12:37 PM

Hi ms90love,

well here's the log, but it didn't ask me to do the recovery console thing and I was too scared to touch the computer to see how I was supposed to do it


You did not take the time to read the how-to-use-combofix page. :thumbsup:
ComboFix does not ask you to install it, you have to do that!

We can't go on until you install Recovery Console. It is our safety net.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.


  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

#9 ms90love
  • Topic Starter
  • Members
  • 36 posts

Posted 13 June 2008 - 02:03 PM

ok sorry about that.. I forgot to ask.. my system restore won't work. I've tried to restore to an older location because the preparation guide told me to and I couldn't do it. It kept telling me that it was unsuccessful. :thumbsup: here's the new log.txt

ComboFix 08-06-11.7 - Owner 2008-06-13 14:43:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.20.1033.18.84 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.Nina\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Nina\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-12 21:15 . 2008-06-12 21:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\Malwarebytes
2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 21:15 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-12 21:15 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-12 21:03 . 2008-06-12 21:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-12 12:05 . 2008-06-12 12:06 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-11 13:12 . 2008-06-11 13:12 <DIR> d----c--- C:\33a29603c9ca051ada38589e
2008-06-11 13:09 . 2008-06-11 13:11 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 13:06 . 2008-06-11 13:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 13:06 . 2008-06-11 13:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 12:51 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 16:00 . 2008-06-08 16:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 16:00 . 2008-06-08 16:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 12:25 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-08 09:59 . 2008-06-08 10:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 21:44 . 2008-06-07 21:44 <DIR> d----c--- C:\VundoFix Backups
2008-06-07 20:19 . 2008-06-07 20:37 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\NCH Swift Sound
2008-06-07 11:21 . 2008-06-08 14:24 74 --ah----- C:\WINDOWS\sysdws.dat
2008-06-07 11:17 . 2008-06-08 15:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-05 15:47 . 2008-06-05 15:47 <DIR> d----c--- C:\videodvdmaker
2008-06-05 15:47 . 2008-06-05 15:47 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\Video DVD Maker FREE
2008-06-04 15:57 . 2008-06-04 15:57 <DIR> d----c--- C:\Deckard
2008-06-04 15:39 . 2008-06-04 15:47 <DIR> d----c--- C:\I386
2008-06-01 18:01 . 2008-06-02 16:03 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-30 18:55 . 2008-05-30 18:55 164 --a--c--- C:\install.dat
2008-05-28 16:55 . 2008-06-03 19:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-28 16:18 . 2008-06-04 19:09 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-05-26 20:13 . 2008-05-26 20:13 483,328 --a------ C:\WINDOWS\system32\muzapp.dll
2008-05-26 20:13 . 2008-05-26 20:13 167,936 --a------ C:\WINDOWS\system32\muzapp.exe
2008-05-26 20:13 . 2008-05-26 20:13 135,168 --a------ C:\WINDOWS\system32\muzaf1.dll
2008-05-26 20:13 . 2008-05-26 20:13 122,880 --a------ C:\WINDOWS\system32\muzeffect.ax
2008-05-26 20:13 . 2008-05-26 20:13 118,784 --a------ C:\WINDOWS\system32\MaDRM.dll
2008-05-26 20:13 . 2008-05-26 20:13 110,592 --a------ C:\WINDOWS\system32\muzmp4sp.ax
2008-05-26 20:13 . 2008-05-26 20:13 40,960 --a------ C:\WINDOWS\system32\MAMACExtract.dll
2008-05-19 23:03 . 2008-06-13 12:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-19 23:03 . 2008-05-19 23:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-19 23:03 . 2008-05-19 23:03 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-19 23:03 . 2008-05-19 23:03 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-19 23:02 . 2008-05-28 06:29 <DIR> d-------- C:\Program Files\AVG
2008-05-19 23:02 . 2008-05-28 06:29 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 13:44 . 2008-05-18 13:44 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 22:42 . 2008-05-28 06:28 <DIR> d----c--- C:\02a65157aa2a6d71a075e7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 16:14 --------- d-----w C:\Program Files\AIM6
2008-06-12 16:05 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-12 16:02 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-12 15:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-08 19:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 18:47 --------- d-----w C:\Program Files\PCFriendly
2008-06-08 18:08 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 18:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 16:25 --------- d-----w C:\Program Files\Java
2008-06-08 16:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-08 16:15 --------- d-----w C:\Program Files\Skype
2008-06-08 16:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 16:01 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 00:38 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-08 00:19 --------- dc----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-04 00:01 --------- d-----w C:\Program Files\Picasa2
2008-06-03 23:45 29,698 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\wklnhst.dat
2008-06-01 18:00 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2008-05-31 14:51 --------- d-----w C:\Program Files\Samsung
2008-05-31 14:49 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-28 10:29 --------- dc----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-28 10:28 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-28 10:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-27 00:14 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2008-05-27 00:14 507,904 ----a-w C:\WINDOWS\system32\MSLUP71.dll
2008-05-27 00:14 45,056 ----a-w C:\WINDOWS\system32\Ogg.dll
2008-05-27 00:14 352,256 ----a-w C:\WINDOWS\system32\MSLUR71.dll
2008-05-27 00:14 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2008-05-27 00:14 200,704 ----a-w C:\WINDOWS\system32\muzwmts.dll
2008-05-27 00:14 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2008-05-27 00:14 110,592 ----a-w C:\WINDOWS\system32\TG_DUMP0708.DLL
2008-05-27 00:14 110,592 ----a-w C:\WINDOWS\system32\tg_dump.dll
2008-05-27 00:14 1,046,528 ----a-w C:\WINDOWS\system32\MFC71LU.DLL
2008-05-18 17:43 --------- d-----w C:\Program Files\iWin.com
2008-05-18 17:41 --------- d-----w C:\Program Files\Google
2008-05-09 14:26 --------- d-----w C:\Program Files\UltraSMS
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 18:30 --------- d-----w C:\Program Files\Microsoft Games
2008-04-24 22:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 00:07 --------- dc----w C:\Documents and Settings\Owner.Nina\Application Data\Autodesk
2008-03-30 02:47 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-22 15:55 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-02-04 01:55 87,608 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\ezpinst.exe
2007-02-04 01:55 47,360 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\pcouffin.sys
2006-10-03 06:43 2,402,550 -c--a-w C:\WINDOWS\inf\SET77.tmp
2006-10-02 06:59 25,600 -c-ha-w C:\Documents and Settings\Owner.Nina\usbsermptxp.sys
2006-10-02 06:59 22,768 -c-ha-w C:\Documents and Settings\Owner.Nina\usbsermpt.sys
2003-08-05 16:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 21:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 20:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 23:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 19:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18 307200]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-02-06 21:39 968704]
"TrueTransparency"="C:\Program Files\TrueTransparency\TrueTransparency.exe" [2007-10-28 17:44 133120]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 15:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05 344064]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 21:57 139264]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 18:41 185896]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 14:45 279912]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-19 23:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)
"Nologoff"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)
"PromptRunasInstallNetPath"= 1 (0x1)
"ConfirmFileDelete"= 1 (0x1)
"RecycleBinSize"= 10 (0xa)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"LockTaskbar"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkKCR]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YMPG"= ympgcdc.dll
"msacm.ympgacm"= ympgacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 16:21 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2007-02-06 21:39 968704 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-06-02 20:03 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 15:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
C:\Program Files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-31 18:41 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 18:35 3587120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:UDP"= 443:UDP:ooVoo UDP المنفذ 443
"37674:TCP"= 37674:TCP:ooVoo TCP المنفذ 37674
"37674:UDP"= 37674:UDP:ooVoo UDP المنفذ 37674
"37675:UDP"= 37675:UDP:ooVoo UDP المنفذ 37675

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-19 23:03]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-19 23:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-19 23:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-19 23:03]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 MSCamSvc;MSCamSvc;"c:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 14:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 18:18]
S0 Spssys;Toshiba SPS Service;C:\WINDOWS\system32\drivers\spssys.sys []
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;C:\WINDOWS\system32\Drivers\nx6000.sys [2007-04-12 14:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 13:31]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;C:\WINDOWS\system32\DRIVERS\pc100nds.sys [2001-08-17 13:12]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{870f6cdb-c3ab-11dc-ab5a-0014a5431469}]
\Shell\AutoRun\command - D:\Autorun.exe /run
\Shell\Shell00\Command - D:\Autorun.exe /run
\Shell\Shell01\Command - D:\Autorun.exe /action
\Shell\Shell02\Command - D:\Autorun.exe /uninstall

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2006-09-04 13:32:50 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-06-13 00:40:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 14:49:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-06-13 14:57:18
ComboFix-quarantined-files.txt 2008-06-13 18:56:08
ComboFix2.txt 2008-06-13 17:23:34

Pre-Run: 51,041,497,088 bytes free
Post-Run: 51,020,214,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optout
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

271 --- E O F --- 2008-06-11 20:43:54

Edited by ms90love, 13 June 2008 - 02:07 PM.


#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:53 PM

Posted 13 June 2008 - 03:58 PM

Hi ms90love,

Is this a business or company computer?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 ms90love

ms90love
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 13 June 2008 - 04:01 PM

No, it's a personal computer, but it came with XP Pro downloaded.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:53 PM

Posted 13 June 2008 - 04:04 PM

Hi ms90love,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run, type Notepad and click OK.
Open Notepad; don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the code box below into Notepad:

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkKCR]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
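The CFScript above deletes the Winlogon Notify subkey wvUlkKCR, which the ComboFix log in post #9 lists with nothing under it (compare the LMIinit entry beside it, which shows its DLL). Winlogon Notify packages are DLLs loaded into winlogon.exe at logon, which is why a random-looking subkey with no DLL shown is worth removing. As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage script that parses the "Reg Loading Points" part of such a log, flags a Notify subkey with no value listed, an AppInit_DLLs value, a Security Center "DisableMonitoring" override and an open 3389/TCP (Remote Desktop) firewall rule, and prints the Registry:: lines a CFScript would need for the orphaned key. The sample text is excerpted from the log posted above; the indicator rules and the finding names are this example's own assumptions, and, as the helper says, a CFScript is written for one machine and must not be reused on another.

```python
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted in
# this thread; used here as constructed sample input for the triage routine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkKCR]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"')


def parse_sections(text):
    """Split the dump into (registry key, [value lines]) pairs.

    ComboFix prints each key as a bracketed header followed by the values it
    considers non-default; a header with nothing under it means the key exists
    but no value was shown for it.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def triage(text):
    """Return (indicator, detail) tuples; indicator names are this example's own."""
    findings = []
    for key, values in parse_sections(text):
        lk = key.lower()
        if "\\winlogon\\notify\\" in lk:
            # A Notify subkey with no DLL listed: orphaned, or hiding its value.
            if not values:
                findings.append(("orphaned-notify", key))
        elif lk.endswith("\\currentversion\\windows"):
            # AppInit_DLLs is loaded into every user32-linked process.
            for v in values:
                if v.lower().startswith('"appinit_dlls"='):
                    dlls = v.split("=", 1)[1].strip()
                    if dlls:
                        findings.append(("appinit-dll", dlls))
        elif "security center\\monitoring" in lk:
            # DisableMonitoring=1 silences Security Center for that product.
            if any('"disablemonitoring"=dword:00000001' in v.lower() for v in values):
                findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1]))
        elif lk.endswith("\\globallyopenports\\list"):
            # Globally open ports bypass the per-application firewall list.
            for v in values:
                m = PORT_RE.match(v)
                if m:
                    port = f"{m.group(1)}:{m.group(2)}"
                    kind = "rdp-port-open" if m.group(1) == "3389" else "open-port"
                    findings.append((kind, port))
    return findings


def cfscript_registry_block(findings):
    """Build the CFScript 'Registry::' block deleting orphaned Notify keys.

    The '[-KEY]' form is the one the helper used in this thread. A CFScript is
    written against one machine's log; never run one built for another system.
    """
    keys = [detail for kind, detail in findings if kind == "orphaned-notify"]
    if not keys:
        return ""
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, detail in results:
        print(f"{kind:40} {detail}")
    print(cfscript_registry_block(results), end="")
```

Run against the excerpt, the script reports the wvUlkKCR key (and not LMIinit, which lists its DLL), the AVG AppInit_DLLs entry, the Symantec monitoring override and the open 3389/TCP rule, then prints the same `[-HKEY_LOCAL_MACHINE\...\notify\wvUlkKCR]` line the CFScript above contains. Whether each finding is malicious still needs the human judgement the helper applies in this thread; the AVG entry and the ooVoo ports, for instance, belong to installed software.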

#13 ms90love

ms90love
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:10:53 PM

Posted 13 June 2008 - 04:43 PM

OK, here's the log.txt from ComboFix, and after it is the DSS HijackThis file.

ComboFix 08-06-11.7 - Owner 2008-06-13 17:23:25.3 - NTFSx86
Running from: C:\Documents and Settings\Owner.Nina\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Nina\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-12 21:15 . 2008-06-12 21:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\Malwarebytes
2008-06-12 21:15 . 2008-06-12 21:15 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 21:15 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-12 21:15 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-12 21:03 . 2008-06-12 21:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-12 12:05 . 2008-06-12 12:06 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-11 13:12 . 2008-06-11 13:12 <DIR> d----c--- C:\33a29603c9ca051ada38589e
2008-06-11 13:09 . 2008-06-11 13:11 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 13:06 . 2008-06-11 13:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 13:06 . 2008-06-11 13:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 12:51 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 16:00 . 2008-06-08 16:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 16:00 . 2008-06-08 16:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 12:25 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-08 09:59 . 2008-06-08 10:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 20:19 . 2008-06-07 20:37 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\NCH Swift Sound
2008-06-07 11:21 . 2008-06-08 14:24 74 --ah----- C:\WINDOWS\sysdws.dat
2008-06-07 11:17 . 2008-06-08 15:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-05 15:47 . 2008-06-05 15:47 <DIR> d----c--- C:\videodvdmaker
2008-06-05 15:47 . 2008-06-05 15:47 <DIR> d----c--- C:\Documents and Settings\Owner.Nina\Application Data\Video DVD Maker FREE
2008-06-04 15:57 . 2008-06-04 15:57 <DIR> d----c--- C:\Deckard
2008-06-04 15:39 . 2008-06-04 15:47 <DIR> d----c--- C:\I386
2008-06-01 18:01 . 2008-06-02 16:03 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-30 18:55 . 2008-05-30 18:55 164 --a--c--- C:\install.dat
2008-05-28 16:55 . 2008-06-03 19:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-28 16:18 . 2008-06-04 19:09 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-05-26 20:13 . 2008-05-26 20:13 483,328 --a------ C:\WINDOWS\system32\muzapp.dll
2008-05-26 20:13 . 2008-05-26 20:13 167,936 --a------ C:\WINDOWS\system32\muzapp.exe
2008-05-26 20:13 . 2008-05-26 20:13 135,168 --a------ C:\WINDOWS\system32\muzaf1.dll
2008-05-26 20:13 . 2008-05-26 20:13 122,880 --a------ C:\WINDOWS\system32\muzeffect.ax
2008-05-26 20:13 . 2008-05-26 20:13 118,784 --a------ C:\WINDOWS\system32\MaDRM.dll
2008-05-26 20:13 . 2008-05-26 20:13 110,592 --a------ C:\WINDOWS\system32\muzmp4sp.ax
2008-05-26 20:13 . 2008-05-26 20:13 40,960 --a------ C:\WINDOWS\system32\MAMACExtract.dll
2008-05-19 23:03 . 2008-06-13 12:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-19 23:03 . 2008-05-19 23:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-19 23:03 . 2008-05-19 23:03 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-19 23:03 . 2008-05-19 23:03 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-19 23:02 . 2008-05-28 06:29 <DIR> d-------- C:\Program Files\AVG
2008-05-19 23:02 . 2008-05-28 06:29 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 13:44 . 2008-05-18 13:44 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 22:42 . 2008-05-28 06:28 <DIR> d----c--- C:\02a65157aa2a6d71a075e7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 16:14 --------- d-----w C:\Program Files\AIM6
2008-06-12 16:05 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-12 16:02 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-12 15:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-08 19:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 18:47 --------- d-----w C:\Program Files\PCFriendly
2008-06-08 18:08 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 18:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 16:25 --------- d-----w C:\Program Files\Java
2008-06-08 16:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-08 16:15 --------- d-----w C:\Program Files\Skype
2008-06-08 16:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 16:01 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 00:38 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-08 00:19 --------- dc----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-04 00:01 --------- d-----w C:\Program Files\Picasa2
2008-06-03 23:45 29,698 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\wklnhst.dat
2008-06-01 18:00 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2008-05-31 14:51 --------- d-----w C:\Program Files\Samsung
2008-05-28 10:29 --------- dc----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-28 10:28 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-28 10:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-18 17:43 --------- d-----w C:\Program Files\iWin.com
2008-05-18 17:41 --------- d-----w C:\Program Files\Google
2008-05-09 14:26 --------- d-----w C:\Program Files\UltraSMS
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 18:30 --------- d-----w C:\Program Files\Microsoft Games
2008-04-24 22:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-22 00:07 --------- dc----w C:\Documents and Settings\Owner.Nina\Application Data\Autodesk
2008-02-22 15:55 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-02-04 01:55 87,608 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\ezpinst.exe
2007-02-04 01:55 47,360 -c--a-w C:\Documents and Settings\Owner.Nina\Application Data\pcouffin.sys
2006-10-02 06:59 25,600 -c-ha-w C:\Documents and Settings\Owner.Nina\usbsermptxp.sys
2006-10-02 06:59 22,768 -c-ha-w C:\Documents and Settings\Owner.Nina\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 08:18 307200]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-02-06 21:39 968704]
"TrueTransparency"="C:\Program Files\TrueTransparency\TrueTransparency.exe" [2007-10-28 17:44 133120]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 15:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05 344064]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 21:57 139264]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 18:41 185896]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 14:45 279912]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-19 23:02 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)
"Nologoff"= 0 (0x0)
"MaxRecentDocs"= 15 (0xf)
"PromptRunasInstallNetPath"= 1 (0x1)
"ConfirmFileDelete"= 1 (0x1)
"RecycleBinSize"= 10 (0xa)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"LockTaskbar"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YMPG"= ympgcdc.dll
"msacm.ympgacm"= ympgacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 16:21 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2007-02-06 21:39 968704 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-06-02 20:03 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 15:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
C:\Program Files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-31 18:41 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 18:35 3587120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 22:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134443466\\EE\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:UDP"= 443:UDP:ooVoo UDP المنفذ 443
"37674:TCP"= 37674:TCP:ooVoo TCP المنفذ 37674
"37674:UDP"= 37674:UDP:ooVoo UDP المنفذ 37674
"37675:UDP"= 37675:UDP:ooVoo UDP المنفذ 37675

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-19 23:03]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-19 23:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-19 23:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-19 23:03]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 MSCamSvc;MSCamSvc;"c:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 14:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 18:18]
S0 Spssys;Toshiba SPS Service;C:\WINDOWS\system32\drivers\spssys.sys []
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;C:\WINDOWS\system32\Drivers\nx6000.sys [2007-04-12 14:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 13:31]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;C:\WINDOWS\system32\DRIVERS\pc100nds.sys [2001-08-17 13:12]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{870f6cdb-c3ab-11dc-ab5a-0014a5431469}]
\Shell\AutoRun\command - D:\Autorun.exe /run
\Shell\Shell00\Command - D:\Autorun.exe /run
\Shell\Shell01\Command - D:\Autorun.exe /action
\Shell\Shell02\Command - D:\Autorun.exe /uninstall

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2006-09-04 13:32:50 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-06-13 00:40:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 17:29:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-06-13 17:38:09
ComboFix-quarantined-files.txt 2008-06-13 21:36:57
ComboFix2.txt 2008-06-13 18:57:20
ComboFix3.txt 2008-06-13 17:23:34

Pre-Run: 50,922,037,248 bytes free
Post-Run: 50,950,680,576 bytes free

244 --- E O F --- 2008-06-11 20:43:54

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-13 17:40:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-13 17:41:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner.Nina\Desktop\dss.exe
C:\Program Files\AVG\AVG8\avgcmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?wl=true
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://apps.collegeboard.com/my_organizer/MyOrganizer.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunKist] "C:\Program Files\Digital Media Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: C?I??? C????? - C:\WINDOWS\ww80.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {46012076-ED62-464b-9554-AD0BEC35D1EC} - (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vGqB728Ax....RichUpload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E...04/clearadj.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 11777 bytes

-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-13 14:42:21 0 d------c- C:\cmdcons
2008-06-13 13:04:50 68096 --a------ C:\WINDOWS\zip.exe
2008-06-13 13:04:50 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-13 13:04:50 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-13 13:04:50 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-13 13:04:50 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-13 13:04:50 98816 --a------ C:\WINDOWS\sed.exe
2008-06-13 13:04:50 80412 --a------ C:\WINDOWS\grep.exe
2008-06-13 13:04:50 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 21:15:26 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Malwarebytes
2008-06-12 21:15:07 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 21:15:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 21:03:38 0 d-------- C:\WINDOWS\LastGood
2008-06-12 12:05:34 0 d-------- C:\Program Files\Viewpoint
2008-06-11 13:12:04 0 d------c- C:\33a29603c9ca051ada38589e
2008-06-08 16:00:52 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 16:00:44 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 12:58:38 0 dr-h---c- C:\Documents and Settings\Owner.Nina\Recent
2008-06-08 09:59:15 0 d------c- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 20:19:51 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\NCH Swift Sound
2008-06-07 11:21:18 74 --ah----- C:\WINDOWS\sysdws.dat
2008-06-07 11:17:31 0 d------c- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-05 15:47:37 0 d------c- C:\videodvdmaker
2008-06-05 15:47:37 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Video DVD Maker FREE
2008-06-04 15:39:31 0 d------c- C:\I386
2008-06-01 18:01:07 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-30 18:55:58 164 --a----c- C:\install.dat
2008-05-28 16:58:22 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Adobe
2008-05-28 16:55:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-28 16:18:05 0 d--h---c- C:\$AVG8.VAULT$
2008-05-26 20:14:02 352256 --a------ C:\WINDOWS\system32\MSLUR71.dll <Not Verified; Sample Corporation; Sample Application DLL>
2008-05-26 20:14:02 507904 --a------ C:\WINDOWS\system32\MSLUP71.dll <Not Verified; Sample Corporation; Sample Application DLL>
2008-05-26 20:14:00 921600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2008-05-26 20:14:00 188416 --a------ C:\WINDOWS\system32\vorbis.dll
2008-05-26 20:14:00 110592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL <Not Verified; ENJsoft Corporation; SelfMusicVideo>
2008-05-26 20:14:00 110592 --a------ C:\WINDOWS\system32\tg_dump.dll <Not Verified; ENJsoft Corporation; SelfMusicVideo Filter>
2008-05-26 20:14:00 237568 --a------ C:\WINDOWS\system32\OggDS.dll <Not Verified; ; Ogg DirectShow™ Filter Collection>
2008-05-26 20:14:00 45056 --a------ C:\WINDOWS\system32\Ogg.dll
2008-05-26 20:14:00 200704 --a------ C:\WINDOWS\system32\muzwmts.dll <Not Verified; © MusicCity; P3WMTSplitter Filter>
2008-05-26 20:13:58 167936 --a------ C:\WINDOWS\system32\muzapp.exe <Not Verified; Musiccity Co.Ltd.; MUZAoDApp Module>
2008-05-26 20:13:58 483328 --a------ C:\WINDOWS\system32\muzapp.dll <Not Verified; Musiccity Co.Ltd.; MUZAoDAppCtrl Module>
2008-05-26 20:13:58 135168 --a------ C:\WINDOWS\system32\muzaf1.dll <Not Verified; Musiccity Co.Ltd.; muzaf1>
2008-05-26 20:13:58 40960 --a------ C:\WINDOWS\system32\MAMACExtract.dll <Not Verified; ???????; ??????? MAMACExtract>
2008-05-26 20:13:58 118784 --a------ C:\WINDOWS\system32\MaDRM.dll <Not Verified; (?)????; MaDRM ?? ?? ????? with PKI>
2008-05-19 23:03:04 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-19 23:02:43 0 d-------- C:\Program Files\AVG
2008-05-19 23:02:40 0 d------c- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 13:44:10 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 22:42:14 0 d------c- C:\02a65157aa2a6d71a075e7


-- Find3M Report ---------------------------------------------------------------

2008-06-12 12:14:40 0 d-------- C:\Program Files\AIM6
2008-06-08 15:22:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 15:21:24 0 d-------- C:\Program Files\Common Files
2008-06-08 14:47:29 0 d-------- C:\Program Files\PCFriendly
2008-06-08 12:25:00 0 d-------- C:\Program Files\Java
2008-06-08 12:15:32 0 d-------- C:\Program Files\Skype
2008-06-08 12:11:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 20:38:47 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-03 20:01:18 0 d-------- C:\Program Files\Picasa2
2008-06-03 19:45:27 29698 --a----c- C:\Documents and Settings\Owner.Nina\Application Data\wklnhst.dat
2008-06-03 16:25:16 0 d-------- C:\Program Files\Movie Maker
2008-06-01 14:00:21 0 d-------- C:\Program Files\Windows Media Bonus Pack for Windows XP
2008-05-31 10:51:32 0 d-------- C:\Program Files\Samsung
2008-05-28 06:28:26 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-28 06:26:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-18 13:43:26 0 d-------- C:\Program Files\iWin.com
2008-05-18 13:41:45 0 d-------- C:\Program Files\Google
2008-05-09 10:26:56 0 d-------- C:\Program Files\UltraSMS
2008-05-05 14:30:50 0 d-------- C:\Program Files\Microsoft Games
2008-04-21 20:07:08 0 d------c- C:\Documents and Settings\Owner.Nina\Application Data\Autodesk
2008-03-29 22:47:16 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-29 22:46:43 88 -r-hs---- C:\WINDOWS\system32\8DFBDB31B3.sys
2008-03-19 05:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/06/2005 12:56 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 03:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/10/2004 03:00 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [06/28/2005 10:05 PM]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [05/26/2004 09:57 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/31/2008 06:41 PM]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [05/17/2007 02:45 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/19/2008 11:02 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 08:18 AM]
"ares"="C:\Program Files\Ares\Ares.exe" [02/06/2007 09:39 PM]
"TrueTransparency"="C:\Program Files\TrueTransparency\TrueTransparency.exe" [10/28/2007 05:44 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
@=
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesMyComputer"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoSMHelp"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)
"Nologoff"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"MaxRecentDocs"=15 (0xf)
"PromptRunasInstallNetPath"=1 (0x1)
"ConfirmFileDelete"=1 (0x1)
"RecycleBinSize"=10 (0xa)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"LockTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/2004 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
C:\Program Files\ooVoo\ooVoo.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{870f6cdb-c3ab-11dc-ab5a-0014a5431469}]
AutoRun\command- D:\Autorun.exe /run
Shell00\Command- D:\Autorun.exe /run
Shell01\Command- D:\Autorun.exe /action
Shell02\Command- D:\Autorun.exe /uninstall

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-06-13 17:42:48 ------------

#14 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:53 PM

Posted 13 June 2008 - 04:50 PM

Hi ms90love

I wanted a Hijackthis log, not a DSS main.txt log. :thumbsup:

Have you downloaded Hijackthis yet?
If not, then go here http://www.download.com/Trend-Micro-Hijack...4-10227353.html
to download it.
Run it and post a fresh Hijackthis log (not a DSS main.txt log).

BTW, how is the computer running?
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 ms90love
  • Topic Starter

  • Members
  • 36 posts
  • Local time:10:53 PM

Posted 13 June 2008 - 04:54 PM

Oh ok. Yeah, I had it downloaded. It's running well, but now when I press Start, some of the names don't show up. For example, the Recycle Bin icon shows up but the words don't, and I still have the issue with Microsoft Works word processor. Here's the file:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:35 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://apps.collegeboard.com/my_organizer/MyOrganizer.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunKist] "C:\Program Files\Digital Media Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {46012076-ED62-464b-9554-AD0BEC35D1EC} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vGqB728Ax....RichUpload.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10657 bytes
