Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dll Error At Start Up


  • Please log in to reply
6 replies to this topic

#1 bogey313

bogey313

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 08 June 2008 - 05:48 PM

Thanks in advance for any help that you all can give on this!

At start up I keep getting an error box that says

Error Loading C;\Windows\System32\lwis16_080311.dll
The specified module could not be found.



Main.txt


Deckard's System Scanner v20071014.68
Run by Admin on 2008-06-08 17:32:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
105: 2008-06-08 22:32:39 UTC - RP149 - Deckard's System Scanner Restore Point
104: 2008-06-08 18:42:19 UTC - RP148 - Removed OpenOffice.org Installer 1.0
103: 2008-06-08 17:22:48 UTC - RP147 - Installed OpenOffice.org Installer 1.0
102: 2008-06-08 17:21:39 UTC - RP146 - Installed Java™ 6 Update 5
101: 2008-06-08 17:17:28 UTC - RP145 - Removed Dealio Toolbar 3.2


-- First Restore Point --
1: 2008-03-11 04:18:24 UTC - RP45 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:26 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 69.41.254.242 autospe.com
O1 - Hosts: 74.53.242.130 glamorousvibe.com
O2 - BHO: (no name) - {18F4FBD5-CDE8-492C-9365-1912378EECFE} - C:\WINDOWS\system32\ssqRJyYp.dll (file missing)
O2 - BHO: (no name) - {4A3F62A9-AFEB-4543-AE4D-DC2442444E64} - C:\WINDOWS\system32\awtrPjkl.dll (file missing)
O2 - BHO: (no name) - {67A2C8F4-67D4-4BB0-A64B-B589563A8AFB} - C:\WINDOWS\system32\iifdebyy.dll (file missing)
O2 - BHO: (no name) - {69FCF0E6-AD43-493C-8ED2-BC8A838583FC} - C:\WINDOWS\system32\mlJBrRJa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: QXK Rhythm - {831C798D-F9AD-4659-8625-63F2A439F439} - C:\WINDOWS\nldfmtappek.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe
O4 - HKLM\..\Policies\Explorer\Run: [lsass] C:\windows\system\alg.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [MyUserinit] C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwis16_080311.dll start
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?a570c83ca05e485c9d0f7103f0dc29e9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?a570c83ca05e485c9d0f7103f0dc29e9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {B4A78D29-52B1-4A7B-BAC0-1471BEDF9836} - http://xscanner.shredderscan.com/setup/webinst.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: awtrPjkl - awtrPjkl.dll (file missing)
O20 - Winlogon Notify: byxyvwu - byxyvwu.dll (file missing)
O20 - Winlogon Notify: mljjifg - mljjifg.dll (file missing)
O20 - Winlogon Notify: ssqRJyYp - ssqRJyYp.dll (file missing)
O20 - Winlogon Notify: vtUnolIC - vtUnolIC.dll (file missing)
O20 - Winlogon Notify: vtusttt - vtusttt.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O20 - Winlogon Notify: xxyvtrq - xxyvtrq.dll (file missing)
O21 - SSODL: pxgdslro - {20B600EA-66E2-435E-AF32-3D11805B4E4D} - C:\WINDOWS\pxgdslro.dll (file missing)
O21 - SSODL: gnowmebk - {5A4FB183-AE73-4F9C-BA24-0FCBD36B0537} - C:\WINDOWS\gnowmebk.dll (file missing)
O21 - SSODL: BootRunOnce - {cafcd1cd-1d74-4e5e-a768-18906e785502} - C:\WINDOWS\Resources\BootRunOnce.dll (file missing)
O21 - SSODL: DrvDrive - {666d67b1-5d9d-43b2-851c-7b2ff34a35e3} - C:\WINDOWS\Resources\DrvDrive.dll (file missing)
O22 - SharedTaskScheduler: calpastatin - {a0efe2fe-7249-4403-a00b-8be108617c75} - C:\WINDOWS\system32\guadq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 9450 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - d7hjthfj.exe %1
.ini - inifile - shell\open\command - d7hjthfj.exe %1
.reg - regfile - shell\edit\command - d7hjthfj.exe %1
.txt - txtfile - shell\open\command - %windir%\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 cjP51 - c:\windows\system32\drivers\cjp51.sys (file missing)
S0 diN62 - c:\windows\system32\drivers\din62.sys (file missing)
S0 nsX40 - c:\windows\system32\drivers\nsx40.sys (file missing)
S1 atmarpcc - c:\windows\system32\drivers\atmarpcc.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 perfmons (perfmons Service) - c:\windows\system32\perfs.exe

S2 AFinding (AFinding Service) - c:\windows\system32\afinding.exe (file missing)
S2 Routing (Routing Service) - c:\windows\system32\routing.exe (file missing)
S2 WServing (WServing Service) - c:\windows\system32\wserving.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-08 16:00:00 268 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-05-19 10:06:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-08 and 2008-06-08 -----------------------------

2008-06-08 17:29:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 17:29:21 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 17:29:18 0 d-------- C:\WINDOWS\LastGood
2008-06-08 17:15:20 0 d-------- C:\Program Files\Trend Micro
2008-06-08 16:01:55 0 dr-h----- C:\Documents and Settings\Admin\Recent
2008-06-08 15:50:34 0 d-------- C:\Documents and Settings\Admin\Application Data\Webroot
2008-06-08 15:50:32 0 d-------- C:\Program Files\Webroot
2008-06-08 15:50:32 0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-08 15:50:17 58368 --a------ C:\WINDOWS\Unwash6.exe <Not Verified; Webroot Software, Inc.; >
2008-06-08 15:50:17 487936 --a------ C:\WINDOWS\system32\wwSecure.exe <Not Verified; Webroot Software, Inc.; >
2008-06-08 15:50:17 356352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-06-08 15:50:17 81920 --a------ C:\WINDOWS\system32\eSellerateControl350.dll <Not Verified; eSellerate Inc.; eSellerate ActiveX Control>
2008-06-08 15:48:08 0 d---s---- C:\Documents and Settings\Admin\UserData
2008-06-08 14:37:54 0 d-------- C:\Documents and Settings\Admin\Application Data\Macromedia
2008-06-08 14:37:54 0 d-------- C:\Documents and Settings\Admin\Application Data\Adobe
2008-06-08 14:00:37 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-08 13:24:55 0 d-------- C:\Documents and Settings\Admin\Application Data\AVG7
2008-06-08 13:24:28 0 d--h----- C:\Documents and Settings\Admin\Templates
2008-06-08 13:24:28 0 dr------- C:\Documents and Settings\Admin\Start Menu
2008-06-08 13:24:28 0 dr-h----- C:\Documents and Settings\Admin\SendTo
2008-06-08 13:24:28 0 d--h----- C:\Documents and Settings\Admin\PrintHood
2008-06-08 13:24:28 0 d--h----- C:\Documents and Settings\Admin\NetHood
2008-06-08 13:24:28 0 dr------- C:\Documents and Settings\Admin\My Documents
2008-06-08 13:24:28 0 d--h----- C:\Documents and Settings\Admin\Local Settings
2008-06-08 13:24:28 0 d-------- C:\Documents and Settings\Admin\ff_temp
2008-06-08 13:24:28 0 dr------- C:\Documents and Settings\Admin\Favorites
2008-06-08 13:24:28 0 d-------- C:\Documents and Settings\Admin\Desktop
2008-06-08 13:24:28 0 d---s---- C:\Documents and Settings\Admin\Cookies
2008-06-08 13:24:28 0 dr-h----- C:\Documents and Settings\Admin\Application Data
2008-06-08 13:24:28 0 d-------- C:\Documents and Settings\Admin\Application Data\Mozilla
2008-06-08 13:24:28 0 d-------- C:\Documents and Settings\Admin\7zS188F.tmp
2008-06-08 13:24:27 1048576 --ah----- C:\Documents and Settings\Admin\NTUSER.DAT
2008-06-08 12:24:16 0 d-------- C:\WINDOWS\pss
2008-06-08 12:04:05 92544 --a------ C:\WINDOWS\system32\ymdxtfoc.dll
2008-06-08 12:02:26 15 --a------ C:\WINDOWS\system32\f093b837
2008-06-08 12:01:29 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-24 22:10:19 377673 --ahs---- C:\WINDOWS\system32\yybedfii.ini2
2008-05-24 22:07:59 0 d-------- C:\Application Data
2008-05-24 21:06:55 290816 --a------ C:\WINDOWS\system32\andt.sys
2008-05-24 20:54:39 155 --a------ C:\345543.bat
2008-05-23 16:23:40 0 d-------- C:\Program Files\Windows Live Favorites
2008-05-23 16:22:56 0 d-------- C:\Program Files\Real
2008-05-23 16:22:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-05-23 16:22:08 0 d-------- C:\Program Files\Windows Live Toolbar
2008-05-19 14:57:43 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2008-05-18 17:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\ArcSoft
2008-05-18 16:04:42 212480 --a------ C:\WINDOWS\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2008-05-17 17:23:49 789140 --ahs---- C:\WINDOWS\system32\aJRrBJlm.ini2
2008-05-17 17:18:33 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-15 12:23:41 0 d-------- C:\Program Files\QuickTime


-- Find3M Report ---------------------------------------------------------------

2008-06-08 15:50:32 0 d-------- C:\Program Files\Common Files
2008-06-08 13:31:32 0 d-------- C:\Program Files\Yahoo!
2008-06-08 12:22:39 0 d-------- C:\Program Files\Java
2008-05-23 16:20:28 0 d-------- C:\Program Files\MSN Messenger
2008-05-18 17:27:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-08 17:19:21 0 d-------- C:\Program Files\LimeWire
2008-05-03 10:31:39 0 d-------- C:\Program Files\Microsoft Games
2008-05-03 10:31:21 0 d-------- C:\Program Files\directx
2008-04-28 19:52:43 0 d-------- C:\Program Files\QuickTime Alternative
2008-04-22 18:46:48 0 d-------- C:\Program Files\MySpace
2008-04-22 17:38:20 0 d-------- C:\Program Files\Windows NT
2008-04-15 20:07:30 114688 --a------ C:\WINDOWS\system32\igfxpers.exe <Not Verified; Intel Corporation; Intel® Common User Interface>
2008-04-08 11:04:30 6650 --ahs---- C:\WINDOWS\system32\yxHPoVut.ini2
2008-04-08 07:26:13 6379 --ahs---- C:\WINDOWS\system32\iklkknpo.ini2
2008-04-08 04:41:23 6452 --ahs---- C:\WINDOWS\system32\EMnnnUvw.ini2
2008-03-27 15:27:18 51 --a------ C:\xmp.bat
2008-03-26 09:04:03 286896 --ahs---- C:\WINDOWS\system32\nqstv.ini2
2008-03-12 09:23:24 27520 -rahs---- C:\WINDOWS\system32\wicheck080311.exe
2008-03-10 22:36:27 249715 --ahs---- C:\WINDOWS\system32\kjllm.ini2
2008-03-10 18:10:12 1 --a------ C:\WINDOWS\system32\boa1.dat
2008-03-10 13:43:22 1 --a------ C:\WINDOWS\system32\rc.dat
2008-03-10 13:43:22 1 --a------ C:\WINDOWS\system32\ps1.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
C:\WINDOWS\system32\ssqRJyYp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}]
C:\WINDOWS\system32\awtrPjkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67A2C8F4-67D4-4BB0-A64B-B589563A8AFB}]
C:\WINDOWS\system32\iifdebyy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69FCF0E6-AD43-493C-8ED2-BC8A838583FC}]
C:\WINDOWS\system32\mlJBrRJa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{831C798D-F9AD-4659-8625-63F2A439F439}]
C:\WINDOWS\nldfmtappek.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]
C:\WINDOWS\boqnrwdmstg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 08:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="C:\WINDOWS\system32\msnsc.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IESet"=IExplorer.dll .dbt

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnsc"=C:\WINDOWS\system32\msnsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"lsass"=C:\windows\system\alg.exe
"svchost"=C:\WINDOWS\svchost.exe
"MyUserinit"=C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwis16_080311.dll start

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"=0 (0x0)
"ClearRecentDocsOnExit"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoSaveSettings"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"=0 (0x0)
"ClearRecentDocsOnExit"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a0efe2fe-7249-4403-a00b-8be108617c75}"= C:\WINDOWS\system32\guadq.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ED120D76-BF31-412C-A99B-783C6676E128}"= C:\WINDOWS\system32\vtusttt.dll [ ]
"{E9383002-FC55-4330-B9C9-67E03BC5C840}"= C:\WINDOWS\system32\byxyvwu.dll [ ]
"{91223DE9-F8E6-4FFD-8889-BE6784C18696}"= C:\WINDOWS\system32\mljjifg.dll [ ]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"= C:\WINDOWS\system32\ssqRJyYp.dll [ ]
"{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}"= C:\WINDOWS\system32\awtrPjkl.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pxgdslro"= {20B600EA-66E2-435E-AF32-3D11805B4E4D} - C:\WINDOWS\pxgdslro.dll [ ]
"gnowmebk"= {5A4FB183-AE73-4F9C-BA24-0FCBD36B0537} - C:\WINDOWS\gnowmebk.dll [ ]
"BootRunOnce"= {cafcd1cd-1d74-4e5e-a768-18906e785502} - C:\WINDOWS\Resources\BootRunOnce.dll [ ]
"DrvDrive"= {666d67b1-5d9d-43b2-851c-7b2ff34a35e3} - C:\WINDOWS\Resources\DrvDrive.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrPjkl]
awtrPjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvwu]
byxyvwu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjifg]
mljjifg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRJyYp]
ssqRJyYp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnolIC]
vtUnolIC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtusttt]
vtusttt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvtrq]
xxyvtrq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifdebyy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cjP51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\diN62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.lnk
backup=C:\WINDOWS\pss\office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sheila Wells^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Sheila Wells\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sheila Wells^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\Sheila Wells\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\SHEILA~1\LOCALS~1\Temp\stdcons.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AXPFixer]
C:\Program Files\AXPFixer\AXPFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
C:\WINDOWS\system32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f093aab9]
rundll32.exe "C:\WINDOWS\system32\ymdxtfoc.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02]
"C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02]
"C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\JavaCore\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
C:\Program Files\\NoDNS\\NoDNS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
C:\Program Files\Search Settings\SearchSettings.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart




-- Hosts -----------------------------------------------------------------------

127.0.0.1 multitrader.info
127.0.0.1 reggame.biz
127.0.0.1 tele-globus.biz
127.0.0.1 newasp.com.cn
127.0.0.1 mygolddinar.com
127.0.0.1 xfatum.com
127.0.0.1 think-adz2.com
127.0.0.1 daoway.biz
127.0.0.1 school-172.info
127.0.0.1 http://test.just.f1del.net/limbo/mail.php

6 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-08 17:33:58 ------------



Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 1021.98 MiB / 708.52 MiB
Pagefile Memory (total/avail): 2463.81 MiB / 2241.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.12 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 57.84 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.
FirewallOverride is set.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE:*:Enabled:Yahoo! Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Admin\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=83C7DC5311824F4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Admin
LOGONSERVER=\\83C7DC5311824F4
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
USERDOMAIN=83C7DC5311824F4
USERNAME=Admin
USERPROFILE=C:\Documents and Settings\Admin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Admin (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\SBC Yahoo!\umuninst.exe" /S
--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\PROGRA~1\Yahoo!\Common\unybase.exe
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AT&T Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{F5AF5CDA-76FC-4794-9F28-09B6D54E7431}
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone 4.2 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Connections Drivers --> Prounstl.exe
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{ECDA9BD9-A54E-462A-8191-A2B569D9AB34}
MechWarrior Vengeance --> "C:\Program Files\Microsoft Games\MechWarrior Vengeance\MWUNINSTAL.EXE" /runtemp /addremove
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{DF821FC5-C198-452B-A0D4-82433EFEAE9B}
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{117CD9C0-0F15-4633-93D7-F957B50535A5}
QuickTime Alternative 1.67 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
Search Settings --> MsiExec.exe /X{90529245-9C54-45B5-BBB3-B180CA04F248}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{1707BF02-0F5C-4A6C-8F17-053BB73E443F}
Visual IP InSight(SBC) --> C:\Program Files\InstallShield Installation Information\{097346E0-6A51-11D1-AD16-00A0C95E0503}SBC\setup.exe SBC
Window Washer --> C:\WINDOWS\Unwash6.exe
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{DCE65B11-710D-4C54-9DE5-1A6A0BD2186B}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{A40D6757-B145-4FE7-B694-89180A9F3F64}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar --> MsiExec.exe /X{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{3727B920-F5A3-46A4-AC02-94F421A039C7}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1021 / Error
Event Submitted/Written: 06/08/2008 00:11:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application igfxpers.exe, version 3.0.0.4396, faulting module igfxpers.exe, version 3.0.0.4396, fault address 0x00011fe1.
Processing media-specific event for [igfxpers.exe!ws!]

Event Record #/Type1015 / Error
Event Submitted/Written: 06/08/2008 00:00:14 PM / 06/08/2008 00:00:15 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application igfxpers.exe, version 3.0.0.4396, faulting module igfxpers.exe, version 3.0.0.4396, fault address 0x00011fe1.
Processing media-specific event for [igfxpers.exe!ws!]

Event Record #/Type1005 / Warning
Event Submitted/Written: 05/26/2008 00:14:36 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1003 / Error
Event Submitted/Written: 05/26/2008 00:01:26 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application igfxpers.exe, version 3.0.0.4396, faulting module igfxpers.exe, version 3.0.0.4396, fault address 0x00011fe1.
Processing media-specific event for [igfxpers.exe!ws!]

Event Record #/Type998 / Warning
Event Submitted/Written: 05/25/2008 09:02:32 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3779 / Error
Event Submitted/Written: 06/08/2008 05:06:45 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The WServing Service service failed to start due to the following error:
%%2

Event Record #/Type3778 / Error
Event Submitted/Written: 06/08/2008 05:06:45 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Routing Service service failed to start due to the following error:
%%2

Event Record #/Type3777 / Error
Event Submitted/Written: 06/08/2008 05:06:45 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AFinding Service service failed to start due to the following error:
%%2

Event Record #/Type3758 / Error
Event Submitted/Written: 06/08/2008 03:58:49 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The WServing Service service failed to start due to the following error:
%%2

Event Record #/Type3757 / Error
Event Submitted/Written: 06/08/2008 03:58:49 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Routing Service service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-08 17:33:58 ------------

BC AdBot (Login to Remove)

 


m

#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 11 June 2008 - 08:30 AM

Hi and Welcome to the Bleeping Computer :thumbsup:


Follow the directions Here to download,install and run SDFix in Safe Mode.

Once its completed,post the log it generates then follow the directions Here to download,install and run ComboFix.

If you are prompted at any time to install the recovery console,please do so,if not,we will assess that when you post the log that ComboFix will generate.

After you post the ComboFix log,upgrade you Ad Aware to the 2008 version from the LavaSoft Site

Update and perform a full system scan and remove\quarantine all thats found.

After that,Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


#3 bogey313

bogey313
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  

Posted 12 June 2008 - 01:51 PM

SDFix ran here's the log from it.....



SDFix: Version 1.191
Run by Administrator on Thu 06/12/2008 at 01:30 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper
Restoring Windows ProductId To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\system32\1A.tmp - Deleted
C:\WINDOWS\system32\blackster.scr - Deleted
C:\WINDOWS\system32\boa1.dat - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted
C:\WINDOWS\system32\ctfmonb.bmp - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted



Folder C:\WINDOWS\system32\bharebio01 - Removed
Folder C:\WINDOWS\system32\iDlo01 - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed
Folder C:\WINDOWS\system32\X3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 13:38:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Errors]
"sysoc"=str(7):"Setup could not copy one or more files. The specific\r\nerror code is 0x4c7. Press OK to continue or Cancel\r\nto stop setup and try again. If you continue the components\r\nmay not function properly.\r\n\0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwDir]
"Installed"="1"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 12 Mar 2008 27,520 A.SHR --- "C:\WINDOWS\system32\wicheck080311.exe"
Thu 13 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1E.tmp"
Thu 12 Jun 2008 8,723,064 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cc60d8716d384e35a0e06fa6ac381a18\BIT9.tmp"
Tue 3 Jun 2008 3,554,958 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f794a6b2dc23c3d293e2169d41ddf7fb\BIT8.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT44.tmp"
Thu 12 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\339908b7528b426712407aa3c98876a1\download\BITE.tmp"
Thu 12 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a6716fbd815ccf803b5defe069dfc99d\download\BITC.tmp"
Sun 16 Mar 2008 11,116 A.SH. --- "C:\Documents and Settings\Admin\My Documents\Sheila Wells\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

#4 bogey313

bogey313
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 12 June 2008 - 02:09 PM

ComboFix log as follows.....


ComboFix 08-06-10.5 - Admin 2008-06-12 13:59:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.635 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\BMf3a09925.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\pwisys.ini
C:\WINDOWS\system32\abdjdpda.ini
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\aJRrBJlm.ini
C:\WINDOWS\system32\aJRrBJlm.ini2
C:\WINDOWS\system32\akgtcomf.ini
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\coftxdmy.ini
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\EMnnnUvw.ini
C:\WINDOWS\system32\EMnnnUvw.ini2
C:\WINDOWS\system32\iklkknpo.ini
C:\WINDOWS\system32\iklkknpo.ini2
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\njqilaxi.ini
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\pryavxjh.ini
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\sf.txt
C:\WINDOWS\system32\tjmmrevt.ini
C:\WINDOWS\system32\uybdfomg.ini
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\system32\ymdxtfoc.dll
C:\WINDOWS\system32\yxHPoVut.ini
C:\WINDOWS\system32\yxHPoVut.ini2
C:\WINDOWS\system32\yxovuyho.ini
C:\WINDOWS\system32\yybedfii.ini
C:\WINDOWS\system32\yybedfii.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing


((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 13:43 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-06-12 13:27 . 2008-06-12 13:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-12 13:19 . 2008-01-20 09:55 <DIR> d-------- C:\Documents and Settings\Administrator\ff_temp
2008-06-12 13:19 . 2008-01-20 09:55 <DIR> d-------- C:\Documents and Settings\Administrator\7zS188F.tmp
2008-06-12 13:19 . 2008-06-12 13:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-12 13:17 . 2008-06-12 13:43 <DIR> d-------- C:\SDFix
2008-06-08 17:32 . 2008-06-08 17:32 <DIR> d-------- C:\Deckard
2008-06-08 17:29 . 2008-06-08 17:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 17:29 . 2008-06-08 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 17:15 . 2008-06-08 17:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 15:50 . 2008-06-08 15:50 <DIR> d-------- C:\Program Files\Webroot
2008-06-08 15:50 . 2008-06-08 15:50 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-08 15:50 . 2008-06-08 15:50 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Webroot
2008-06-08 15:50 . 2005-05-04 09:15 487,936 --a------ C:\WINDOWS\system32\wwSecure.exe
2008-06-08 15:50 . 2005-05-04 09:15 356,352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2008-06-08 15:50 . 2005-05-04 09:15 81,920 --a------ C:\WINDOWS\system32\eSellerateControl350.dll
2008-06-08 15:50 . 2005-05-04 09:15 58,368 --a------ C:\WINDOWS\Unwash6.exe
2008-06-08 15:48 . 2008-06-08 15:48 <DIR> d---s---- C:\Documents and Settings\Admin\UserData
2008-06-08 14:00 . 2008-06-08 14:00 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-08 13:24 . 2008-01-20 09:55 <DIR> d-------- C:\Documents and Settings\Admin\ff_temp
2008-06-08 13:24 . 2008-06-12 13:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AVG7
2008-06-08 13:24 . 2008-01-20 09:55 <DIR> d-------- C:\Documents and Settings\Admin\7zS188F.tmp
2008-06-08 13:24 . 2008-06-12 13:25 <DIR> d-------- C:\Documents and Settings\Admin
2008-06-08 12:02 . 2008-06-08 12:02 15 --a------ C:\WINDOWS\system32\f093b837
2008-06-08 12:01 . 2008-06-08 12:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-24 22:07 . 2008-05-24 22:07 <DIR> d-------- C:\Documents and Settings\ShoppingReport
2008-05-24 22:07 . 2008-05-24 22:07 <DIR> d-------- C:\Documents and Settings\Documents and Settings
2008-05-24 22:07 . 2008-05-24 22:07 <DIR> d-------- C:\Documents and Settings\Application Data
2008-05-24 22:07 . 2008-05-24 22:07 <DIR> d-------- C:\Application Data
2008-05-24 20:54 . 2008-05-24 20:54 155 --a------ C:\345543.bat
2008-05-23 16:23 . 2008-05-23 16:23 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-05-23 16:22 . 2008-05-23 16:23 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-23 16:22 . 2008-05-23 16:22 <DIR> d-------- C:\Program Files\Real
2008-05-23 16:22 . 2008-05-23 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-05-18 17:11 . 2008-05-18 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArcSoft
2008-05-18 16:49 . 2008-05-18 17:24 37 --a------ C:\WINDOWS\marscam.ini
2008-05-18 16:25 . 2008-05-18 16:54 62 --a------ C:\WINDOWS\ALBUM.INI
2008-05-18 16:04 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-05-18 15:41 . 2006-01-06 15:53 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-05-18 15:41 . 2006-01-06 15:52 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-05-18 15:41 . 2006-01-06 15:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-05-15 12:23 . 2008-05-15 12:23 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 18:31 --------- d-----w C:\Program Files\Yahoo!
2008-06-08 17:22 --------- d-----w C:\Program Files\Java
2008-05-23 21:20 --------- d-----w C:\Program Files\MSN Messenger
2008-05-18 22:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 22:19 --------- d-----w C:\Program Files\LimeWire
2008-05-03 15:31 --------- d-----w C:\Program Files\Microsoft Games
2008-05-03 15:31 --------- d-----w C:\Program Files\directx
2008-05-01 17:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-29 00:52 --------- d-----w C:\Program Files\QuickTime Alternative
2008-04-22 23:46 --------- d-----w C:\Program Files\MySpace
2008-04-16 01:07 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-04-15 13:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-27 20:27 51 ----a-w C:\xmp.bat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\DllCache\msjint40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\DllCache\win32k.sys
2008-03-13 09:46 7,649 ----a-w C:\WINDOWS\system32\mywehit.ini.tmp
2008-03-12 14:23 27,520 --sha-r C:\WINDOWS\system32\wicheck080311.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:42 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 10:11 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-09-01 03:00 388608 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-09-01 03:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrPjkl]
awtrPjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvwu]
byxyvwu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjifg]
mljjifg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRJyYp]
ssqRJyYp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnolIC]
vtUnolIC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtusttt]
vtusttt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvtrq]
xxyvtrq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cjP51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\diN62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX40.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Sheila Wells^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Sheila Wells^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AXPFixer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f093aab9]
C:\WINDOWS\system32\ymdxtfoc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 10:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 08:38 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2008-04-15 20:07 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 10:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02]
--a------ 2003-06-10 20:52 380928 C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02]
--a------ 2003-06-10 20:52 122880 C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-09 23:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
--a------ 2007-12-06 06:58 1069920 C:\Program Files\Search Settings\SearchSettings.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 09:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

S0 cjP51;cjP51;C:\WINDOWS\system32\Drivers\cjP51.sys []
S0 diN62;diN62;C:\WINDOWS\system32\Drivers\diN62.sys []
S0 nsX40;nsX40;C:\WINDOWS\system32\Drivers\nsX40.sys []
S1 atmarpcc;atmarpcc;C:\WINDOWS\system32\drivers\atmarpcc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 15:06:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-12 19:00:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 14:01:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wwSecure.exe
.
**************************************************************************
.
Completion time: 2008-06-12 14:06:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 19:06:03

Pre-Run: 61,888,557,056 bytes free
Post-Run: 61,804,425,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

272 --- E O F --- 2008-06-12 18:57:08

#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 June 2008 - 02:34 PM

Very nice work indeed. :thumbsup:

If you will,upload the file below to http://www.uploadmalware.com

C:\WINDOWS\system32\wicheck080311.exe

Its probobaly hidden so make windows show hidden files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

See if there is anything in these 2 folders??

C:\Documents and Settings\Administrator\ff_temp
C:\Documents and Settings\Administrator\7zS188F.tmp

If so,let me have a brief idea of what each contains,if there is nothing inside them,delete them.

Copy the text below to notepad and save it to the desktop with the name CFScript

Files::
C:\345543.bat
C:\WINDOWS\system32\f093b837
C:\WINDOWS\system32\ymdxtfoc.dll
C:\WINDOWS\system32\mywehit.ini.tmp
C:\WINDOWS\system32\wicheck080311.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrPjkl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvwu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjifg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRJyYp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnolIC]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtusttt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvtrq]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cjP51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\diN62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsX40.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AXPFixer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f093aab9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
Driver::
cjP51
diN62
nsX40
atmarpcc

Once saved,drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed,post the new CombFix log and a fresh HijackThis log.

#6 bogey313

bogey313
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:56 AM

Posted 12 June 2008 - 03:35 PM

F-Secure report...... HiJack to follow.....

Scanning Report
Thursday, June 12, 2008 14:56:42 - 15:32:37
Computer name: 83C7DC5311824F4
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 6 malware found
RiskTool.Win32.HideWindows (spyware)
System
RiskTool.Win32.PsKill (spyware)
System
Tracking Cookie (spyware)
System
Trojan-Downloader.Win32.Delf (virus)
System
Trojan-Spy.Win32.Pophot (virus)
System
Trojan-Spy.Win32.Pophot.ahv (virus)
C:\WINDOWS\SYSTEM32\WICHECK080311.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 25215
System: 3141
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 6
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\PERFS.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{D09A8F17-6C53-4093-9211-20B4EBB30553}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-06-12
F-Secure AVP: 7.0.171, 2008-06-12
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.





Hijack scan........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:21 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?a570c83ca05e485c9d0f7103f0dc29e9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?a570c83ca05e485c9d0f7103f0dc29e9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {B4A78D29-52B1-4A7B-BAC0-1471BEDF9836} - http://xscanner.shredderscan.com/setup/webinst.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: awtrPjkl - awtrPjkl.dll (file missing)
O20 - Winlogon Notify: byxyvwu - byxyvwu.dll (file missing)
O20 - Winlogon Notify: mljjifg - mljjifg.dll (file missing)
O20 - Winlogon Notify: ssqRJyYp - ssqRJyYp.dll (file missing)
O20 - Winlogon Notify: vtUnolIC - vtUnolIC.dll (file missing)
O20 - Winlogon Notify: vtusttt - vtusttt.dll (file missing)
O20 - Winlogon Notify: xxyvtrq - xxyvtrq.dll (file missing)
O21 - SSODL: BootRunOnce - {cafcd1cd-1d74-4e5e-a768-18906e785502} - (no file)
O22 - SharedTaskScheduler: calpastatin - {a0efe2fe-7249-4403-a00b-8be108617c75} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7163 bytes

Edited by bogey313, 12 June 2008 - 03:37 PM.


#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 June 2008 - 04:14 PM

Lets see how the last CFScript I posted for you to use does on the machine,we can clean up the leftovers afterwards. :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users