Virtumonde / Agent.nsg (?) Infection


  • This topic is locked
9 replies to this topic

#1 atcline27

Posted 13 July 2008 - 01:55 PM

Hello! The other day I apparently infected my laptop with Virtumonde, and NOD32 was detecting a Win32/Agent.nsg trojan. After doing a bunch of research on your board I downloaded a couple of proggies and attempted to clean the infection myself. I think I got most of it, but I just want to make sure that I'm clean.

Here's my Kaspersky:

Sunday, July 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, July 13, 2008 11:36:23
Records in database: 948174


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 64456
Threat name 8
Infected objects 14
Suspicious objects 0
Duration of the scan 02:55:37

File name Threat name Threats count
C:\Deckard\System Scanner\backup\DOCUME~1\DARCIC~1\LOCALS~1\Temp\mirc63.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1

C:\Deckard\System Scanner\backup\DOCUME~1\DARCIC~1\LOCALS~1\Temp\NERO14768\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

C:\Deckard\System Scanner\backup\DOCUME~1\DARCIC~1\LOCALS~1\Temp\Rar$EX13.359\Nero.v8.3.2.1. oothe\keygen.EXE Infected: Trojan.Win32.Monder.gen 1

C:\Deckard\System Scanner\backup\DOCUME~1\DARCIC~1\LOCALS~1\Temp\Rar$EX13.359\Nero.v8.3.2.1. oothe\Nero-8.3.2.1_eng_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

C:\Documents and Settings\Darci Cline\Local Settings\Temporary Internet Files\Content.IE5\4AD9ECPS\0902[1].dll Infected: Trojan-Downloader.Win32.Delf.kdl 1

C:\Documents and Settings\Darci Cline\Local Settings\Temporary Internet Files\Content.IE5\90IJCLFR\kb671231[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.aakq 1

C:\Program Files\eMule\Incoming\(Album) Sarah Brightman - Classics.zip Infected: Exploit.HTML.CodeBaseExec 1

C:\Program Files\eMule\Incoming\Nero 8 Ultra Edition 8.3.2.1 + Keygen.7z Infected: Trojan.Win32.Monder.gen 1

C:\Program Files\eMule\Incoming\Nero 8 Ultra Edition 8.3.2.1 + Keygen.7z Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

C:\Program Files\ESET\infected\UQZUY0CA.NQF Infected: Rootkit.Win32.Podnuha.tg 1

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1

C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

C:\VundoFix Backups\faxqyofc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.aakq 1

C:\VundoFix Backups\njxsaspa.dll.bad Infected: Trojan-Downloader.Win32.Delf.kdl 1

The selected area was scanned.



I already ditched the Sarah Brightman and Nero .rars.

Here's my DSS:

Deckard's System Scanner v20071014.68
Run by Darci Cline on 2008-07-13 05:38:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-07-13 09:38:45 UTC - RP15 - Deckard's System Scanner Restore Point
6: 2008-07-13 08:19:58 UTC - RP14 - Removed Java™ 6 Update 6
5: 2008-07-13 08:18:50 UTC - RP13 - Removed J2SE Runtime Environment 5.0 Update 2
4: 2008-07-13 08:15:16 UTC - RP12 - Installed SUPERAntiSpyware Free Edition
3: 2008-07-12 09:42:12 UTC - RP11 - Installed Nero 8


-- First Restore Point --
1: 2008-07-12 09:28:53 UTC - RP9 - Removed Windows Vista Upgrade Advisor


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 8.18 GiB (less than 15%) free.


-- HijackThis (run as Darci Cline.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:26 AM, on 7/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Darci Cline\Desktop\dss.exe
C:\DOCUME~1\DARCIC~1\Desktop\Darci Cline.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276571607
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276549310
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O24 - Desktop Component 0: (no name) - http://www.frvade.com/no/screen2.jpg

--
End of file - 8464 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\DARCIC~1\Desktop\backups\) ------------

backup-20080713-052056-199 O2 - BHO: {61e03307-e32b-2c29-f6e4-f0ef127cc767} - {767cc721-fe0f-4e6f-92c2-b23e70330e16} - C:\WINDOWS\system32\uprqnr.dll (file missing)
backup-20080713-052056-783 O2 - BHO: (no name) - {541CB8A7-1590-40D6-A201-8D28ACF6B883} - C:\WINDOWS\system32\njxsaspa.dll (file missing)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>

S0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S4 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S4 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-13 05:40:00 434 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{F5ED2F28-9336-4692-AB9F-35A315B3657A}.job
2008-05-06 08:43:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2020-12-25 21:32:28 114688 --a------ C:\WINDOWS\system32\nms32.dll
2020-12-25 21:32:27 245760 --a------ C:\WINDOWS\system32\imon.dll
2020-12-25 21:32:27 300048 --a------ C:\WINDOWS\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
2008-07-13 04:52:45 0 d-------- C:\VundoFix Backups
2008-07-13 04:32:34 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Malwarebytes
2008-07-13 04:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 04:32:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 04:15:57 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 04:15:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-13 04:15:27 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\SUPERAntiSpyware.com
2008-07-12 06:12:57 0 d-------- C:\Program Files\NeroInstall.bak
2008-07-12 06:08:13 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Nero
2008-07-12 05:49:37 0 d-------- C:\Program Files\Nero
2008-07-12 05:49:36 0 d-------- C:\Program Files\Common Files\Nero
2008-07-12 05:49:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-12 05:18:06 281088 -----n--- C:\WINDOWS\system32\qoMcaxXQ.dll
2008-07-10 05:08:55 0 d-------- C:\WINDOWS\Prefetch
2008-07-10 04:57:51 0 d-------- C:\WINDOWS\system32\scripting
2008-07-10 04:57:51 0 d-------- C:\WINDOWS\l2schemas
2008-07-10 04:57:50 0 d-------- C:\WINDOWS\system32\en
2008-07-10 04:57:50 0 d-------- C:\WINDOWS\system32\bits
2008-07-10 04:54:06 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-10 04:48:58 0 d-------- C:\WINDOWS\network diagnostic
2008-07-10 04:41:24 0 d-------- C:\WINDOWS\EHome
2008-07-10 01:44:29 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Uniblue
2008-07-10 01:44:20 0 d-------- C:\Program Files\Uniblue
2008-07-10 01:42:54 0 d-------- C:\Program Files\Debugging Tools for Windows (x86)
2008-07-09 05:59:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-09 05:41:18 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-09 05:41:18 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-09 05:41:18 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-09 05:41:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-09 05:41:17 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-09 05:41:17 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-09 05:41:17 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-09 05:41:17 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-09 05:41:15 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-03 03:47:41 0 d-------- C:\Program Files\ARAR


-- Find3M Report ---------------------------------------------------------------

2008-07-13 04:20:40 0 d-------- C:\Program Files\Java
2008-07-13 04:14:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 05:49:36 0 d-------- C:\Program Files\Common Files
2008-07-12 05:12:06 0 d-------- C:\Program Files\eMule
2008-07-10 04:58:22 0 d-------- C:\Program Files\Messenger
2008-07-10 04:57:49 0 d-------- C:\Program Files\Movie Maker
2008-07-10 04:53:34 0 d-------- C:\Program Files\Windows NT
2008-07-10 04:01:20 8192 --ahs---- C:\Program Files\Thumbs.db
2008-07-10 03:21:22 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Skype
2008-07-09 06:16:15 0 d-------- C:\Program Files\Google
2008-07-09 05:47:23 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\skypePM
2008-05-13 01:27:17 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [04/11/2005 06:21 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [12/25/2020 09:33 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [08/13/2004 08:05 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/10/2005 05:21 AM]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [10/06/2005 06:12 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 09:05 PM]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [07/20/2005 04:39 PM]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [09/26/2007 07:05 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [02/28/2008 09:59 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [02/18/2008 04:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 05:42 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/22/2008 02:53 AM]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [02/28/2008 05:07 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 07/20/2005 04:34 PM 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote Software 7.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote Software 7.lnk
backup=C:\WINDOWS\pss\Logitech Harmony Remote Software 7.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darci Cline^Start Menu^Programs^Startup^MySurvey Messenger.lnk]
backup=C:\WINDOWS\pss\MySurvey Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darci Cline^Start Menu^Programs^Startup^WootAgent.lnk]
backup=C:\WINDOWS\pss\WootAgent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\75a17511]
rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7692468d]
Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
c:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebLink]
C:\Program Files\Softex\Weblink\WebLink.exe /boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WootAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-13 05:44:54 ------------



See anything fishy left? Thanks for yer help!
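
The entries a helper would look at first in the logs above are the ones Vundo/Virtumonde typically leaves behind: a BHO with no name (or a GUID as its name) pointing at a random-looking DLL in system32, a rundll32 launcher loading a random-looking DLL from the user's Temp folder with a one-letter export, a Run value whose name is a string of hex, and a desktop component pulling an image from a remote site. As an added illustration (not part of the original post, and not a tool from DSS or HijackThis), the Python script below runs those cues over lines in the shape of the HijackThis and DSS output posted above. The sample lines are constructed from the poster's own entries plus a few benign ones; the heuristics themselves (the "random-looking name" rule, the hex Run-name pattern, the one-letter export cue) are assumptions of this example, not rules from either tool.

```python
import re

# Constructed sample in the shape of the HijackThis and DSS lines posted above.
# The suspicious entries are the ones the poster's logs show (njxsaspa.dll,
# uprqnr.dll, twbbsvfd.dll, oqdpckod.dll, the frvade.com desktop component);
# the benign lines are included to show what is left alone.
SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {541CB8A7-1590-40D6-A201-8D28ACF6B883} - C:\WINDOWS\system32\njxsaspa.dll (file missing)
O2 - BHO: {61e03307-e32b-2c29-f6e4-f0ef127cc767} - {767cc721-fe0f-4e6f-92c2-b23e70330e16} - C:\WINDOWS\system32\uprqnr.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O24 - Desktop Component 0: (no name) - http://www.frvade.com/no/screen2.jpg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\75a17511]
rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7692468d]
Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# rundll32[.exe] "<path>.dll",<export>   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)', re.I)
# Hex-looking Run value names, as in the two startupreg entries in the posted log.
HEXNAME_RE = re.compile(r"(?:BM)?[0-9a-f]{8}", re.I)


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example): 6-8 letters with fewer than
    two vowels or a consonant run of 4+. Vundo droppers name their DLLs this
    way, but legit abbreviations (e.g. dimsntfy) can trip it: a cue, not a verdict."""
    s = stem.lower()
    if not (6 <= len(s) <= 8 and s.isalpha()):
        return False
    vowels = sum(c in "aeiouy" for c in s)
    longest = max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowels < 2 or longest >= 4


def stem_of(path: str) -> str:
    """File name without directory or extension, from a Windows path."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def check_command(name: str, cmd: str, findings: list) -> None:
    """Flag rundll32 launchers whose DLL or value name looks like a dropper's."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return
    path, export = m.group(1), m.group(2)
    reasons = []
    if "\\temp\\" in path.lower():
        reasons.append("dll-in-temp")
    if looks_random(stem_of(path)):
        reasons.append("random-dll-name")
    if len(export) == 1:
        reasons.append("one-letter-export")
    if HEXNAME_RE.fullmatch(name):
        reasons.append("random-run-name")
    if reasons:
        findings.append(("rundll32:" + ",".join(reasons), cmd))


def triage(log: str) -> list:
    """Return (tag, line) pairs for entries worth a second look."""
    findings: list = []
    pending = None  # value name from a preceding msconfig\startupreg header
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        if line.startswith("O2 - BHO:"):
            parts = line[len("O2 - BHO:"):].strip().split(" - ", 2)
            if len(parts) < 3:
                continue
            name, _clsid, target = parts
            missing = target.lower().endswith("(file missing)")
            path = target[: -len("(file missing)")].strip() if missing else target
            anonymous = name == "(no name)" or bool(GUID_RE.match(name))
            # "(no name)" alone is not enough: Spybot's SDHelper shows up that way.
            if missing or (anonymous and looks_random(stem_of(path))):
                findings.append(("bho", line))
        elif line.startswith("O24 - "):
            if re.search(r"https?://", line, re.I):
                findings.append(("desktop-component-url", line))
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - [^\[]*\[([^\]]+)\]\s*(.*)", line)
            if m:
                check_command(m.group(1), m.group(2), findings)
        elif line.startswith("[") and "\\startupreg\\" in line.lower():
            pending = line.rstrip("]").rsplit("\\", 1)[-1]
        elif pending is not None:
            check_command(pending, line, findings)
            pending = None
    return findings


if __name__ == "__main__":
    for tag, entry in triage(SAMPLE):
        print(f"{tag:<60} {entry}")
```

On the sample this flags the two "(file missing)" BHOs, the frvade.com desktop component and the two rundll32 launchers, and leaves Adobe, Spybot, NOD32 and Skype alone. Two things worth knowing when reading the real log: the `msconfig\startupreg` keys hold entries that were disabled through msconfig, so a rundll32 line there means the registry still carries the reference even though it no longer appears under `Run`, and the two flagged BHOs are exactly the ones HijackThis already fixed and VundoFix backed up, so a hit here is a pointer to verify that the file is really gone, not proof that it is still active.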


#2 don77

Posted 03 August 2008 - 09:21 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, then click on Run.
Copy and paste the following into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All, then click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad (main.txt and extra.txt).



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 atcline27

atcline27
  • Topic Starter

  • Members
  • 5 posts

Posted 07 August 2008 - 04:53 AM

As per your request...

Main, extra, and Kaspersky will be the order.

Deckard's System Scanner v20071014.68
Run by Darci Cline on 2008-08-06 01:56:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-08-06 05:56:52 UTC - RP41 - Deckard's System Scanner Restore Point
22: 2008-08-05 16:40:19 UTC - RP40 - System Checkpoint
21: 2008-08-04 14:54:05 UTC - RP39 - System Checkpoint
20: 2008-08-03 14:39:27 UTC - RP38 - System Checkpoint
19: 2008-08-02 12:39:27 UTC - RP37 - System Checkpoint


-- First Restore Point --
1: 2008-07-14 08:20:51 UTC - RP19 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Darci Cline.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:57, on 2008-08-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Darci Cline\desktop\spyware stuff\dss.exe
C:\DOCUME~1\DARCIC~1\Desktop\SPYWAR~1\DARCIC~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{82CA0~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{82CA0~1\reboot.ini -l0x9
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276571607
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276549310
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O24 - Desktop Component 0: (no name) - http://www.frvade.com/no/screen2.jpg

--
End of file - 8763 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\DARCIC~1\Desktop\SPYWAR~1\backups\) ---

backup-20080713-052056-199 O2 - BHO: {61e03307-e32b-2c29-f6e4-f0ef127cc767} - {767cc721-fe0f-4e6f-92c2-b23e70330e16} - C:\WINDOWS\system32\uprqnr.dll (file missing)
backup-20080713-052056-783 O2 - BHO: (no name) - {541CB8A7-1590-40D6-A201-8D28ACF6B883} - C:\WINDOWS\system32\njxsaspa.dll (file missing)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>

S0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 PSI - c:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 JavaQuickStarterService (Java Quick Starter) - "c:\program files\java\jre6\bin\jqs.exe" -service -config "c:\program files\java\jre6\lib\deploy\jqs\jqs.conf" <Not Verified; Sun Microsystems, Inc.; Java™ Platform SE 6 U10>
S2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S4 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S4 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 700)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>
2005-07-20 16:34:34 40960 --a------ C:\Program Files\Softex\OmniPass\OPXPGina.dll

C:\WINDOWS\system32\svchost.exe (pid 1056)
2020-12-25 21:32:04 245760 --a------ C:\WINDOWS\system32\imon.dll

C:\WINDOWS\system32\svchost.exe (pid 1640)
2007-01-18 03:35:40 131072 --a------ C:\Program Files\Hp\Digital Imaging\bin\hpqddsvc.dll <Not Verified; Hewlett-Packard Co.; hp digital imaging - hp all-in-one series>
2007-01-18 03:35:40 184320 --a------ C:\Program Files\Hp\Digital Imaging\bin\hpqddcmn.dll <Not Verified; Hewlett-Packard Co.; hp digital imaging - hp all-in-one series>

C:\WINDOWS\explorer.exe (pid 1436)
2005-07-20 16:33:56 36864 --a------ C:\Program Files\Softex\OmniPass\scuredll.dll
2008-05-13 10:13:36 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2007-02-27 12:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>
2005-05-10 19:08:44 124416 --a------ C:\Program Files\WinRAR\RarExt.dll
2005-07-20 16:34:26 217088 --a------ C:\Program Files\Softex\OmniPass\OPShellE.dll <Not Verified; Softex Incorporated; OPShellE Module>
2005-07-20 16:34:10 192512 --a------ C:\Program Files\Softex\OmniPass\OPComm.dll <Not Verified; ; OPComm Dynamic Link Library>
2005-07-20 16:34:14 131072 --a------ C:\Program Files\Softex\OmniPass\OPFScure.dll <Not Verified; Softex Incorporated; OPFScure Dynamic Link Library>
2020-12-25 21:32:03 57344 --a------ C:\Program Files\ESET\nodshex.dll
2020-12-25 21:32:04 90112 --a------ C:\Program Files\ESET\pu_nod32.dll
2005-09-23 08:28:38 83456 --a------ C:\WINDOWS\system32\dfshim.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 08:28:52 270848 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2020-12-25 21:32:04 245760 --a------ C:\WINDOWS\system32\imon.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-08-06 01:55:00 434 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{F5ED2F28-9336-4692-AB9F-35A315B3657A}.job
2008-08-05 08:43:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2020-12-25 21:32:28 114688 --a------ C:\WINDOWS\system32\nms32.dll
2020-12-25 21:32:27 245760 --a------ C:\WINDOWS\system32\imon.dll
2020-12-25 21:32:27 300048 --a------ C:\WINDOWS\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
2008-07-21 20:04:02 0 d-------- C:\Program Files\3ivx
2008-07-19 03:57:27 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-15 03:23:48 0 d-------- C:\WINDOWS\LastGood
2008-07-15 03:23:43 0 d-------- C:\Program Files\Secunia
2008-07-14 03:48:35 6736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS <Not Verified; Sysinternals - www.sysinternals.com; Process Explorer>
2008-07-13 04:32:34 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Malwarebytes
2008-07-13 04:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 04:32:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 04:15:57 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 04:15:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-13 04:15:27 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\SUPERAntiSpyware.com
2008-07-12 06:12:57 0 d-------- C:\Program Files\NeroInstall.bak
2008-07-12 06:08:13 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Nero
2008-07-12 05:49:37 0 d-------- C:\Program Files\Nero
2008-07-12 05:49:36 0 d-------- C:\Program Files\Common Files\Nero
2008-07-12 05:49:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-10 05:08:55 0 d-------- C:\WINDOWS\Prefetch
2008-07-10 04:57:51 0 d-------- C:\WINDOWS\system32\scripting
2008-07-10 04:57:51 0 d-------- C:\WINDOWS\l2schemas
2008-07-10 04:57:50 0 d-------- C:\WINDOWS\system32\en
2008-07-10 04:57:50 0 d-------- C:\WINDOWS\system32\bits
2008-07-10 04:54:06 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-10 04:48:58 0 d-------- C:\WINDOWS\network diagnostic
2008-07-10 04:41:24 0 d-------- C:\WINDOWS\EHome
2008-07-10 01:44:29 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Uniblue
2008-07-10 01:44:20 0 d-------- C:\Program Files\Uniblue
2008-07-10 01:42:54 0 d-------- C:\Program Files\Debugging Tools for Windows (x86)
2008-07-09 05:59:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-09 05:41:18 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-09 05:41:18 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-09 05:41:18 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-09 05:41:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-09 05:41:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-09 05:41:17 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-09 05:41:17 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-09 05:41:17 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-09 05:41:17 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-09 05:41:17 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-09 05:41:15 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-07-31 03:27:44 0 d-------- C:\Program Files\eMule
2008-07-21 20:03:37 0 d-------- C:\Program Files\muvee Technologies
2008-07-21 20:03:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-14 04:27:50 0 d-------- C:\Program Files\SpywareBlaster
2008-07-13 05:54:54 0 d-------- C:\Program Files\Java
2008-07-13 04:14:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 05:49:36 0 d-------- C:\Program Files\Common Files
2008-07-10 04:58:22 0 d-------- C:\Program Files\Messenger
2008-07-10 04:57:49 0 d-------- C:\Program Files\Movie Maker
2008-07-10 04:53:34 0 d-------- C:\Program Files\Windows NT
2008-07-10 04:01:20 8192 --ahs---- C:\Program Files\Thumbs.db
2008-07-10 03:21:22 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Skype
2008-07-09 06:16:15 0 d-------- C:\Program Files\Google
2008-07-09 05:47:23 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\skypePM
2008-07-03 03:47:49 0 d-------- C:\Program Files\ARAR


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2008-07-13 05:54 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2008-07-13 05:55 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2020-12-25 21:33]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 20:05]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2005-10-06 18:12]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2005-07-20 16:39]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2008-04-14 05:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 02:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"InstallShieldSetup"=C:\PROGRA~1\INSTAL~1\{82CA0~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{82CA0~1\reboot.ini -l0x9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2005-07-20 16:34 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote Software 7.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote Software 7.lnk
backup=C:\WINDOWS\pss\Logitech Harmony Remote Software 7.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darci Cline^Start Menu^Programs^Startup^MySurvey Messenger.lnk]
backup=C:\WINDOWS\pss\MySurvey Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darci Cline^Start Menu^Programs^Startup^WootAgent.lnk]
backup=C:\WINDOWS\pss\WootAgent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\75a17511]
rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7692468d]
Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
c:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebLink]
C:\Program Files\Softex\Weblink\WebLink.exe /boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WootAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a319539-51e9-11dd-9391-0014a52043a4}]
AutoRun\command- E:\system\viewer\FlipVideoforPC.exe
Flip Video for PC\command- E:\system\viewer\FlipVideoforPC.exe

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - PSI



-- End of Deckard's System Scanner: finished at 2008-08-06 01:58:59 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 1022.48 MiB / 519.68 MiB
Pagefile Memory (total/avail): 2460.85 MiB / 1695.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1895.96 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 14.35 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK8025GAS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Darci Cline\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LEXIFACE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Darci Cline
LOGONSERVER=\\LEXIFACE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Nero\Lib\;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp
USERDOMAIN=LEXIFACE
USERNAME=Darci Cline
USERPROFILE=C:\Documents and Settings\Darci Cline
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Darci Cline (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ivx MPEG-4 5.0.1 Decoder (remove only) --> "C:\Program Files\3ivx\3ivx MPEG-4 5.0.1 Decoder\uninstall.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Advanced RAR Repair v1.2 --> C:\PROGRA~1\ARAR\UNWISE.EXE C:\PROGRA~1\ARAR\INSTALL.LOG
AltoMP3 Gold 5.06 --> "C:\Program Files\AltoMP3 Gold\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitTorrent 5.0.9 --> "C:\Program Files\BitTorrent\uninstall.exe"
Blaze Media Pro --> "C:\Documents and Settings\All Users\Application Data\{0727B42B-1697-465F-8CDC-53A1EA7110EB}\setup_blazemp.exe" REMOVE=TRUE MODIFY=FALSE
Conexant AC-Link Audio --> CIAunwdm.exe
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3085103C\HXFSETUP.EXE -U -Icpl30855.inf
Debugging Tools for Windows (x86) --> MsiExec.exe /I{1CD0C3C5-809D-4CFC-904A-1B67C6243637}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2 --> "C:\Documents and Settings\Darci Cline\Desktop\HijackThis.exe" /uninstall
HP Customer Participation Program 8.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet 8.0 Software --> C:\Program Files\HP\Digital Imaging\{58535A90-1788-44f5-80BB-CFF62D9CE6D5}\setup\hpzscr01.exe -datfile hphscr13.dat -showdisconnect -forcereboot
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Pavillion zv6000 User Guides --> C:\PROGRA~1\HPQ\UNWISE.EXE C:\PROGRA~1\HPQ\INSTALL.LOG
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP Wireless Assistant 1.01 A3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
HPSSupply --> MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 10 --> MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
Logitech Harmony Remote Software 7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe" -l0x9 -removeonly
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1 --> "C:\WINDOWS\$NtUninstallWdf01001$\spuninst\spuninst.exe"
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348) --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Microsoft Xbox 360 Accessories 1.1 --> MsiExec.exe /X{66F0AC35-4805-44BC-A3D4-347D4196F9B3}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Darci Cline\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (1.5) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.5 (en-US)"
muvee autoProducer 4.0 - SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe" -l0x9
muvee Plugin 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82CA0A0C-A3EC-4167-B694-909205B2EDEC}\setup.exe" -l0x9
MySurvey Messenger --> C:\PROGRA~1\MYSURV~1\UNWISE.EXE C:\PROGRA~1\MYSURV~1\INSTALL.LOG
Nero 8 --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Noble Poker --> "C:\WINDOWS\Noble Poker setup.exe" /uninstall
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
OmniPass --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\setup.exe" -l0x9
PConPoint v3.5 --> "C:\Program Files\PConPoint\unins000.exe"
Quick Launch Buttons 5.10 B3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Secunia PSI (RC3) --> "C:\Program Files\Secunia\PSI (RC3)\uninstall.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Serials 2005 --> "C:\Program Files\Serials 2005\uninstall.exe"
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy 1.4 RC2b --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sygate Personal Firewall Pro --> MsiExec.exe /X{BF448A52-C83E-455D-B5D3-FD9E964C9419}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab --> C:\Program Files\Common Files\SystemRequirementsLab\Uninstall.exe
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{96C0E73B-8813-4F4A-9EA1-D407C27AA1A1} /l1033
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AE}
UserGuides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02E22217-0E96-4C3F-B831-83AA942B7715}\setup.exe" -l0x9
V CAST Music Manager --> C:\PROGRA~1\VERIZO~1\VCASTM~1\Setup.exe /remove /q0
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Weblink --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4FCC384C-18EA-4E25-9281-A06AE006D219}\setup.exe" -l0x9
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type20596 / Error
Event Submitted/Written: 08/02/2008 10:48:21 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.5450.4, faulting module mshtml.dll, version 7.0.5450.4, fault address 0x000af42e.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type20516 / Error
Event Submitted/Written: 08/01/2008 05:17:47 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iesetup.exe, version 8.0.6001.17184, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20515 / Error
Event Submitted/Written: 08/01/2008 05:17:47 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iesetup.exe, version 8.0.6001.17184, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20484 / Error
Event Submitted/Written: 07/31/2008 02:18:06 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application AcroRd32.exe, version 7.0.5.172, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20324 / Error
Event Submitted/Written: 07/26/2008 02:41:33 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.5450.4, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4758 / Error
Event Submitted/Written: 08/06/2008 01:55:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service hpqcxs08 with arguments ""
in order to run the server:
{1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Event Record #/Type4757 / Error
Event Submitted/Written: 08/06/2008 01:51:15 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service hpqcxs08 with arguments ""
in order to run the server:
{1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Event Record #/Type4756 / Error
Event Submitted/Written: 08/06/2008 01:49:43 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service hpqcxs08 with arguments ""
in order to run the server:
{1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Event Record #/Type4755 / Error
Event Submitted/Written: 08/06/2008 01:49:34 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service hpqcxs08 with arguments ""
in order to run the server:
{1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Event Record #/Type4754 / Error
Event Submitted/Written: 08/06/2008 01:47:08 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service hpqcxs08 with arguments ""
in order to run the server:
{1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}



-- End of Deckard's System Scanner: finished at 2008-08-06 01:58:59 ------------

--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 76269
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:45:14


File name / Threat name / Threats count
C:\Program Files\eMule\Incoming\(Album) Sarah Brightman - Classics.zip Infected: Exploit.HTML.CodeBaseExec 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.


Thanks for the reply!

#4 Farbar (Security Developer, The Netherlands)

Posted 07 August 2008 - 09:00 AM

Hi atcline27,


I'm farbar and I'm going to assist you with the problem. I'm currently reviewing your log. I'll reply as soon as possible.

#5 Farbar (Security Developer, The Netherlands)

Posted 08 August 2008 - 11:48 AM

Hi again,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case eMule and BitTorrent). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and thus it is suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Removal Instructions
  • Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • Click Exit on the Main menu to close the program.

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the file(s) and folder(s) in bold (if present):

    C:\WINDOWS\system32\oqdpckod.dll
    C:\Program Files\Online Services\AOL90US\comps\toolbar

    Also empty all p2p (eMule, BitTorrent, etc...) download folders. They might contain infected applications. Please avoid using these p2p applications until the system is clean. Make sure this file is removed:

    C:\Program Files\eMule\Incoming\(Album) Sarah Brightman - Classics.zip

  • I see from your log that you have disabled some startup items by using the System Configuration Utility. I know many people use and advise the use of the System Configuration Utility to disable startup items, but the utility is designed for diagnostic purposes. There is good free software to use for this purpose.

    The log we made shows that you have disabled some malware startup items. The items do no harm at the moment, but in case you or somebody else enables them again, the malware might become active again. To make sure this is not going to happen we are going to remove the entries with HijackThis.

    Go to Start > Run
    • In the run box type: msconfig to open up System Configuration Utility.
    • Click on startup tab.
    • Find 75a17511 and BM7692468d
    • Uncheck the box next to them.
    • Press Apply and Close .
    • A window pops up; select "Exit Without Reboot".
  • Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [75a17511]rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b
    O4 - HKLM\..\Run: [BM7692468d]Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s


    Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • We need to repair the file associations.
    • Click Start and then Run to bring up the Run box.
    • Copy and paste the contents of this quote box into the run box:

      "%userprofile%\desktop\dss.exe" /daft

    • Click OK.
    • Click OK to the prompt from Deckard's System Scanner.
    • Click Scan.
    • Place a tick next to the following entries (if they are present):
      .cpl
    • Click Fix
    • Reboot and repeat the procedure just to make sure there is no entry when you click Scan.
  • Please run the F-Secure Online Scanner.
    Note: this scanner is for Internet Explorer only!
    Follow the instructions here for installation.
    Accept the License Agreement.
    Once the ActiveX installs, click Full System Scan.
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.
    Click the Show Report button and copy & paste the entire report in your next reply.


    In your next reply:
    • The scan results of F-Secure.
    • A fresh DSS log. This time DSS creates just the main.txt.

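The two Run entries Farbar singles out above share a recognisable shape: a value name that is eight hex digits (sometimes prefixed "BM"), a rundll32.exe command, a DLL with an eight-letter random name sitting either in the user's Temp folder or in system32, and a single-letter export (",b" / ",s"). The script below is an added example, not a tool from this thread or from Farbar: it parses HijackThis-style O4 lines and flags entries that trip those heuristics. The heuristics, the function names, and the sample lines are my own; the sample is built from the O4 lines posted in this thread plus one invented benign rundll32 entry (SynTPHelper) to show that a named export loaded from Program Files is not flagged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: O4 lines copied from this thread (the two loaders Farbar
# asked to fix plus legitimate entries from the same log) and one invented
# benign rundll32 entry (SynTPHelper) that must NOT be flagged.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [75a17511]rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b
O4 - HKLM\..\Run: [BM7692468d]Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SynTPHelper] rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
"""

# HijackThis O4 format: "O4 - <hive>\..\<Run key>: [<value name>]<command>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# rundll32[.exe] "<dll path>",<export>
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)

# Heuristics (mine, derived from the two Vundo entries in this thread):
TEMP_DIR_RE = re.compile(r'\\(?:LOCALS~1|Local Settings)\\Temp\\', re.IGNORECASE)  # DLL in the user's Temp
RANDOM_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$', re.IGNORECASE)               # value name like 75a17511 / BM7692468d
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')                                    # eight random letters, e.g. oqdpckod.dll


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_o4(text: str) -> List[Dict[str, str]]:
    """Return one dict (hive, key, name, cmd) per O4 line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def check_entry(entry: Dict[str, str]) -> List[str]:
    """Apply the heuristics to one Run entry and return the names of those that matched."""
    reasons = []
    if RANDOM_NAME_RE.match(entry['name']):
        reasons.append('random-value-name')
    m = RUNDLL_RE.match(entry['cmd'])
    if m:  # only rundll32 loaders get the DLL checks
        dll, export = m.group('dll'), m.group('export')
        directory, _, base = dll.rpartition('\\')
        if TEMP_DIR_RE.search(dll):
            reasons.append('dll-in-temp')
        if directory.lower().endswith('\\system32') and RANDOM_DLL_RE.match(base.lower()):
            reasons.append('random-dll-in-system32')
        if len(export) == 1:
            reasons.append('single-letter-export')
    return reasons


def triage(text: str) -> List[Finding]:
    """Findings for every O4 entry that trips at least one heuristic, in log order."""
    findings = []
    for entry in parse_o4(text):
        reasons = check_entry(entry)
        if reasons:
            findings.append(Finding(entry['name'], entry['cmd'], reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_O4_LINES):
        print(f"{f.name:12} {', '.join(f.reasons):55} {f.command}")
```

Run against the sample, only 75a17511 and BM7692468d are reported, each with three matching heuristics; the legitimate entries, including the rundll32 one, produce nothing. The same checks apply to the `command` values that Windows XP's msconfig parks under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg when a startup item is unchecked, which is why Farbar wants those two entries removed rather than left disabled.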

#6 atcline27 (Topic Starter)

Posted 11 August 2008 - 02:29 AM

Unfortunately I was unable to complete the F-Secure scan... it just kept crashing my Internet Explorer.

I found none of the files (other than the .rar) that you referred to and only had to delete the BHO line in HijackThis. I guess I got everything else on my own. The .cpl files were fixed as well. I was not able to locate any of the items in the msconfig startup tab you mentioned either. I hope this DSS scan is enough info for you.

Deckard's System Scanner v20071014.68
Run by Darci Cline on 2008-08-11 03:22:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Darci Cline.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:22, on 2008-08-11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Darci Cline\Desktop\Spyware Stuff\dss.exe
C:\DOCUME~1\DARCIC~1\Desktop\SPYWAR~1\DARCIC~1.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{82CA0~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{82CA0~1\reboot.ini -l0x9
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276571607
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205276549310
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O24 - Desktop Component 0: (no name) - http://www.frvade.com/no/screen2.jpg

--
End of file - 9042 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2020-12-25 21:32:28 114688 --a------ C:\WINDOWS\system32\nms32.dll
2020-12-25 21:32:27 245760 --a------ C:\WINDOWS\system32\imon.dll
2020-12-25 21:32:27 300048 --a------ C:\WINDOWS\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
2008-08-11 03:18:39 0 d-------- C:\fsaua.data
2008-08-07 08:59:06 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-21 20:04:02 0 d-------- C:\Program Files\3ivx
2008-07-19 03:57:27 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-15 03:23:48 0 d-------- C:\WINDOWS\LastGood
2008-07-15 03:23:43 0 d-------- C:\Program Files\Secunia
2008-07-14 03:48:35 6736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS <Not Verified; Sysinternals - www.sysinternals.com; Process Explorer>
2008-07-13 04:32:34 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Malwarebytes
2008-07-13 04:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 04:32:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 04:15:57 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 04:15:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-13 04:15:27 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\SUPERAntiSpyware.com
2008-07-12 06:12:57 0 d-------- C:\Program Files\NeroInstall.bak
2008-07-12 06:08:13 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Nero
2008-07-12 05:49:37 0 d-------- C:\Program Files\Nero
2008-07-12 05:49:36 0 d-------- C:\Program Files\Common Files\Nero
2008-07-12 05:49:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero


-- Find3M Report ---------------------------------------------------------------

2008-08-09 08:42:26 0 d-------- C:\Program Files\eMule
2008-08-07 08:59:55 0 d-------- C:\Program Files\Google
2008-07-21 20:03:37 0 d-------- C:\Program Files\muvee Technologies
2008-07-21 20:03:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-14 04:27:50 0 d-------- C:\Program Files\SpywareBlaster
2008-07-13 05:54:54 0 d-------- C:\Program Files\Java
2008-07-13 04:14:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 05:49:36 0 d-------- C:\Program Files\Common Files
2008-07-10 04:58:22 0 d-------- C:\Program Files\Messenger
2008-07-10 04:57:49 0 d-------- C:\Program Files\Movie Maker
2008-07-10 04:53:34 0 d-------- C:\Program Files\Windows NT
2008-07-10 04:01:20 8192 --ahs---- C:\Program Files\Thumbs.db
2008-07-10 03:21:22 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Skype
2008-07-10 01:44:29 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\Uniblue
2008-07-10 01:44:20 0 d-------- C:\Program Files\Uniblue
2008-07-10 01:43:11 0 d-------- C:\Program Files\Debugging Tools for Windows (x86)
2008-07-09 05:47:23 0 d-------- C:\Documents and Settings\Darci Cline\Application Data\skypePM
2008-07-03 03:47:49 0 d-------- C:\Program Files\ARAR


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2008-07-13 05:54 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2008-07-13 05:55 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2020-12-25 21:33]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 20:05]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2005-10-06 18:12]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2005-07-20 16:39]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2008-04-14 05:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 02:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"InstallShieldSetup"=C:\PROGRA~1\INSTAL~1\{82CA0~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{82CA0~1\reboot.ini -l0x9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2005-07-20 16:34 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote Software 7.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote Software 7.lnk
backup=C:\WINDOWS\pss\Logitech Harmony Remote Software 7.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darci Cline^Start Menu^Programs^Startup^MySurvey Messenger.lnk]
backup=C:\WINDOWS\pss\MySurvey Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darci Cline^Start Menu^Programs^Startup^WootAgent.lnk]
backup=C:\WINDOWS\pss\WootAgent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\75a17511]
rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7692468d]
Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
c:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebLink]
C:\Program Files\Softex\Weblink\WebLink.exe /boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WootAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a319539-51e9-11dd-9391-0014a52043a4}]
AutoRun\command- E:\system\viewer\FlipVideoforPC.exe
Flip Video for PC\command- E:\system\viewer\FlipVideoforPC.exe

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - PSI



-- End of Deckard's System Scanner: finished at 2008-08-11 03:23:00 ------------


Thanks for all your help.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 August 2008 - 12:23 PM

Hi again,

Thanks for the feedback on how it went.

The files were indeed removed if you could not find them.
But we have to get rid of those disabled registry items; this time I have changed the instruction. Find those entries and enable them as instructed. The previous instruction was not precise.
  • We have to try this again with the following instruction.
    • Go to Start > Run
    • In the run box type: msconfig to open up System Configuration Utility.
    • Click on startup tab.
    • Find the following entries:

      Under Startup Item 75a17511 it points to rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b under Command tab.
      Under Startup Item BM7692468d it points to Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s under Command tab.

      Note: you might have to move the separator between Command and Location in order to be able to see the full path to the files.
    • Put a checkmark in the box next to them.
    • Press Apply and Close.
    • A window pops up; select "Exit Without Reboot".
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [75a17511]rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b
    O4 - HKLM\..\Run: [BM7692468d]Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Try once more to run F-Secure but this time turn off the real-time protection of your Antivirus and see if you can run it. Turn on the Antivirus real-time protection immediately after finishing the scan. The reason we run this program is that Nod32 had removed a rootkit malware which showed up on the Kaspersky scan log:

    C:\Program Files\ESET\infected\UQZUY0CA.NQF Infected: Rootkit.Win32.Podnuha.tg 1

    We want to make sure there is nothing left on your computer as the rootkits are able to hide themselves from Hijackthis or DSS log.


    In your next reply:
    • The scan results of F-Secure.
    • A fresh DSS log. This time DSS creates just the main.txt.
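The instructions above locate two msconfig "startupreg" entries by hand in the DSS log. As an added example (not part of the thread, and not code from DSS, HijackThis or any tool named here), the following Python script does that triage automatically over a constructed excerpt in the DSS Registry Dump layout: it parses the startupreg keys and flags entries that load a DLL via rundll32 from a Temp directory or under a random-looking name. The heuristics, the sample text and the function names are the editor's assumptions.

```python
import re

# Constructed excerpt in the layout of a DSS "Registry Dump" section; the
# entry names and command lines are copied from the log posted in this thread.
SAMPLE_DSS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\75a17511]
rundll32.exe "C:\DOCUME~1\DARCIC~1\LOCALS~1\Temp\twbbsvfd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM7692468d]
Rundll32.exe "C:\WINDOWS\system32\oqdpckod.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# A msconfig "startupreg" key header; the startup item name is captured.
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools'
                    r'\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$', re.I)
# rundll32.exe "<path>.dll",<export> with the quotes optional.
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?', re.I)

def parse_startupreg(text):
    """Return {startup item name: command line}; keys with no command are skipped."""
    lines = text.splitlines()
    entries = {}
    for i, line in enumerate(lines):
        m = KEY_RE.match(line.strip())
        if m and i + 1 < len(lines) and lines[i + 1].strip():
            entries[m.group('name')] = lines[i + 1].strip()
    return entries

def assess(name, command):
    """Reasons an entry looks suspicious (empty list: nothing flagged). The
    heuristics are the editor's assumptions, not rules from DSS or HijackThis."""
    reasons = []
    m = RUNDLL_RE.match(command)
    if m:
        dll = m.group('dll')
        base = dll.rsplit('\\', 1)[-1].lower()
        if re.search(r'\\temp\\', dll, re.I):
            reasons.append('rundll32 loads a DLL from a Temp directory')
        if 'system32' in dll.lower() and re.fullmatch(r'[a-z]{8}\.dll', base):
            reasons.append('rundll32 loads a random-looking DLL name from system32')
    if re.fullmatch(r'(bm)?[0-9a-f]{8}', name, re.I):
        reasons.append('startup item name is a random-looking hex token')
    return reasons

def triage(text):
    """Map each flagged startup item to (command line, reasons)."""
    found = {n: (c, assess(n, c)) for n, c in parse_startupreg(text).items()}
    return {n: v for n, v in found.items() if v[1]}
```

Running `triage(SAMPLE_DSS)` returns only the 75a17511 and BM7692468d entries, each with two reasons, while the ATIPTA and QuickTime entries pass.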


#8 atcline27

atcline27
  • Topic Starter

  • Members
  • 5 posts

Posted 13 August 2008 - 03:36 AM

Sorry man, the F-Secure is no bueno. I disabled Nod32 and it is still crashing IE. I got the 2 entries you were referring to though. Is there a different online scanner you would like me to try before I post the DSS log again?

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 August 2008 - 11:38 AM

Looks like something is holding up F-Secure. And we need to run one scanner to make sure you are clean.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully.

You have to install the Recovery Console before running the tool because Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Instruction to install Recovery Console:

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, including all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please copy and paste the content of C:\ComboFix.txt along with a Hijackthis log for further review.



In your next reply:
  • The ComboFix log.
  • A fresh HijackThis log.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 August 2008 - 03:56 PM

This thread will now be closed due to lack of activity.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
