
"warning: Spyware Threat Has Been Detected On Your Pc"


This topic is locked
26 replies to this topic

#1 iSayChris

Posted 17 July 2008 - 10:32 PM

Hello, recently I downloaded something and infected my computer, and when I scan my computer using AVG, it says it found Adware.ActivityLogger, Trojan.downloader, and some other stuff. When I heal the Adware.ActivityLogger, it keeps coming back. Also I tried to System Restore to June 15 and then it said "system restore was incompleted, cannot restore to earlier time", and then I tried to restore to June 14 but got the same results. I deleted the HJT backups.

Also my desktop wallpaper has been changed to a yellow and white box on a black screen that says "Warning: Spyware threat has been detected on your PC". It's giving me BSODs. Also, when I try to change my wallpaper, the Desktop and Screensaver buttons are not there when I go into Display Properties. I also noticed this one screensaver that was created today. It was a blue screens screensaver and it's from Microsoft... I checked what it said and it said this: "Bluescreen is a screen saver that not only authentically mimics a BSOD, but will simulate startup screens seen during a system boot." So I deleted it. I don't know how to remove the rest. Please, someone help me, thanks.


DDS SCANS
Main.txt
Deckard's System Scanner v20071014.68
Run by Chris on 2008-07-17 21:05:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Chris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:29 PM, on 7/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Documents\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://uploadhosted.filefront.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9206 bytes

-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-14 22:22:18 0 dr-h----- C:\Documents and Settings\Chris\Recent
2008-07-13 02:27:13 0 d--h---c- C:\$AVG8.VAULT$
2008-07-13 02:10:56 0 d-------- C:\Program Files\AIM6
2008-07-13 02:01:43 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 02:01:20 0 d-------- C:\Program Files\AVG
2008-07-13 02:01:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 08:10:30 0 d-------- C:\WINDOWS\Prefetch
2008-07-12 07:57:14 0 d-------- C:\WINDOWS\system32\scripting
2008-07-12 07:57:12 0 d-------- C:\WINDOWS\l2schemas
2008-07-12 07:57:10 0 d-------- C:\WINDOWS\system32\en
2008-07-11 23:35:15 0 d-------- C:\Program Files\QuickTime
2008-07-09 16:21:38 49152 --a------ C:\WINDOWS\nswatchdog.exe
2008-07-09 00:16:51 0 d-------- C:\WINDOWS\.silabclient_store_32
2008-07-08 23:26:33 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-07 19:33:04 0 d-------- C:\Program Files\TouchStoneSoftware
2008-07-07 16:30:40 0 d------c- C:\Fraps
2008-07-03 10:00:39 0 d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-07-01 10:59:13 0 d-------- C:\WINDOWS\nvidia icons
2008-07-01 10:52:48 0 d-------- C:\Documents and Settings\Chris\Application Data\SystemRequirementsLab
2008-07-01 06:47:25 23 --a------ C:\Documents and Settings\Chris\jagex_runescape_preferences.dat
2008-06-30 04:44:41 0 d------c- C:\PacSteamM
2008-06-28 15:08:19 0 d-------- C:\Documents and Settings\Chris\Application Data\DesktopSMS
2008-06-25 22:18:18 0 d-------- C:\Program Files\MSECache
2008-06-24 16:23:46 0 d-------- C:\WINDOWS\Logs
2008-06-24 16:08:27 0 d------c- C:\4be60b5db9081e090328b340
2008-06-22 08:31:25 0 d-------- C:\Program Files\Common Files\Thraex Software
2008-06-17 14:48:01 0 d-------- C:\Documents and Settings\Chris\Desktop


-- Find3M Report ---------------------------------------------------------------

2008-07-17 17:41:11 0 d-------- C:\Documents and Settings\Chris\Application Data\uTorrent
2008-07-17 13:05:30 0 d-------- C:\Documents and Settings\Chris\Application Data\LimeWire
2008-07-13 17:05:41 0 d-------- C:\Program Files\SwiftKit
2008-07-13 02:13:51 0 d-------- C:\Program Files\Viewpoint
2008-07-13 01:52:15 0 d-------- C:\Program Files\Java
2008-07-13 01:48:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-13 01:47:23 0 d-------- C:\Program Files\Common Files
2008-07-13 01:47:05 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-12 07:57:51 0 d-------- C:\Program Files\Messenger
2008-07-12 07:57:09 0 d-------- C:\Program Files\Movie Maker
2008-07-12 07:49:53 0 d-------- C:\Program Files\Windows NT
2008-07-08 23:28:08 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-01 10:53:39 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-30 15:37:17 0 d-------- C:\Program Files\StepMania
2008-06-26 23:28:29 0 d-------- C:\Documents and Settings\Chris\Application Data\Sony
2008-06-25 22:00:22 0 d-------- C:\Program Files\DivX
2008-06-25 17:53:00 0 d-------- C:\Documents and Settings\Chris\Application Data\Adobe
2008-06-17 14:41:46 0 d-------- C:\Documents and Settings\Chris\Application Data\Mozilla
2008-06-16 18:04:26 2539 --a------ C:\WINDOWS\mozver.dat
2008-06-16 00:53:01 0 d-------- C:\Program Files\Sony
2008-06-16 00:50:38 0 d-------- C:\Program Files\Sony Setup
2008-06-15 20:30:54 86932 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-15 20:29:00 0 d-------- C:\Program Files\Picasa2
2008-06-14 18:03:16 0 d-------- C:\Program Files\AIM
2008-05-30 15:02:10 0 d-------- C:\Program Files\Apple Software Update
2008-05-30 10:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 10:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 10:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-17 18:53:15 0 d-------- C:\Program Files\America Online 9.0c
2008-05-17 18:53:15 0 d-------- C:\Program Files\America Online 9.0b
2008-05-17 17:44:58 0 d-------- C:\Program Files\America Online 9.0a
2008-05-17 17:43:02 0 d-------- C:\Program Files\Common Files\AOL
2008-05-02 22:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-07-17 21:07:55 ------------

Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 510.98 MiB / 169.74 MiB
Pagefile Memory (total/avail): 1246.93 MiB / 916.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903.44 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 15.64 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chris\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;%CLASSPATH%;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RALPH-NCDXW43SG
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chris
LANG=C
LOGONSERVER=\\RALPH-NCDXW43SG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Java\jdk1.6.0_01\bin;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Java\jre\bin;C:\Documents and Settings\Chris\My Documents\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
USERDOMAIN=RALPH-NCDXW43SG
USERNAME=Chris
USERPROFILE=C:\Documents and Settings\Chris
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mom
Dad
Chris (admin)
Ralph
Game Room
Jan (admin)
Administrator.RALPH-NCDXW43SG (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type21240 / Error
Event Submitted/Written: 07/17/2008 08:14:43 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type21202 / Warning
Event Submitted/Written: 07/17/2008 08:13:51 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type21198 / Error
Event Submitted/Written: 07/17/2008 07:11:42 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type21166 / Warning
Event Submitted/Written: 07/17/2008 07:10:50 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type21151 / Error
Event Submitted/Written: 07/17/2008 05:43:01 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3788 / Error
Event Submitted/Written: 07/17/2008 08:17:01 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type3773 / Error
Event Submitted/Written: 07/17/2008 07:12:45 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type3758 / Error
Event Submitted/Written: 07/17/2008 05:44:00 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type3741 / Error
Event Submitted/Written: 07/17/2008 05:36:19 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type3735 / Warning
Event Submitted/Written: 07/17/2008 03:35:26 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-17 20:21:08 ------------

Edited by iSayChris, 18 July 2008 - 04:00 AM.


#2 iSayChris

Posted 19 July 2008 - 03:45 PM

EDIT: OK, I couldn't wait, so I downloaded the Malwarebytes Anti-Malware software and it picked up 44 infections.
Things are running smoothly now :thumbsup:, but I still think there are more.

Here's my MBAM log:
Malwarebytes' Anti-Malware 1.21
Database version: 967
Windows 5.1.2600 Service Pack 3

1:31:20 PM 7/19/2008
mbam-log-7-19-2008 (13-31-20).txt

Scan type: Quick Scan
Objects scanned: 82857
Time elapsed: 1 hour(s), 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 37
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b69a9db4-d0a1-4722-b56b-f20757a29cdf} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndshell3.bho (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndshell3.bho.1 (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb02678.ietoolbar (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb02678.ietoolbar.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb02678.tbsb02678 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb02678.tbsb02678.3 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock4.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Performanceoptimizer (Rogue.Performanceoptimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Performanceoptimizer (Rogue.Performanceoptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sellmosoft (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sellmosoft (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\kernelexe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\000050.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b148.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by iSayChris, 19 July 2008 - 03:46 PM.
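As an added example (not from this thread and not Malwarebytes' own code), a small Python parser for the Malwarebytes 1.x log layout posted above: it extracts each finding, counts them by family, and maps the Hijack.DisplayProperties data items to the Display Properties tabs they hide, which matches the missing Desktop and Screen Saver buttons described in the first post. The sample log is constructed from a handful of the lines above.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the Malwarebytes 1.x log layout: summary counts,
# then one section per category with one finding per line.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.21
Database version: 967

Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sellmosoft (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\b148.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Section header: "Registry Keys Infected:" with nothing after the colon.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# Summary line near the top: "Registry Keys Infected: 37" (skipped).
SUMMARY_RE = re.compile(r"^[A-Za-z ]+ Infected: \d+$")
# One finding: "<path> (<family>) -> [Bad: (x) Good: (y) -> ]<action>."
FINDING_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

# Policy values under Policies\System that remove tabs from Display Properties
# (documented Windows policy names; the mapping to tab names is ours).
DISPLAY_POLICY_TABS = {
    "NoDispBackgroundPage": "Desktop",
    "NoDispScrSavPage": "Screen Saver",
}
POLICY_KEY_FRAGMENT = "\\CurrentVersion\\Policies\\System\\"


@dataclass
class Finding:
    section: str
    path: str
    family: str
    action: str
    bad: Optional[str] = None   # only present for "Registry Data Items"
    good: Optional[str] = None


def parse_mbam_log(text: str) -> list[Finding]:
    """Walk the log line by line, tracking the current section header."""
    findings: list[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SUMMARY_RE.match(line):
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("path"), m.group("family"),
                                    m.group("action"), m.group("bad"), m.group("good")))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts per section and family, plus any value that was changed back."""
    return {
        "total": len(findings),
        "by_section": dict(Counter(f.section for f in findings)),
        "by_family": dict(Counter(f.family for f in findings)),
        "restored_values": [(f.path.rsplit("\\", 1)[-1], f.bad, f.good)
                            for f in findings if f.bad is not None],
    }


def hidden_display_tabs(findings: list[Finding]) -> list[str]:
    """Display Properties tabs that the detected policy values had hidden."""
    tabs = []
    for f in findings:
        if POLICY_KEY_FRAGMENT not in f.path or f.bad != "1":
            continue
        value_name = f.path.rsplit("\\", 1)[-1]
        if value_name in DISPLAY_POLICY_TABS:
            tabs.append(DISPLAY_POLICY_TABS[value_name])
    return tabs


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(summarize(parsed))
    print("Tabs hidden by policy:", hidden_display_tabs(parsed))
```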


#3 iSayChris

Posted 26 July 2008 - 12:58 AM

Oh yeah, when I scan my computer using AVG, it finds Adware.ActivityLogger and every time I try to delete it, it keeps coming back. Here's a pic:

#4 Farbar

Posted 26 July 2008 - 10:40 AM

Hello iSayChris,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.

Thanks and again sorry for the delay.

  • Click Start and then Run to bring up the Run box.
  • Copy and paste the contents of this quote box into the run box:

    "%userprofile%\desktop\dss.exe" /config

  • Close all other open windows.
  • Click OK.
  • A window will now open. Click Check All and then click Scan!.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 iSayChris

Posted 26 July 2008 - 11:08 AM

Hello Farbar, thanks for helping me.
Here are the DDS logs.

Main.txt
Deckard's System Scanner v20071014.68
Run by Chris on 2008-07-26 08:58:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-07-26 15:59:13 UTC - RP904 - Deckard's System Scanner Restore Point
69: 2008-07-25 05:17:21 UTC - RP903 - System Checkpoint
68: 2008-07-24 03:17:25 UTC - RP902 - System Checkpoint
67: 2008-07-22 22:09:01 UTC - RP901 - System Checkpoint
66: 2008-07-21 21:30:18 UTC - RP900 - Installed Java™ 6 Update 7


-- First Restore Point --
1: 2008-06-09 02:39:29 UTC - RP835 - Installed Microsoft Visual C++ 2005 Redistributable


Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Chris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:35 AM, on 7/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Documents\Desktop\runescape.exe
C:\Documents and Settings\All Users\Documents\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: http://uploadhosted.filefront.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8151 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080114-110309-256 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-122056-909 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-183911-273 O4 - HKCU\..\Run: [gs34w] c:\program files\gs34wxdcn-hplar\csrss .exe
backup-20080114-183911-587 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-183911-878 O4 - HKLM\..\Run: [gs34w] c:\program files\gs34wxdcn-hplar\csrss .exe
backup-20080317-212900-112 O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
backup-20080317-212900-726 O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
backup-20080317-212900-892 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080517-001546-953 O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
backup-20080615-200346-796 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080630-082539-823 O4 - HKLM\..\Run: [CardBoardFish-DesktopSender] C:\Documents and Settings\Chris\Desktop\Desktop SMS Sender\DesktopSMS.exe /systemtray
backup-20080708-231908-647 O4 - HKLM\..\Run: [SelectRebates] C:\Program Files\SelectRebates\SelectRebates.exe
backup-20080708-231908-760 O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080708-231908-867 O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080709-162539-631 O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
backup-20080717-084248-568 O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
backup-20080717-095950-179 O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080717-095951-431 O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080717-122600-548 O4 - HKLM\..\Run: [PermissionResearch] c:\program files\permissionresearch\prmrsr.exe -boot
backup-20080717-122600-777 O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/Config/p.../pr/prsetup.cab
backup-20080717-122603-660 O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
backup-20080717-122604-641 O20 - Winlogon Notify: PermissionResearch - C:\Program Files\PermissionResearch\prls.dll
backup-20080717-122604-819 O20 - AppInit_DLLs: avgrsstx.dll,c:\program files\permissionresearch\prai.dll
backup-20080717-123050-769 O20 - AppInit_DLLs: c:\program files\permissionresearch\prai.dll
backup-20080717-131724-979 O4 - HKLM\..\Run: [lphc790j0e9a7] C:\WINDOWS\system32\lphc790j0e9a7.exe
backup-20080721-090306-327 O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
backup-20080721-090306-412 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080721-090306-547 O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
backup-20080721-090306-597 O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
backup-20080721-090306-627 O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
backup-20080721-090312-501 O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
backup-20080721-090313-798 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
backup-20080721-122126-236 O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
backup-20080721-122126-322 O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
backup-20080721-122126-954 O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,23
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 nvcap (nVidia WDM Video Capture (universal)) - c:\windows\system32\drivers\nvcap.sys

S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys (file missing)
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MotDev (Motorola Inc. USB Device) - c:\windows\system32\drivers\motodrv.sys <Not Verified; Motorola Inc; Motorola USB Composite Driver>
S3 MotoSwitchService (MotoSwitch Service) - c:\windows\system32\drivers\motswch.sys <Not Verified; Motorola INC.; Motorola Switching Filter Driver>
S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver>
S3 PSSdk23 - c:\windows\system32\drivers\pssdk23.drv (file missing)
S3 SIWIO - c:\windows\temp\siwio.sys (file missing)
S3 vgadrv - c:\windows\system32\drivers\vgadrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>
S4 MSSQL$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlservr.exe -ssony_mediamgr (file missing)
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)
S4 SQLAgent$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlagent.exe -i sony_mediamgr (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: DISPLAY\NVTVSND\5&26B1A5ED&0&CA000005&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NVTVSND\5&26B1A5ED&0&CA000005&01&00
Service:

Class GUID:
Description:
Device ID: DISPLAY\NVXBAR\5&26B1A5ED&0&CA000003&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NVXBAR\5&26B1A5ED&0&CA000003&01&00
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 1892)
2007-07-24 16:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\explorer.exe (pid 1764)
2008-03-30 10:36:40 43008 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll <Not Verified; Apple Inc.; iTunes>
2008-03-30 10:36:40 129536 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll <Not Verified; Apple Inc.; iTunes>
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-03 20:23:44 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Scheduled Tasks -------------------------------------------------------------

2008-07-25 10:00:01 342 --a------ C:\WINDOWS\Tasks\Scan for Viruses.job
2008-07-19 13:24:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-24 18:21:58 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-19 12:24:12 0 d-------- C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-07-19 12:23:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 12:23:47 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-14 22:22:18 0 dr-h----- C:\Documents and Settings\Chris\Recent
2008-07-13 02:27:13 0 d--h---c- C:\$AVG8.VAULT$
2008-07-13 02:10:56 0 d-------- C:\Program Files\AIM6
2008-07-13 02:01:43 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 02:01:20 0 d-------- C:\Program Files\AVG
2008-07-13 02:01:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 08:10:30 0 d-------- C:\WINDOWS\Prefetch
2008-07-12 07:57:14 0 d-------- C:\WINDOWS\system32\scripting
2008-07-12 07:57:12 0 d-------- C:\WINDOWS\l2schemas
2008-07-12 07:57:10 0 d-------- C:\WINDOWS\system32\en
2008-07-11 23:35:15 0 d-------- C:\Program Files\QuickTime
2008-07-09 16:21:38 49152 --a------ C:\WINDOWS\nswatchdog.exe
2008-07-09 00:16:51 0 d-------- C:\WINDOWS\.silabclient_store_32
2008-07-08 23:26:33 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-07 19:33:04 0 d-------- C:\Program Files\TouchStoneSoftware
2008-07-07 16:30:40 0 d------c- C:\Fraps
2008-07-03 10:00:39 0 d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-07-01 10:59:13 0 d-------- C:\WINDOWS\nvidia icons
2008-07-01 10:52:48 0 d-------- C:\Documents and Settings\Chris\Application Data\SystemRequirementsLab
2008-07-01 06:47:25 23 --a------ C:\Documents and Settings\Chris\jagex_runescape_preferences.dat
2008-06-30 04:44:41 0 d------c- C:\PacSteamM
2008-06-28 15:08:19 0 d-------- C:\Documents and Settings\Chris\Application Data\DesktopSMS


-- Find3M Report ---------------------------------------------------------------

2008-07-24 23:27:37 0 d-------- C:\Documents and Settings\Chris\Application Data\uTorrent
2008-07-21 14:32:45 0 d-------- C:\Program Files\Java
2008-07-17 13:05:30 0 d-------- C:\Documents and Settings\Chris\Application Data\LimeWire
2008-07-13 17:05:41 0 d-------- C:\Program Files\SwiftKit
2008-07-13 02:13:51 0 d-------- C:\Program Files\Viewpoint
2008-07-13 01:48:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-13 01:47:23 0 d-------- C:\Program Files\Common Files
2008-07-13 01:47:05 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-12 07:57:51 0 d-------- C:\Program Files\Messenger
2008-07-12 07:57:09 0 d-------- C:\Program Files\Movie Maker
2008-07-12 07:49:53 0 d-------- C:\Program Files\Windows NT
2008-07-08 23:28:08 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-01 10:53:39 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-30 15:37:17 0 d-------- C:\Program Files\StepMania
2008-06-26 23:28:29 0 d-------- C:\Documents and Settings\Chris\Application Data\Sony
2008-06-25 22:18:18 0 d-------- C:\Program Files\MSECache
2008-06-25 22:00:22 0 d-------- C:\Program Files\DivX
2008-06-25 17:53:00 0 d-------- C:\Documents and Settings\Chris\Application Data\Adobe
2008-06-22 08:31:25 0 d-------- C:\Program Files\Common Files\Thraex Software
2008-06-17 14:41:46 0 d-------- C:\Documents and Settings\Chris\Application Data\Mozilla
2008-06-16 18:04:26 2539 --a------ C:\WINDOWS\mozver.dat
2008-06-16 00:53:01 0 d-------- C:\Program Files\Sony
2008-06-16 00:50:38 0 d-------- C:\Program Files\Sony Setup
2008-06-15 20:30:54 86932 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-15 20:29:00 0 d-------- C:\Program Files\Picasa2
2008-06-14 18:03:16 0 d-------- C:\Program Files\AIM
2008-05-30 15:02:10 0 d-------- C:\Program Files\Apple Software Update
2008-05-30 10:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 10:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 10:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 10:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-02 22:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost


-- End of Deckard's System Scanner: finished at 2008-07-26 09:03:48 ------------

Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 510.98 MiB / 153.62 MiB
Pagefile Memory (total/avail): 1246.93 MiB / 834.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1875.67 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 19.24 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chris\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;%CLASSPATH%;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RALPH-NCDXW43SG
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chris
LANG=C
LOGONSERVER=\\RALPH-NCDXW43SG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Java\jdk1.6.0_01\bin;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Java\jre\bin;C:\Documents and Settings\Chris\My Documents\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
USERDOMAIN=RALPH-NCDXW43SG
USERNAME=Chris
USERPROFILE=C:\Documents and Settings\Chris
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mom
Dad
Chris (admin)
Ralph
Game Room
Jan (admin)
Administrator.RALPH-NCDXW43SG (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type21758 / Error
Event Submitted/Written: 07/26/2008 09:00:59 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type21757 / Error
Event Submitted/Written: 07/26/2008 09:00:59 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type21756 / Error
Event Submitted/Written: 07/26/2008 09:00:59 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type21754 / Error
Event Submitted/Written: 07/26/2008 08:23:12 AM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type21717 / Warning
Event Submitted/Written: 07/26/2008 08:22:51 AM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4030 / Error
Event Submitted/Written: 07/26/2008 08:24:37 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type4015 / Error
Event Submitted/Written: 07/25/2008 05:13:55 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type4008 / Error
Event Submitted/Written: 07/25/2008 05:09:48 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Event Record #/Type4006 / Error
Event Submitted/Written: 07/25/2008 05:09:39 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Event Record #/Type4004 / Error
Event Submitted/Written: 07/25/2008 05:09:27 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.



-- End of Deckard's System Scanner: finished at 2008-07-26 09:03:48 ------------

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:21 AM

Posted 26 July 2008 - 04:28 PM

Could you please copy and paste the Kaspersky log also? Thanks.

#7 iSayChris

iSayChris
  • Topic Starter

  • Members
  • 70 posts
  • Local time:07:21 PM

Posted 29 July 2008 - 04:20 AM

Here it is; sorry, I was very busy.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 29, 2008 06:51:25
Records in database: 1020654
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 116156
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:42:11


File name / Threat name / Threats count
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\RECYCLER\S-1-5-21-1229272821-1993962763-682003330-1010\Dc3\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\Resources\Themes\LSPatch\LSPatch.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 1

The selected area was scanned.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:21 AM

Posted 29 July 2008 - 06:32 AM

Hi again,


Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case uTorrent and Limewire). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being prosecuted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Removal Instructions
  • I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause the other anti-virus product to raise "false alarms". It can also lead to a clash as both products fight for access to files as they are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to Add/Remove Programs in the Control Panel and remove either AVG8 or CA Antivirus. Since you seem to have CA Antivirus with firewall, it might be better to uninstall AVG8.

  • Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program now.
    Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:
    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Also remove the folder in bold: C:\Program Files\Viewpoint

  • I see on your log that PermissionResearch was installed on your computer:

    backup-20080717-122600-548 O4 - HKLM\..\Run: [PermissionResearch] c:\program files\permissionresearch\prmrsr.exe -boot

    This program is known to be related to adware/spyware. More information here: http://research.sunbelt
    To uninstall it:
    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If it exists, uninstall the following by clicking on the entry and selecting "remove":

    PermissionResearch

    Also remove the folder in bold: C:\Program Files\PermissionResearch

    Additional instructions can be found here if needed.

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net

    Optional: The following sites are set to the safe zone. It means that the traffic created by these sites won't be checked by security checkpoints any more. While these sites are safe to visit, they might not be safe all the time, and their traffic had better pass through the security checkpoint. If you decide to remove these sites from the trusted zone, check the boxes next to the following entries:

    O15 - Trusted Zone: http://www.download.com
    O15 - Trusted Zone: http://uploadhosted.filefront.com
    O15 - Trusted Zone: http://toolbar.imageshack.us



    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • We need to repair the file associations:
    • Click Start and then Run to bring up the Run box.
    • Copy and paste the contents of this quote box into the run box:

      "%userprofile%\desktop\dss.exe" /daft

    • Click OK.
    • Click OK to the prompt from Deckard's System Scanner.
    • Click Scan.
    • Place a tick next to the following entries (if they are present):
      .bat
      .cpl
      .hlp
      .inf
      .ini
      .reg
      .scr
      .txt
    • Click Fix
  • Go to Start > Run and type in Notepad
    Copy/paste the following text inside the code box into a new notepad (not wordpad) document. Make sure that under Format menu Word Wrap is unchecked.

    REM Export the MSConfig key (where items disabled via msconfig are recorded) to a text file
    regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
    REM Open the export in Notepad; the batch waits here until Notepad is closed
    notepad %systemdrive%\regkey.txt
    REM Remove the export afterwards
    del /q %systemdrive%\regkey.txt
    • Go to the File menu at the top of the Notepad and Save as.
    • Select save in: desktop
    • Fill in File name: msconfig.bat
    • save as type: All file types (*.*)
    • click save and close the notepad.
    • double-click msconfig.bat on the desktop. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.
  • Please make a program list with Hijackthis:
    • Open HijackThis and click Open the Misc Tools section.
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.
    More information, with a screenshot, can be found here.

  • The DSS log is not complete. Please make a DSS scan again by using this method:
    • Click Start and then Run to bring up the Run box.
    • Copy and paste the contents of this quote box into the run box:

      "%userprofile%\desktop\dss.exe" /config

    • Close all other open windows.
    • Click OK.
    • A window will now open. Click Check All and then click Scan!.
    • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

To your reply:
  • The Program list made by HJT.
  • The regkey.txt.
  • Fresh DSS logs.

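As an added example that is not part of Farbar's instructions and not HijackThis code, the script below performs the kind of triage the fix list above rests on: it reads HijackThis-style lines and flags start-page hijacks, Trusted Zone additions, AppInit_DLLs and Winlogon Notify loaders, autostart entries with masquerading or random-looking file names, and services whose binary is missing. The sample lines are copied from the logs posted in this thread; the home-page allow-list and the file-name heuristics are this example's own assumptions, not anything the thread states.

```python
"""Triage HijackThis-style log lines for hijack and persistence indicators.

Added example for this thread; it is not HijackThis code and not part of
any post above. SAMPLE_LOG is copied from the logs posted in the thread;
the allow-list and the heuristics are this example's assumptions.
"""
import re

# Assumed allow-list: home-page hosts this machine's owner expects. Any other
# host in an R0/R1 "Start Page" entry is reported as a hijack candidate.
EXPECTED_HOME_HOSTS = {"yahoo.com", "www.yahoo.com", "go.microsoft.com"}

# O20 sub-types that load a DLL into every process or into winlogon at logon.
HIGH_RISK = {
    "AppInit_DLLs": "DLL injected into every user-mode process",
    "Winlogon Notify": "DLL loaded by winlogon.exe at logon",
}

BACKUP_PREFIX = re.compile(r"^backup-\d{8}-\d{6}-\d+\s+")   # HJT backup list
SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)   # first .exe path


def host_of(url):
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def suspicious_exe(path):
    """Cheap file-name heuristics for an O4 autostart command (assumptions)."""
    name = path.rsplit("\\", 1)[-1]
    stem = name[:-4].lower()
    if " ." in name:                       # "csrss .exe" pretending to be csrss.exe
        return f"space before extension (masquerading as {name.replace(' ', '')})"
    if "\\documents and settings\\" in path.lower():
        return "autostart runs from a user profile directory"
    if re.fullmatch(r"[a-z0-9]{10,}", stem) and sum(c.isdigit() for c in stem) >= 3:
        return "random-looking executable name"
    return None


def triage_line(line):
    """Return (section, reason) when a line deserves a look, else None."""
    line = BACKUP_PREFIX.sub("", line.strip())
    m = SECTION_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and "Start Page" in body:
        u = URL_RE.search(body)
        if u and host_of(u.group("url")) not in EXPECTED_HOME_HOSTS:
            return sec, "start page set to unexpected host " + host_of(u.group("url"))
    elif sec == "O15":
        return sec, "site in IE Trusted Zone bypasses the normal zone restrictions"
    elif sec == "O20":
        for key, why in HIGH_RISK.items():
            if body.startswith(key):
                return sec, why
    elif sec == "O4":
        e = EXE_RE.search(body)
        why = suspicious_exe(e.group(0)) if e else None
        if why:
            return sec, why
    elif sec == "O23" and body.endswith("(file missing)"):
        return sec, "service points at a binary that no longer exists"
    return None


def triage(log_text):
    """Return [(line, section, reason)] for every flagged line, in log order."""
    hits = []
    for raw in log_text.splitlines():
        res = triage_line(raw)
        if res:
            hits.append((raw.strip(),) + res)
    return hits


# Lines copied from the HijackThis log and fixed-entries backup posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [gs34w] c:\program files\gs34wxdcn-hplar\csrss .exe
O4 - HKLM\..\Run: [lphc790j0e9a7] C:\WINDOWS\system32\lphc790j0e9a7.exe
backup-20080717-122604-819 O20 - AppInit_DLLs: avgrsstx.dll,c:\program files\permissionresearch\prai.dll
backup-20080717-122604-641 O20 - Winlogon Notify: PermissionResearch - C:\Program Files\PermissionResearch\prls.dll
O15 - Trusted Zone: http://www.download.com
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
backup-20080317-212900-112 O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
"""

if __name__ == "__main__":
    for line, sec, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Note what the heuristics do not catch: the PermissionResearch O4 entry (prmrsr.exe) looks ordinary by path and name, and only its companion O20 AppInit_DLLs and Winlogon Notify entries give it away. That is why a name known from a vendor write-up, as Farbar used above, still beats path heuristics for that class of adware.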

#9 iSayChris

iSayChris
  • Topic Starter

  • Members
  • 70 posts

Posted 29 July 2008 - 11:55 AM

Oh wow, I never knew I had 2 antivirus programs O.O

Oh, and when I make the msconfig.bat and try to open it on my desktop, it opens for like half a second and then closes itself.
And when I type "%userprofile%\desktop\dss.exe" /daft in the Run box, it won't work; I had to type "C:\Documents and Settings\All Users\Documents\Desktop\Dss.exe" /daft to make it work. Other than that everything went well.

Here are the logs you asked for:

uninstall_list.txt
µTorrent
3dsmax ancillary install
ABBYY FineReader 5.0 Sprint Plus
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player 11
AIM 6
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Bonjour
CCScore
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Counter-Strike(TM)
Counter-Strike: Source
Creative Jukebox Driver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Micro
Dell AIO Printer A960
Dell Digital Jukebox Driver
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dual-Band Wireless A+G Notebook Adapter
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
ffdshow [rev 1723] [2007-12-24]
FLV Player 2.0, build 23
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Video Player
GPL MPEG-1/2 DirectShow Decoder Filter
HijackThis 2.0.2
HLPIndex
HLPRFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
HyperCam 2
Intel(R) PRO Network Adapters and Drivers
iPod for Windows 2005-09-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_08
Java(TM) 6 Update 2
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6
Java(TM) SE Development Kit 6 Update 1
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
LimeWire PRO 4.18.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft GIF Animator
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 (SQLEXPRESS)
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 6-9 Converter
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Musicmatch® Jukebox
Notifier
NVIDIA Drivers
NVIDIA WDM Drivers
OTtBPSDK
PacSteamM
PacSteamT
PCDADDIN
PCDHELP
Picasa 2
PlayLinc
Print to Fax
Pure Networks Port Magic
QuickTime
RealPlayer
Rhapsody Player Engine
RTC Client API v1.2
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
SFR
SHASTA
SKIN0001
SKINXSDK
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sony Media Manager 2.2
Sony MP3 Conversion Tool
Sony Picture Utility
Sony USB Driver
Sony Vegas Pro 8.0
Sound Blaster Live!
SoundMAX
Steam
Steam(TM)
StepMania (remove only)
SwiftKit
System Requirements Lab
Update for Windows XP (KB951978)
VeohTV BETA
Verizon FiOS Activation
Verizon Servicepoint 1.3.21
Verizon Yahoo! Applications
Verizon Yahoo! Login
VPRINTOL
Windows Imaging Component
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinZip
WIRELESS
WordPerfect Office 12
Zune Desktop Theme

-couldn't get the regkey.txt-

main.txt
Deckard's System Scanner v20071014.68
Run by Chris on 2008-07-29 09:41:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
74: 2008-07-29 16:41:53 UTC - RP908 - Deckard's System Scanner Restore Point
73: 2008-07-29 02:57:28 UTC - RP907 - System Checkpoint
72: 2008-07-27 16:37:35 UTC - RP906 - Macromedia Authorware Web Player Installation
71: 2008-07-27 16:36:42 UTC - RP905 - Shockwave Player
70: 2008-07-26 15:59:13 UTC - RP904 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-06-09 02:39:29 UTC - RP835 - Installed Microsoft Visual C++ 2005 Redistributable


Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Chris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:22 AM, on 7/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Documents\Desktop\Dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7659 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080114-110309-256 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-122056-909 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-183911-273 O4 - HKCU\..\Run: [gs34w] c:\program files\gs34wxdcn-hplar\csrss .exe
backup-20080114-183911-587 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-183911-878 O4 - HKLM\..\Run: [gs34w] c:\program files\gs34wxdcn-hplar\csrss .exe
backup-20080317-212900-112 O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
backup-20080317-212900-726 O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
backup-20080317-212900-892 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080517-001546-953 O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
backup-20080615-200346-796 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080630-082539-823 O4 - HKLM\..\Run: [CardBoardFish-DesktopSender] C:\Documents and Settings\Chris\Desktop\Desktop SMS Sender\DesktopSMS.exe /systemtray
backup-20080708-231908-647 O4 - HKLM\..\Run: [SelectRebates] C:\Program Files\SelectRebates\SelectRebates.exe
backup-20080708-231908-760 O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080708-231908-867 O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080709-162539-631 O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
backup-20080717-084248-568 O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
backup-20080717-095950-179 O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080717-095951-431 O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080717-122600-548 O4 - HKLM\..\Run: [PermissionResearch] c:\program files\permissionresearch\prmrsr.exe -boot
backup-20080717-122600-777 O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/Config/p.../pr/prsetup.cab
backup-20080717-122603-660 O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
backup-20080717-122604-641 O20 - Winlogon Notify: PermissionResearch - C:\Program Files\PermissionResearch\prls.dll
backup-20080717-122604-819 O20 - AppInit_DLLs: avgrsstx.dll,c:\program files\permissionresearch\prai.dll
backup-20080717-123050-769 O20 - AppInit_DLLs: c:\program files\permissionresearch\prai.dll
backup-20080717-131724-979 O4 - HKLM\..\Run: [lphc790j0e9a7] C:\WINDOWS\system32\lphc790j0e9a7.exe
backup-20080721-090306-327 O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
backup-20080721-090306-412 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080721-090306-547 O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
backup-20080721-090306-597 O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
backup-20080721-090306-627 O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
backup-20080721-090312-501 O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
backup-20080721-090313-798 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
backup-20080721-122126-236 O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
backup-20080721-122126-322 O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
backup-20080721-122126-954 O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
backup-20080729-092648-589 O15 - Trusted Zone: http://uploadhosted.filefront.com
backup-20080729-092648-643 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
backup-20080729-092648-685 O15 - Trusted Zone: http://www.download.com
backup-20080729-092648-984 O15 - Trusted Zone: http://toolbar.imageshack.us

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 nvcap (nVidia WDM Video Capture (universal)) - c:\windows\system32\drivers\nvcap.sys

S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys (file missing)
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MotDev (Motorola Inc. USB Device) - c:\windows\system32\drivers\motodrv.sys <Not Verified; Motorola Inc; Motorola USB Composite Driver>
S3 MotoSwitchService (MotoSwitch Service) - c:\windows\system32\drivers\motswch.sys <Not Verified; Motorola INC.; Motorola Switching Filter Driver>
S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver>
S3 PSSdk23 - c:\windows\system32\drivers\pssdk23.drv (file missing)
S3 SIWIO - c:\windows\temp\siwio.sys (file missing)
S3 vgadrv - c:\windows\system32\drivers\vgadrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>
S4 MSSQL$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlservr.exe -ssony_mediamgr (file missing)
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)
S4 SQLAgent$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlagent.exe -i sony_mediamgr (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: DISPLAY\NVTVSND\5&26B1A5ED&0&CA000005&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NVTVSND\5&26B1A5ED&0&CA000005&01&00
Service:

Class GUID:
Description:
Device ID: DISPLAY\NVXBAR\5&26B1A5ED&0&CA000003&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NVXBAR\5&26B1A5ED&0&CA000003&01&00
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 932)
2007-07-24 16:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\explorer.exe (pid 1536)
2008-07-10 10:51:34 43008 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll <Not Verified; Apple Inc.; iTunes>
2008-07-10 10:51:34 129536 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll <Not Verified; Apple Inc.; iTunes>
2004-11-19 10:54:26 77824 --a------ C:\Program Files\Common Files\aolshare\aolshcpy.dll <Not Verified; America Online Inc.; aolshcpy Module>
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-03 20:23:44 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Scheduled Tasks -------------------------------------------------------------

2008-07-26 13:23:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-25 10:00:01 342 --a------ C:\WINDOWS\Tasks\Scan for Viruses.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 09:31:08 167 --a------ C:\WINDOWS\system32\msconfig.bat
2008-07-26 18:16:15 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-07-26 13:35:57 0 d-------- C:\Program Files\iTunes
2008-07-24 18:21:58 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-19 12:24:12 0 d-------- C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-07-19 12:23:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 12:23:47 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-14 22:22:18 0 dr-h----- C:\Documents and Settings\Chris\Recent
2008-07-13 02:27:13 0 d--h---c- C:\$AVG8.VAULT$
2008-07-13 02:10:56 0 d-------- C:\Program Files\AIM6
2008-07-13 02:01:43 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 02:01:20 0 d-------- C:\Program Files\AVG
2008-07-13 02:01:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 08:10:30 0 d-------- C:\WINDOWS\Prefetch
2008-07-12 07:57:14 0 d-------- C:\WINDOWS\system32\scripting
2008-07-12 07:57:12 0 d-------- C:\WINDOWS\l2schemas
2008-07-12 07:57:10 0 d-------- C:\WINDOWS\system32\en
2008-07-11 23:35:15 0 d-------- C:\Program Files\QuickTime
2008-07-09 16:21:38 49152 --a------ C:\WINDOWS\nswatchdog.exe
2008-07-08 23:26:33 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-07 19:33:04 0 d-------- C:\Program Files\TouchStoneSoftware
2008-07-07 16:30:40 0 d------c- C:\Fraps
2008-07-03 10:00:39 0 d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-07-01 10:59:13 0 d-------- C:\WINDOWS\nvidia icons
2008-07-01 10:52:48 0 d-------- C:\Documents and Settings\Chris\Application Data\SystemRequirementsLab
2008-07-01 06:47:25 23 --a------ C:\Documents and Settings\Chris\jagex_runescape_preferences.dat
2008-06-30 04:44:41 0 d------c- C:\PacSteamM


-- Find3M Report ---------------------------------------------------------------

2008-07-27 13:41:05 0 d-------- C:\Documents and Settings\Chris\Application Data\LimeWire
2008-07-26 13:36:25 0 d-------- C:\Program Files\iPod
2008-07-26 13:27:33 0 d-------- C:\Program Files\Java
2008-07-24 23:27:37 0 d-------- C:\Documents and Settings\Chris\Application Data\uTorrent
2008-07-13 17:05:41 0 d-------- C:\Program Files\SwiftKit
2008-07-13 01:48:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-13 01:47:23 0 d-------- C:\Program Files\Common Files
2008-07-13 01:47:05 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-12 07:57:51 0 d-------- C:\Program Files\Messenger
2008-07-12 07:57:09 0 d-------- C:\Program Files\Movie Maker
2008-07-12 07:49:53 0 d-------- C:\Program Files\Windows NT
2008-07-08 23:28:08 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-01 10:53:39 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-30 15:37:17 0 d-------- C:\Program Files\StepMania
2008-06-28 15:08:20 0 d-------- C:\Documents and Settings\Chris\Application Data\DesktopSMS
2008-06-26 23:28:29 0 d-------- C:\Documents and Settings\Chris\Application Data\Sony
2008-06-25 22:18:18 0 d-------- C:\Program Files\MSECache
2008-06-25 22:00:22 0 d-------- C:\Program Files\DivX
2008-06-25 17:53:00 0 d-------- C:\Documents and Settings\Chris\Application Data\Adobe
2008-06-22 08:31:25 0 d-------- C:\Program Files\Common Files\Thraex Software
2008-06-17 14:41:46 0 d-------- C:\Documents and Settings\Chris\Application Data\Mozilla
2008-06-16 18:04:26 2539 --a------ C:\WINDOWS\mozver.dat
2008-06-16 00:53:01 0 d-------- C:\Program Files\Sony
2008-06-16 00:50:38 0 d-------- C:\Program Files\Sony Setup
2008-06-15 20:30:54 86932 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-15 20:29:00 0 d-------- C:\Program Files\Picasa2
2008-06-14 18:03:16 0 d-------- C:\Program Files\AIM
2008-05-30 15:02:10 0 d-------- C:\Program Files\Apple Software Update
2008-05-30 10:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 10:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 10:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-02 22:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost


-- End of Deckard's System Scanner: finished at 2008-07-29 09:45:34 ------------

extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 510.98 MiB / 134.71 MiB
Pagefile Memory (total/avail): 1246.93 MiB / 794.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1882.62 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 19.12 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chris\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;%CLASSPATH%;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RALPH-NCDXW43SG
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chris
LANG=C
LOGONSERVER=\\RALPH-NCDXW43SG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Java\jdk1.6.0_01\bin;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Java\jre\bin;C:\Documents and Settings\Chris\My Documents\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
USERDOMAIN=RALPH-NCDXW43SG
USERNAME=Chris
USERPROFILE=C:\Documents and Settings\Chris
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mom
Dad
Chris (admin)
Ralph
Game Room
Jan (admin)
Administrator.RALPH-NCDXW43SG (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type21973 / Error
Event Submitted/Written: 07/28/2008 01:30:22 AM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type21938 / Warning
Event Submitted/Written: 07/28/2008 01:29:52 AM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type21935 / Error
Event Submitted/Written: 07/28/2008 00:39:56 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application runescape.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type21934 / Error
Event Submitted/Written: 07/28/2008 00:39:55 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application runescape.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type21927 / Error
Event Submitted/Written: 07/27/2008 11:45:00 PM
Event ID/Source: 17204 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open failed: Could not open file c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\templog.ldf for file number 2. OS error: 32(The process cannot access the file because it is being used by another process.).



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4139 / Warning
Event Submitted/Written: 07/28/2008 03:09:29 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type4138 / Warning
Event Submitted/Written: 07/28/2008 07:47:35 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4126 / Error
Event Submitted/Written: 07/28/2008 01:31:28 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type4109 / Error
Event Submitted/Written: 07/27/2008 11:46:08 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The SQL Server (SQLEXPRESS) service terminated with service-specific error 1814 (0x716).

Event Record #/Type4108 / Error
Event Submitted/Written: 07/27/2008 11:46:08 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-29 09:45:34 ------------

Edited by iSayChris, 29 July 2008 - 11:59 AM.


#10 Farbar

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 July 2008 - 12:39 AM

Hi again,


Thanks for the feedback.

It is important that you are logged in with your own account (Chris), which has administrative privileges.
  • You have the latest version of Java, which is good. Please remove the older versions, as they have security vulnerabilities:
    Click "start" and then "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    All Java items except for Java™ 6 Update 7

    Additional instructions can be found here if needed.

  • Please remove the file in bold (that is the file we made before) using Windows Explorer:

    C:\WINDOWS\system32\msconfig.bat

  • If you cannot find the following file, make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

    Click on this link--> virustotal

    Click the browse button and navigate to the file below in bold, then click Send File.

    C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe

    Please copy and paste the results of the scan in your next post.

  • Go to Start > Run and type in Notepad
    Copy/paste the following text inside the code box into a new notepad (not wordpad) document. Make sure that under Format menu Word Wrap is unchecked.

    regedit /e regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig" 
    notepad regkey.txt
    • Go to the File menu at the top of the Notepad and Save as.
    • Select save in: desktop
    • Fill in File name: msconfig.bat
    • save as type: All file types (*.*)
    • click save and close the notepad.
    • double-click msconfig.bat on the desktop. When notepad opens, copy/paste the content in your reply. A copy of the file (regkey.txt) should be made on your desktop.
  • From the screenshot you made of the AVG 8 finding, we can't read the whole line. Please copy and paste the AVG 8 log into your reply. It should be located under the History tab.

  • Please run the F-Secure Online Scanner
    Note: This Scanner is for Internet Explorer Only!
    Follow the Instruction here for installation.
    Accept the License Agreement.
    Once the ActiveX control installs, click Full System Scan.
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.
    Click the Show Report button and Copy&Paste the entire report in your next reply.

  • The DSS log is not complete yet. We'll try it once more, this way:
    • The current dss.exe is not on your desktop. It is located on the All Users desktop: C:\Documents and Settings\All Users\Documents\Desktop\Dss.exe. Please remove it from there.
    • Make sure you have logged in with your own account (Chris). Then download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Click Start and then Run to bring up the Run box.
    • Copy and paste the contents of this quote box into the run box:

      "%userprofile%\desktop\dss.exe" /config

    • Close all other open windows.
    • Click OK.
    • A window will now open. Click Check All and then click Scan!.
    • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
To your reply:
  • The scan result of virustotal.
  • The regkey.txt.
  • The log of AVG 8.
  • The scan result of F-Secure.
  • Fresh DSS logs.

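The msconfig.bat Farbar asks for only exports the MSConfig startup store (HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig) to a .reg text file; reading it is still left to the helper. As an added example, not part of this thread and not anything DSS, HijackThis or the BleepingComputer helpers ship, here is a Python script that parses such an export and flags the kinds of entries a helper looks for: a file borrowing a system binary's name (svchost.exe) that runs from anywhere but system32, a startup command that launches a script from the root of a drive, and a legacy win.ini-style load= autostart (inimapping=1). SAMPLE_EXPORT is constructed from four entries copied from the regkey.txt posted later in this thread; the flagging rules are this example's own heuristics, and `load_export` assumes the UTF-16 encoding that `regedit /e` writes.

```python
"""Flag suspicious autostart entries in a `regedit /e` export of the
MSConfig startup store (HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig).

Added example for this thread, not code from DSS, HijackThis or the
BleepingComputer helpers. The heuristics below are this example's own.
"""
import re
import sys
from typing import Dict, List, Tuple

# Windows system binaries whose names malware borrows. One of these running
# from anywhere but a system32 directory is worth a second look.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                       "winlogon.exe", "services.exe", "explorer.exe"}

# Script extensions a startup command should rarely launch directly.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf")

# Constructed sample: four entries copied from the regkey.txt posted in this
# thread (one benign, three that a helper would question).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe"
"item"="svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dxfbidea]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="myuolpts"
"command"="C:\\myuolpts.bat"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="mllml"
"command"="C:\\WINDOWS\\system32\\mllml.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"command"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"inimapping"="0"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # string values only
EXEC_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|vbs|vbe|js|jse|wsf))"?(?:\s|$)',
                     re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string value}}; dword values are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            # .reg files escape backslash and double quote with a backslash.
            keys[current][value.group(1)] = re.sub(r"\\(.)", r"\1", value.group(2))
    return keys


def executable_of(command: str) -> str:
    """Pull the program path out of a startup command line, quoted or not."""
    m = EXEC_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def startup_entries(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Collect the startupreg and startupfolder items that carry a command."""
    entries = []
    for key, values in keys.items():
        if "\\MSConfig\\startupreg\\" not in key and "\\MSConfig\\startupfolder\\" not in key:
            continue
        if values.get("command"):
            entries.append({"item": values.get("item", ""), "command": values["command"],
                            "regkey": values.get("key", ""),
                            "inimapping": values.get("inimapping", "0")})
    return entries


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Apply the heuristics to one entry and return the reasons it tripped."""
    exe = executable_of(entry["command"])
    directory, _, base = exe.lower().rpartition("\\")
    reasons = []
    if base in SYSTEM_BINARY_NAMES and not directory.endswith("\\system32"):
        reasons.append(f"system binary name {base} outside system32")
    if base.endswith(SCRIPT_EXTENSIONS):
        reasons.append("startup command launches a script")
    if re.fullmatch(r"[a-z]:\\[^\\]+", exe.lower()):
        reasons.append("runs from the root of a drive")
    if entry["inimapping"] == "1" or entry["regkey"].lower().endswith(
            "\\windows nt\\currentversion\\windows"):
        reasons.append("legacy win.ini load=/run= autostart")
    return reasons


def suspicious_entries(text: str) -> List[Tuple[str, str, List[str]]]:
    """(item name, executable, reasons) for every entry that trips a rule."""
    hits = []
    for entry in startup_entries(parse_reg_export(text)):
        reasons = flag_entry(entry)
        if reasons:
            hits.append((entry["item"], executable_of(entry["command"]), reasons))
    return hits


def load_export(path: str) -> str:
    # regedit /e writes UTF-16LE with a BOM; the utf-16 codec consumes the BOM.
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for item, exe, reasons in suspicious_entries(text):
        print(f"{item:<12} {exe}\n    " + "; ".join(reasons))
```

Run it with the path to regkey.txt as the only argument, or with no argument to see it work on the embedded sample. A hit is a reason to look closer (submit the file to VirusTotal, as Farbar does with toolbr.exe), not proof of infection: the rules are deliberately loose, and a legitimate installer can put a .bat in a Run key.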

#11 iSayChris

  • Topic Starter
  • Members
  • 70 posts

Posted 30 July 2008 - 03:02 AM

Oh, and I'll post the F-Secure log tomorrow morning. Gonna leave the scan on while I sleep.


Umm, when I clicked on msconfig.exe from the desktop it did the same thing...
So, I went to Run As and typed
regedit /e regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
then typed notepad regkey.txt, and the log came up. It worked! So here's the stuff you asked for:

Virustotal
MD5: 0bdec31d2a20a02d17302e97dd74a585
First received: 11.30.2007 05:21:25 (CET)
Date: 07.30.2008 09:34:54 (CET) [<1D]
Results: 5/35
Permalink: http://www.virustotal.com/analisis/276ac93...bf97b61c8687db9


Regkey.txt
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"KodakCCS"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe"
"backup"="C:\\WINDOWS\\pss\\svchost.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe"
"item"="svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
"path"="C:\\Documents and Settings\\Chris\\Start Menu\\Programs\\Startup\\Cyber-shot Viewer Media Check Tool.lnk"
"backup"="C:\\WINDOWS\\pss\\Cyber-shot Viewer Media Check Tool.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Sony\\SONYPI~1\\VOLUME~1\\SPUVOL~1.EXE "
"item"="Cyber-shot Viewer Media Check Tool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim6"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AppleSyncNotifier]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AppleSyncNotifier"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleSyncNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\au]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DealioAU"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dealio\\DealioAU.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG8_TRAY]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgtray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Documents and Settings\\Chris\\My Documents\\Programs\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CaAvTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CAVRID]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVRID"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dell AIO Printer A960]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbfbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell AIO Printer A960\\dlbfbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\diagent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="diagent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dxfbidea]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="myuolpts"
"hkey"="HKLM"
"command"="C:\\myuolpts.bat"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FlashGet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FlashGet"
"hkey"="HKLM"
"command"="\"C:\\Documents and Settings\\Chris\\My Documents\\Programs\\FlashGet.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Download Accelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ida"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Chris\\My Documents\\Internet Accelerators\\IDA\\ida.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="mllml"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\mllml.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Lozdodge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LDG_Manager"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Chris\\My Documents\\Programs\\Lozdodge\\LDG_Manager.exe HIDE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Chris\\Application Data\\MySpace\\IM\\bin\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\P2kAutostart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QTTask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RelevantKnowledge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rlvknlg"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\rlvknlg.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SDTrayApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ida"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Chris\\My Documents\\Internet Accelerators\\IDA\\ida.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpeedOptimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SPO"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\Jan\\MYDOCU~1\\SPEEDO~1\\SPO.EXE -s "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Veoh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VeohClient"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe\" /VeohHide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WPC55AG.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WPC55AG"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dual-Band Wireless A+G Notebook Adapter\\WPC55AG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ymetray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMusicEngine"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe\" -preload"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000002
"bootini"=dword:00000002
"services"=dword:00000002
"startup"=dword:00000002



AVG8
[screenshot of the AVG 8 finding, posted as an image]

Main.txt

Deckard's System Scanner v20071014.68
Run by Chris on 2008-07-30 00:45:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
78: 2008-07-30 07:45:59 UTC - RP912 - Deckard's System Scanner Restore Point
77: 2008-07-30 07:30:26 UTC - RP911 - Removed Java™ SE Development Kit 6
76: 2008-07-30 07:29:19 UTC - RP910 - Removed Java™ 6 Update 6
75: 2008-07-30 07:27:54 UTC - RP909 - Removed Java™ 6 Update 2
74: 2008-07-29 16:41:53 UTC - RP908 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-06-09 02:39:29 UTC - RP835 - Installed Microsoft Visual C++ 2005 Redistributable


Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Chris.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:27 AM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Chris\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7777 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080114-110309-256 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-122056-909 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-183911-273 O4 - HKCU\..\Run: [gs34w] c:\program files\gs34wxdcn-hplar\csrss .exe
backup-20080114-183911-587 F3 - REG:win.ini: load=C:\WINDOWS\system32\mllml.exe
backup-20080114-183911-878 O4 - HKLM\..\Run: [gs34w] c:\program files\gs34wxdcn-hplar\csrss .exe
backup-20080317-212900-112 O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
backup-20080317-212900-726 O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
backup-20080317-212900-892 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080517-001546-953 O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
backup-20080615-200346-796 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080630-082539-823 O4 - HKLM\..\Run: [CardBoardFish-DesktopSender] C:\Documents and Settings\Chris\Desktop\Desktop SMS Sender\DesktopSMS.exe /systemtray
backup-20080708-231908-647 O4 - HKLM\..\Run: [SelectRebates] C:\Program Files\SelectRebates\SelectRebates.exe
backup-20080708-231908-760 O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080708-231908-867 O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080709-162539-631 O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
backup-20080717-084248-568 O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
backup-20080717-095950-179 O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080717-095951-431 O3 - Toolbar: ShopAtHome Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
backup-20080717-122600-548 O4 - HKLM\..\Run: [PermissionResearch] c:\program files\permissionresearch\prmrsr.exe -boot
backup-20080717-122600-777 O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/Config/p.../pr/prsetup.cab
backup-20080717-122603-660 O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
backup-20080717-122604-641 O20 - Winlogon Notify: PermissionResearch - C:\Program Files\PermissionResearch\prls.dll
backup-20080717-122604-819 O20 - AppInit_DLLs: avgrsstx.dll,c:\program files\permissionresearch\prai.dll
backup-20080717-123050-769 O20 - AppInit_DLLs: c:\program files\permissionresearch\prai.dll
backup-20080717-131724-979 O4 - HKLM\..\Run: [lphc790j0e9a7] C:\WINDOWS\system32\lphc790j0e9a7.exe
backup-20080721-090306-327 O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
backup-20080721-090306-412 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080721-090306-547 O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
backup-20080721-090306-597 O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
backup-20080721-090306-627 O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
backup-20080721-090312-501 O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
backup-20080721-090313-798 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
backup-20080721-122126-236 O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
backup-20080721-122126-322 O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
backup-20080721-122126-954 O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
backup-20080729-092648-589 O15 - Trusted Zone: http://uploadhosted.filefront.com
backup-20080729-092648-643 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
backup-20080729-092648-685 O15 - Trusted Zone: http://www.download.com
backup-20080729-092648-984 O15 - Trusted Zone: http://toolbar.imageshack.us

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 nvcap (nVidia WDM Video Capture (universal)) - c:\windows\system32\drivers\nvcap.sys

S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys (file missing)
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MotDev (Motorola Inc. USB Device) - c:\windows\system32\drivers\motodrv.sys <Not Verified; Motorola Inc; Motorola USB Composite Driver>
S3 MotoSwitchService (MotoSwitch Service) - c:\windows\system32\drivers\motswch.sys <Not Verified; Motorola INC.; Motorola Switching Filter Driver>
S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver>
S3 PSSdk23 - c:\windows\system32\drivers\pssdk23.drv (file missing)
S3 SIWIO - c:\windows\temp\siwio.sys (file missing)
S3 vgadrv - c:\windows\system32\drivers\vgadrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>
S4 MSSQL$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlservr.exe -ssony_mediamgr (file missing)
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)
S4 SQLAgent$SONY_MEDIAMGR - c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlagent.exe -i sony_mediamgr (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: DISPLAY\NVTVSND\5&26B1A5ED&0&CA000005&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NVTVSND\5&26B1A5ED&0&CA000005&01&00
Service:

Class GUID:
Description:
Device ID: DISPLAY\NVXBAR\5&26B1A5ED&0&CA000003&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NVXBAR\5&26B1A5ED&0&CA000003&01&00
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 932)
2007-07-24 16:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\explorer.exe (pid 1536)
2008-07-10 10:51:34 43008 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll <Not Verified; Apple Inc.; iTunes>
2008-07-10 10:51:34 129536 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll <Not Verified; Apple Inc.; iTunes>
2004-11-19 10:54:26 77824 --a------ C:\Program Files\Common Files\aolshare\aolshcpy.dll <Not Verified; America Online Inc.; aolshcpy Module>
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-03 20:23:44 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Scheduled Tasks -------------------------------------------------------------

2008-07-26 13:23:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-25 10:00:01 342 --a------ C:\WINDOWS\Tasks\Scan for Viruses.job


-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-07-26 18:16:15 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-07-26 13:35:57 0 d-------- C:\Program Files\iTunes
2008-07-24 18:21:58 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-19 12:24:12 0 d-------- C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-07-19 12:23:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 12:23:47 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-14 22:22:18 0 dr-h----- C:\Documents and Settings\Chris\Recent
2008-07-13 02:27:13 0 d--h---c- C:\$AVG8.VAULT$
2008-07-13 02:10:56 0 d-------- C:\Program Files\AIM6
2008-07-13 02:01:43 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-13 02:01:20 0 d-------- C:\Program Files\AVG
2008-07-13 02:01:19 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-12 08:10:30 0 d-------- C:\WINDOWS\Prefetch
2008-07-12 07:57:14 0 d-------- C:\WINDOWS\system32\scripting
2008-07-12 07:57:12 0 d-------- C:\WINDOWS\l2schemas
2008-07-12 07:57:10 0 d-------- C:\WINDOWS\system32\en
2008-07-11 23:35:15 0 d-------- C:\Program Files\QuickTime
2008-07-09 16:21:38 49152 --a------ C:\WINDOWS\nswatchdog.exe
2008-07-08 23:26:33 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-07 19:33:04 0 d-------- C:\Program Files\TouchStoneSoftware
2008-07-07 16:30:40 0 d------c- C:\Fraps
2008-07-03 10:00:39 0 d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-07-01 10:59:13 0 d-------- C:\WINDOWS\nvidia icons
2008-07-01 10:52:48 0 d-------- C:\Documents and Settings\Chris\Application Data\SystemRequirementsLab
2008-07-01 06:47:25 23 --a------ C:\Documents and Settings\Chris\jagex_runescape_preferences.dat
2008-06-30 04:44:41 0 d------c- C:\PacSteamM


-- Find3M Report ---------------------------------------------------------------

2008-07-30 00:29:27 0 d-------- C:\Program Files\Java
2008-07-27 13:41:05 0 d-------- C:\Documents and Settings\Chris\Application Data\LimeWire
2008-07-26 13:36:25 0 d-------- C:\Program Files\iPod
2008-07-24 23:27:37 0 d-------- C:\Documents and Settings\Chris\Application Data\uTorrent
2008-07-13 17:05:41 0 d-------- C:\Program Files\SwiftKit
2008-07-13 01:48:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-13 01:47:23 0 d-------- C:\Program Files\Common Files
2008-07-13 01:47:05 0 d-------- C:\Program Files\Common Files\aolshare
2008-07-12 07:57:51 0 d-------- C:\Program Files\Messenger
2008-07-12 07:57:09 0 d-------- C:\Program Files\Movie Maker
2008-07-12 07:49:53 0 d-------- C:\Program Files\Windows NT
2008-07-08 23:28:08 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-01 10:53:39 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-30 15:37:17 0 d-------- C:\Program Files\StepMania
2008-06-28 15:08:20 0 d-------- C:\Documents and Settings\Chris\Application Data\DesktopSMS
2008-06-26 23:28:29 0 d-------- C:\Documents and Settings\Chris\Application Data\Sony
2008-06-25 22:18:18 0 d-------- C:\Program Files\MSECache
2008-06-25 22:00:22 0 d-------- C:\Program Files\DivX
2008-06-25 17:53:00 0 d-------- C:\Documents and Settings\Chris\Application Data\Adobe
2008-06-22 08:31:25 0 d-------- C:\Program Files\Common Files\Thraex Software
2008-06-17 14:41:46 0 d-------- C:\Documents and Settings\Chris\Application Data\Mozilla
2008-06-16 18:04:26 2539 --a------ C:\WINDOWS\mozver.dat
2008-06-16 00:53:01 0 d-------- C:\Program Files\Sony
2008-06-16 00:50:38 0 d-------- C:\Program Files\Sony Setup
2008-06-15 20:30:54 86932 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-15 20:29:00 0 d-------- C:\Program Files\Picasa2
2008-06-14 18:03:16 0 d-------- C:\Program Files\AIM
2008-05-30 15:02:10 0 d-------- C:\Program Files\Apple Software Update
2008-05-30 10:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 10:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 10:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-02 22:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost


-- End of Deckard's System Scanner: finished at 2008-07-30 00:49:31 ------------

Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 83%
Physical Memory (total/avail): 510.98 MiB / 84.34 MiB
Pagefile Memory (total/avail): 1246.93 MiB / 784.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1871.61 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 18.93 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Chris\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;.;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Java\jdk1.6.0_01\bin;%CLASSPATH%;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RALPH-NCDXW43SG
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chris
LANG=C
LOGONSERVER=\\RALPH-NCDXW43SG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Java\jdk1.6.0_01\bin;C:\Program Files\Java\jre1.6.0_07\bin;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Java\jre\bin;C:\Documents and Settings\Chris\My Documents\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
TMP=C:\DOCUME~1\Chris\LOCALS~1\Temp
USERDOMAIN=RALPH-NCDXW43SG
USERNAME=Chris
USERPROFILE=C:\Documents and Settings\Chris
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mom
Dad
Chris (admin)
Ralph
Game Room
Jan (admin)
Administrator.RALPH-NCDXW43SG (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type21973 / Error
Event Submitted/Written: 07/28/2008 01:30:22 AM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type21938 / Warning
Event Submitted/Written: 07/28/2008 01:29:52 AM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type21935 / Error
Event Submitted/Written: 07/28/2008 00:39:56 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application runescape.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type21934 / Error
Event Submitted/Written: 07/28/2008 00:39:55 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application runescape.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type21927 / Error
Event Submitted/Written: 07/27/2008 11:45:00 PM
Event ID/Source: 17204 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open failed: Could not open file c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\templog.ldf for file number 2. OS error: 32(The process cannot access the file because it is being used by another process.).



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4139 / Warning
Event Submitted/Written: 07/28/2008 03:09:29 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type4138 / Warning
Event Submitted/Written: 07/28/2008 07:47:35 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4126 / Error
Event Submitted/Written: 07/28/2008 01:31:28 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type4109 / Error
Event Submitted/Written: 07/27/2008 11:46:08 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The SQL Server (SQLEXPRESS) service terminated with service-specific error 1814 (0x716).

Event Record #/Type4108 / Error
Event Submitted/Written: 07/27/2008 11:46:08 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-30 00:49:31 ------------

Edited by iSayChris, 30 July 2008 - 03:30 AM.


#12 iSayChris

iSayChris
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:07:21 PM

Posted 30 July 2008 - 03:02 AM

F-secure report
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<html>
<font style="COLOR: black; FONT: 10pt verdana">
<head>
<title>F-Secure Online Scanner 3.3.1 - Scanning Report - Wednesday, July 30, 2008 10:33:52</title>
</head>

<body>
<h1><font face="Arial">Scanning Report</font></h1>
<h2><font face="Arial">Wednesday, July 30, 2008 01:32:47 - 10:33:49</font></h2>
<p>
Computer name: RALPH-NCDXW43SG
<br>Scanning type: Scan system for malware, rootkits
<br>Target: C:\
</p>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Result: 1 malware found</font></h2>
<a href="http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Tracking Cookie&orig='disk'" target="_blank"><nobr>Tracking Cookie</nobr></a> (spyware)
<ul>
<li>
System
</ul>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Statistics</font></h2>
Scanned:<ul>
<li>Files: 63628
<li>System: 5411
<li>Not scanned: 368
</ul>
Actions:<ul>
<li>Disinfected: 0
<li>Renamed: 0
<li>Deleted: 0
<li>None: 1
<li>Submitted: 0
</ul>
Files not scanned:<ul>
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\01[1].JS
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1018347508_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1051073603@TOP1[1]
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1070701098_M[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1079684759_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1087577169_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1147634200_POKE-02[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1168037522[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1191132257_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1196088647@TOP1[1]
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1202793189_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1205565468_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\120X600CM_DESIGN_DEC6[2].SWF
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\120X600CM_DESIGN_DEC6[3].SWF
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\120X600CM_DESIGN_DEC6[4].SWF
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1229_DOGHOOP[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1230_SKYDIVE[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1242215539_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1264199319_M[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\130838459_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1316540338_M[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1316540338_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1318884114_M[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1326661715_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1333626769_S[1].JPG
<li>C:\DOCUMENTS AND SETTINGS\RALPH\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\28X0I2FS\1334478562_S[1].JPG
</ul>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Options</font></h2>
Scanning engines:<ul>
<li>F-Secure USS: 2.30.0
<li>F-Secure Hydra: 2.8.8110, 2008-07-30
<li>F-Secure AVP: 7.0.171, 2008-07-30
<li>F-Secure Pegasus: 1.20.0, 2008-04-14
<li>F-Secure Blacklight: 1.0.68

</ul>
Scanning options:<ul>
<li>Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
<li>
Use Advanced heuristics
</ul>
<hr noshade>
<ul><h6>Copyright &copy; 1998-2007 <a href="http://support.f-secure.com/">Product support</a> |<a href="http://support.f-secure.com/enu/home/virusproblem/sample/">Send virus sample to F-Secure</a></h6><h6>F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.</h6></ul>
</body>
</font>
</html>

Edited by iSayChris, 30 July 2008 - 12:34 PM.


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:21 AM

Posted 30 July 2008 - 05:46 AM

Hi,

The screenshot is better than before, but I'm not sure if that is all we can get. Could you check if you can find a scan log of AVG under the History menu? I'm not sure about AVG, but usually if you double-click the log and click on View Scan log you get a log file which can be saved or copied and pasted.

#14 iSayChris

iSayChris
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:07:21 PM

Posted 30 July 2008 - 12:41 PM

I don't know if this is it:

"Scan ""Scan whole computer"" was finished."
"Infections found:";"0"
"Infected objects removed or healed:";"0"
"Not removed or healed:";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"1"
"Information count:";"0"
"Scan started:";"Friday, July 25, 2008, 5:19:49 PM"
"Scan finished:";"Friday, July 25, 2008, 5:24:18 PM (4 minute(s) 29 second(s))"
"Total object scanned:";"618706"
"User who launched the scan:";"Chris"

"Warnings"
"File";"Infection";"Result"
"HKU\S-1-5-21-1229272821-1993962763-682003330-1007\Software\Softactivity";"Found Adware.ActivityLogger";"Healed"
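
As an added example (not from this thread or from AVG), a small Python parser for the semicolon-separated log format pasted above: it pulls out the summary counters and lists any entry whose result is not a successful heal or removal, which is the thing to check on the next scan. The sample log is constructed; the SID and the second entry are illustrative, and the set of "resolved" result words is an assumption.

```python
import csv
import io

# Constructed sample in the export format AVG produced above (semicolon-separated,
# double-quoted fields, "" escaping an embedded quote). SID and second entry are illustrative.
SAMPLE_LOG = r'''"Scan ""Scan whole computer"" was finished."
"Infections found:";"0"
"Not removed or healed:";"0"
"Warnings count:";"2"
"Not removed:";"1"
"Scan started:";"Friday, July 25, 2008, 5:19:49 PM"
"Total object scanned:";"618706"

"Warnings"
"File";"Infection";"Result"
"HKU\S-1-5-21-EXAMPLE-1007\Software\Softactivity";"Found Adware.ActivityLogger";"Healed"
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe";"Found Example.Downloader";"Not removed"
'''

def parse_avg_log(text):
    """Split the log into a summary dict and per-section lists of row dicts."""
    summary, sections = {}, {}
    section, columns = None, None
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:                      # blank separator line
            continue
        if len(row) == 1:                # status line or a section header
            if section is None and row[0].startswith("Scan "):
                summary["status"] = row[0]
            else:
                section, columns = row[0], None
                sections[section] = []
        elif section is None:            # "Key:";"value" summary pair
            summary[row[0].rstrip(":")] = row[1]
        elif columns is None:            # first row of a section is its header
            columns = row
        else:
            sections[section].append(dict(zip(columns, row)))
    return summary, sections

# Result words AVG uses for a successful action (assumed wording; extend if you see others).
RESOLVED = {"healed", "removed"}

def unresolved(sections):
    """Entries still present after the scan: what to re-check on the next run."""
    return [(name, r["File"], r["Infection"], r["Result"])
            for name, rows in sections.items() for r in rows
            if r.get("Result", "").strip().lower() not in RESOLVED]
```
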

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:21 AM

Posted 30 July 2008 - 03:09 PM

Hi,

Good job. We might be almost there.

Yes, the AVG log is the one we were looking for. It is a registry item related to a keylogger. The log says it is removed. Tell me if you have run AVG again since last Friday to see if the registry item is gone, and tell me also if you have tried to run AVG in Safe Mode and let the item be removed from there.
  • VirusTotal supports Kaspersky and the file indeed belongs to adware search it, see also this: http://www.bleepingcomputer.com
    You may remove the folder in bold:

    C:\Program Files\Common Files\aolback\Comps\toolbar

  • I saw from your log you have disabled some startup items by using System Configuration Utility. I know many people use and advise use of System Configuration Utility to disable startup items. But the utility is designed to be used for diagnostic purposes. There is good free software to use for this purpose.

    The log we made shows that you have disabled a malware startup item. The item does no harm at the moment, but in case you or somebody else again enables the item the malware might become active again. So we have to make sure this is not going to happen.
    • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
      How to see hidden files in Windows
    • Using Windows explorer delete the files in bold (if present):

      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
      C:\WINDOWS\pss\svchost.exe
    Note: svchost.exe located at C:\Windows\System32\svchost.exe is a legit Windows file and should not be removed.

  • Go to Start > Run
    • In the run box type: msconfig to open up System Configuration Utility.
    • Click on startup tab.
    • Find svchost
    • Uncheck the box next to it.
    • Press Apply and Close.
    • A window pops up; select "Exit Without Reboot".
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - Startup: svchost.exe

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix


    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    When the tool is finished, it will produce a report for you (C:\ComboFix.txt). Please copy and paste the report for further review.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



    In your reply:
    • The Combofix log.
    • A fresh hijackthis log.




