
Good Advice...?


12 replies to this topic

#1 twistah

  • Members
  • 6 posts

Posted 19 July 2008 - 02:24 AM


In this thread:

http://www.bleepingcomputer.com/forums/t/105212/infected-with-winfixervirtumonde-trojandropper-trojanadclicker/

I read the advice about downloading a tool called SmitfraudFix.exe from the URL http://siri.urz.free.fr/Fix/SmitfraudFix.exe
to help in diagnosing a problem. However, every anti-virus program I have reports this as a backdoor.

Users of bleepingcomputer.com, beware!

Scanned on http://virusscan.jotti.org/
The report says (for instance) "BackDoor.IRC.Chazz.38, Tool.Prockill, Tool.ShutDown.11"



Please ignore. My bad. The report was based on a false positive. Read below.

Edited by twistah, 19 July 2008 - 12:24 PM.




#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 19 July 2008 - 10:17 AM

Hello twistah

Welcome to Bleeping Computer
========================

If we are here to help, why would we put a backdoor on your computer?
I can assure you that it is not what the antivirus programs say it is.
That is what you call a false positive.


The antivirus vendors don't know whether a file is good or bad.
Because it is a self-written tool, it uses processes not known to antivirus companies, and they commonly flag most components of any tools we use here for this same reason.

Here is the warning commonly given in the download speech for smitfraudfix.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Please do not bash any tools here; we freely help people with these tools. We are here to do no harm but good.
Please do more research before speaking negatively about the community.

Now that that is clear do you have a malware issue?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
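Reading a multi-engine report like the one quoted in the first post, as an added example that is not from this thread or from the SmitfraudFix author: it sorts detection names by their riskware/tool prefixes, applies a constructed threshold to separate a lone generic hit from a vendor consensus, and checks the download's SHA-256 against the value a publisher would list. The engine names, thresholds, sample bytes and hash are all constructed.

```python
"""Triage a multi-engine scan report for a dual-use remediation tool."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Name prefixes vendors use for dual-use utilities ("riskware", "tool"),
# which describe what a program can do rather than assert it is malicious.
# Constructed, non-exhaustive list.
DUAL_USE_PATTERNS = (
    r"^tool\.", r"^risktool", r"^not-a-virus", r"^pua\b", r"^riskware",
    r"^hacktool", r"^application\.",
)


@dataclass
class Detection:
    engine: str
    name: str  # detection name; empty string means the engine found nothing

    def category(self) -> str:
        if not self.name:
            return "clean"
        low = self.name.lower()
        if any(re.match(p, low) for p in DUAL_USE_PATTERNS):
            return "dual-use"
        return "malware"


def triage(detections, total_engines):
    """Count verdicts per category; engines absent from the list are clean."""
    counts = {"clean": 0, "dual-use": 0, "malware": 0}
    for d in detections:
        counts[d.category()] += 1
    counts["clean"] += total_engines - len(detections)
    return counts


def verdict(counts, total_engines):
    """Heuristic with constructed thresholds (not a vendor rule): a lone
    backdoor/generic hit among dual-use and clean results on a tool that
    kills processes is a false-positive candidate to verify, while a broad
    consensus of malware names is treated as malicious."""
    malware, dual = counts["malware"], counts["dual-use"]
    if malware == 0 and dual == 0:
        return "clean"
    if malware <= max(1, total_engines // 10) and dual >= malware:
        return "likely false positive: verify publisher hash before trusting"
    return "treat as malicious"


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the downloaded file's SHA-256 to the value the publisher
    states, using a constant-time comparison."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


# Constructed report shaped like the one quoted in the thread: four of
# twenty engines flag the process-killing tool, three of them as Tool.*.
TOOL_REPORT = [
    Detection("EngineA", "BackDoor.IRC.Chazz.38"),
    Detection("EngineB", "Tool.Prockill"),
    Detection("EngineC", "Tool.ShutDown.11"),
    Detection("EngineD", "RiskTool.Win32.ProcessKill"),
]

# Constructed contrast: the kind of result a randomly named Temp executable
# gives when many engines agree on a trojan name.
TEMP_FILE_REPORT = [Detection(f"Engine{i}", "Win32:Trojan-gen") for i in range(12)]

# Constructed download; the hash simulates the value a publisher would list.
DOWNLOADED_BYTES = b"MZ\x90\x00constructed-sample-not-a-real-binary"
PUBLISHER_SHA256 = hashlib.sha256(DOWNLOADED_BYTES).hexdigest()

if __name__ == "__main__":
    for label, report in (("tool", TOOL_REPORT), ("temp file", TEMP_FILE_REPORT)):
        counts = triage(report, 20)
        print(label, counts, "->", verdict(counts, 20))
    print("hash ok:", sha256_matches(DOWNLOADED_BYTES, PUBLISHER_SHA256))
```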

#3 twistah
  • Topic Starter

  • Members
  • 6 posts

Posted 19 July 2008 - 12:20 PM

I stand corrected. I just jumped when the tool advised for removing malware indeed showed up as malware itself. This community is not known to me, so I was unable to determine anyone's motives. If I have offended anyone, I apologize.

If you still want to help me, yes, I have some kind of malware (or at least that's what avast! keeps telling me).

Symptoms:
1. Avast! keeps warning me about a "virus found".
2. The virus resides in the same directory every time: C:\DOCUME~1\<user>\LOCALS~1\Temp\
3. Name: Win32:Trojan-gen {Other}
4. Filename appears to be randomized. Last found filename: fcUlcq5N.exe

DSS log:


DSS Extra:
/I{51846830-E7B2-4218-8968-B77F0FF475B8}Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}Adobe Creative Suite 3 Production Premium --> MsiExec.exe /I{40F2BCF4-4EED-4AD4-BFB6-A58946C561A1}Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}Adobe Encore CS3 --> MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}Adobe Encore CS3 Codecs --> MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}Adobe Encore CS3 Library --> MsiExec.exe /I{F1D93F5B-881F-49E3-BA56-B4B8FA991059}Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}Adobe Glyphlet Creation Tool CS3 --> MsiExec.exe /I{243DA072-8E39-424A-86A3-F63152021383}Adobe Help Viewer CS3 --> MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}Adobe Photoshop Lightroom --> MsiExec.exe /I{359D2A79-64C6-4824-83CE-B053297DED6A}Adobe Premiere Pro CS3 --> MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}Adobe Premiere Pro CS3 Functional Content --> MsiExec.exe 
/I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}Adobe Premiere Pro CS3 Third Party Content --> MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}Adobe Reader 8.1.0 - Norsk --> MsiExec.exe /I{AC76BA86-7AD7-1044-7B44-A81000000003}Adobe Setup --> MsiExec.exe /I{BA67E3E1-25EE-4481-857D-D3CA99DA71C8}Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.logAdobe Soundbooth CS3 --> MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}Adobe Soundbooth CS3 Codecs --> MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}Adobe Soundbooth CS3 Scores --> MsiExec.exe /I{92A300C0-E97B-48CC-9702-AB1AAED167E1}Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}Adobe Video Profiles --> MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}Adobe XMP Panels CS3 --> MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}Advanced LAN Scanner v1.0 BETA 1 --> C:\Program Files\Advanced LAN Scanner\uninstal.exeAge of Conan - Hyborian Adventures --> "C:\Program Files\Funcom\Age of Conan\unins000.exe"AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}Audacity 1.3.3 (Unicode) --> "C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"Audible Download Manager --> C:\Program Files\Audible\Bin\AudibleDM_iTunesSetup.exe /Uninstallavast! 
Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetupAXIS Media Control Embedded --> rundll32 "C:\Program Files\Axis Communications\AXIS Media Control Embedded\AxisMediaControlEmb.dll",UninstallMebaRenameX --> MsiExec.exe /I{7B250E25-DD1B-450B-8811-5E05C1805B60}Battlefield 2142 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x9 -removeonlyBonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}Call of Duty® 4 - Modern Warfare(tm) --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\Setup.exe" -l0x9 anythingCarbonite --> C:\Program Files\Carbonite\Carbonite Backup\CarboniteSetup.exe /removeCounter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /removeCreative Live! Cam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9 /removeCreative Live! Cam Vista IM Driver (1.01.03.1104) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script VF0260.uns -unsext NT -plugin V0260Pin.dll -pluginres CtCamPin.crlCreative Live! 
Cam Vista IM User's Guide (English) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative Live! Cam Vista IM\Creative Live! Cam Vista IM User's Guide\English\CTManual.isu"Creative Software AutoUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /removeCreative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /removeCreative WebCam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9 /removeCrimson Editor (remove only) --> C:\Program Files\Crimson Editor\uninstall.exeDay of Defeat: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/300DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODECDivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTERDivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYERDivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGINDVDFab Platinum 4.0.3.2 Final Registered --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"EVE-ONLINE (remove only) --> C:\Program Files\CCP\EVE\Uninstall.exeFileZilla Client 3.0.7.1 --> C:\Program Files\FileZilla Client\uninstall.exeGhost Recon Advanced Warfighter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFC97089-04D6-42CE-A707-A343B4A7D2CD}\setup.exe" -l0x9 Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"Google Update --> MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}Half-Life 2 
--> "C:\Program Files\Steam\steam.exe" steam://uninstall/220Half-Life: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/280HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstallHuman Head demo by NVIDIA (remove only) --> "C:\Program Files\NVIDIA Corporation\NVIDIA Demos\HumanHead\uninstall.exe"Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}J2SE Runtime Environment 5.0 Update 14 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150140}Java(tm) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}Java(tm) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}Last.fm 1.5.1.29527 --> "C:\Program Files\Last.fm\unins000.exe"LEGO Star Wars 2 DEMO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{150FEA49-4039-4458-B9D0-F19CC17229FE} /l1033 Lively by Google --> MsiExec.exe /X{DE78E060-9EE8-45B1-8C31-8BBA2B6CB01B}Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50) --> MsiExec.exe /X{2E5A5B57-57FC-4C79-A239-9DB280ADEC2A}Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}Mini Calculator --> C:\Program Files\MicroTools4U\Mini Calculator\Uninstal.exeMozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exeMSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}Natural Color --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F51D9393-BB14-4566-99BF-D6ED63AEFCD7}\setup.exe" Nero 7 Essentials --> MsiExec.exe /X{BCB002B8-493D-4C3F-A968-774FC0881033}Notepad++ --> C:\Program Files\Notepad++\uninstall.exeNVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe 
UninstallGUIOblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonlyOpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}Paint.NET v3.08 --> MsiExec.exe /X{83B26E5D-1795-4DFE-9317-0FA0F3AAB568}PDF Settings --> MsiExec.exe /I{DC017035-1939-425F-8F86-63B462C76C6A}Peggle Extreme --> "C:\Program Files\Steam\steam.exe" steam://uninstall/3483Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"PlayNC Launcher --> C:\Program Files\InstallShield Installation Information\{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}\setup.exe -runfromtemp -l0x0009 -removeonlyPodcast Station 2.1 --> MsiExec.exe /I{EF857B8B-127D-4473-8936-2060EE3AD14C}Portal: The First Slice --> "C:\Program Files\Steam\steam.exe" steam://uninstall/410Påloggingsassistent for Windows Live --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}Quake 3 Team Arena Demo --> "C:\Program Files\Steam\steam.exe" steam://uninstall/9090QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}Richard Garriott's Tabula Rasa --> C:\Program Files\InstallShield Installation Information\{A67E64A9-F6E6-4156-A293-602A8189DC50}\Setup.exe -runfromtemp -l0x0009 -removeonlySafari --> MsiExec.exe /I{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}Sail Simulator 4.2i demo --> C:\PROGRA~1\Stentec\SAILSI~1.2DE\UNWISE.EXE C:\PROGRA~1\Stentec\SAILSI~1.2DE\INSTALL.LOGSIM editor 3.0 --> C:\Program Files\SIM editor\uninst.exeSins of a Solar Empire --> "C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe" REMOVE=TRUE MODIFY=FALSESins of a Solar Empire --> C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exeSnagIt 8 --> MsiExec.exe /I{DA0BF7AB-88EB-4675-8FA1-531EAD938821}Sony DVD Handycam USB Driver --> RunDll32 
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F845B05-8B76-4302-A808-7FB21E2BC5E6}\Setup.exe" UNINSTALLSony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALLSony Vegas Pro 8.0 --> MsiExec.exe /X{1246FF64-3035-4A92-8FE6-A968275495EB}SPORE™ Creature Creator Trial Edition --> "C:\Program Files\InstallShield Installation Information\{ECEE0279-785F-4CB3-9F28-E69813234BF8}\setup.exe" -runfromtemp -l0x0009 -removeonlySteam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}TextEdit 2.1 --> "C:\Program Files\TextEdit\unins000.exe"Trillian --> C:\Program Files\Trillian\trillian.exe /uninstallVanDyke Software SecureCRT 5.2 --> C:\PROGRA~1\SECURE~1\UNINSTAL.EXE C:\PROGRA~1\SECURE~1\INSTALL.LOGVentrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}VentriloMIX --> C:\Program Files\VentriloMIX\Uninstal.exeVideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exeWinamp --> "C:\Program Files\Winamp\UninstWA.exe"Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"Windows Live Fotogalleri --> MsiExec.exe /X{F8A982AA-8114-4293-BE8E-0DC07D96134E}Windows Live installer --> MsiExec.exe /X{4218D9DC-282B-4596-BEA5-F20560C14400}Windows Live Messenger --> MsiExec.exe /X{D70A63D1-2F54-4713-8AE6-BBD28D1A62E6}Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exeWinSCP 4.0.6 --> "C:\Program Files\WinSCP\unins000.exe"XML Paper Specification 
Shared Components Pack 1.0 --> Zune Desktop Theme --> MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}-- Application Event Log -------------------------------------------------------Event Record #/Type11207 / ErrorEvent Submitted/Written: 07/11/2008 05:39:13 AMEvent ID/Source: 4691 / COM+Event Description:The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d01b)Event Record #/Type11193 / ErrorEvent Submitted/Written: 07/10/2008 03:46:46 PMEvent ID/Source: 1002 / Application HangEvent Description:Hanging application firefox.exe, version 1.9.0.3071, hang module hungapp, version 0.0.0.0, hang address 0x00000000.Event Record #/Type11192 / ErrorEvent Submitted/Written: 07/10/2008 03:46:18 PMEvent ID/Source: 1002 / Application HangEvent Description:Hanging application firefox.exe, version 1.9.0.3071, hang module hungapp, version 0.0.0.0, hang address 0x00000000.Event Record #/Type11191 / ErrorEvent Submitted/Written: 07/10/2008 03:45:56 PMEvent ID/Source: 1002 / Application HangEvent Description:Hanging application firefox.exe, version 1.9.0.3071, hang module hungapp, version 0.0.0.0, hang address 0x00000000.Event Record #/Type11190 / ErrorEvent Submitted/Written: 07/10/2008 03:45:35 PMEvent ID/Source: 1002 / Application HangEvent Description:Hanging application firefox.exe, version 1.9.0.3071, hang module hungapp, version 0.0.0.0, hang address 0x00000000.-- Security Event Log ----------------------------------------------------------No Errors/Warnings found.-- System Event Log ------------------------------------------------------------Event Record #/Type20504 / ErrorEvent Submitted/Written: 07/19/2008 07:07:14 PMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1058" attempting to start the service IISADMIN with arguments ""in order to run the server:{A9E69610-B80D-11D0-B9B9-00A0C922E750}Event Record #/Type20500 / 
ErrorEvent Submitted/Written: 07/19/2008 07:05:22 PMEvent ID/Source: 7901 / ScheduleEvent Description:The At20.job command failed to start due to the following error: %%2147942402Event Record #/Type20495 / WarningEvent Submitted/Written: 07/19/2008 02:54:21 PMEvent ID/Source: 4226 / TcpipEvent Description:TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.Event Record #/Type20494 / ErrorEvent Submitted/Written: 07/19/2008 02:49:42 PMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1058" attempting to start the service IISADMIN with arguments ""in order to run the server:{A9E69610-B80D-11D0-B9B9-00A0C922E750}Event Record #/Type20493 / ErrorEvent Submitted/Written: 07/19/2008 02:49:24 PMEvent ID/Source: 10005 / DCOMEvent Description:DCOM got error "%%1058" attempting to start the service IISADMIN with arguments ""in order to run the server:{A9E69610-B80D-11D0-B9B9-00A0C922E750}-- End of Deckard's System Scanner: finished at 2008-07-19 19:08:49 ------------

Any help at this point would be much appreciated. Again, sorry for my rushed conclusions!
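One section of a DSS log that is worth reading with a security eye is the Windows Firewall application-exception list, because a dropped binary that adds itself there gets unrestricted inbound access. The following is an added example, not code from this thread or from Deckard's System Scanner: it parses entries in the "<exe>"="<exe>:<scope>:<state>:<name>" form DSS prints (backslashes doubled, entries run together as in the log above) and flags exceptions whose executable lives somewhere a standard user can write to, or whose value path differs from its key path. The three sample entries are copied from the posted log; the list of "user-writable" directories and the flagging rules are this example's own assumptions.

```python
"""Flag Windows Firewall application exceptions worth a second look.

Added example; not code from the forum thread or from Deckard's System Scanner.
Assumes the value format DSS prints for the XP firewall's
AuthorizedApplications\\List values: "<exe>"="<exe>:<scope>:<state>:<name>",
backslashes doubled, entries concatenated with no separator.
"""
import re

# Constructed sample: three entries copied from the DSS firewall section above.
SAMPLE = (
    r'"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"'
    r'"C:\\Documents and Settings\\Paal\\Application Data\\U3\\0000162B537010DF'
    r'\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"='
    r'"C:\\Documents and Settings\\Paal\\Application Data\\U3\\0000162B537010DF'
    r'\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe:*:Enabled:Skype"'
    r'"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"'
)

# key = value-path : scope : state : display name
ENTRY_RE = re.compile(r'"([^"]+)"="([^"]*?):(\*|[^:"]*):(Enabled|Disabled):([^"]*)"')

# Locations a non-admin user can write to on XP (assumed list for this example);
# an exception for an exe under one of these is where a dropped file would
# most easily punch a hole in the firewall.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\windows\\temp\\",
)


def parse_exceptions(text):
    """Return one dict per exception, with doubled backslashes collapsed."""
    entries = []
    for key, exe, scope, state, name in ENTRY_RE.findall(text):
        entries.append({
            "key": key.replace("\\\\", "\\"),
            "exe": exe.replace("\\\\", "\\"),
            "scope": scope,
            "state": state,
            "name": name,
        })
    return entries


def review(entries):
    """Return [(exe, [reasons])] for enabled, any-address exceptions that merit a look."""
    flagged = []
    for e in entries:
        reasons = []
        if e["key"].lower() != e["exe"].lower():
            reasons.append("key/value path mismatch")
        if any(d in e["exe"].lower() for d in USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if reasons and e["state"] == "Enabled" and e["scope"] == "*":
            flagged.append((e["exe"], reasons))
    return flagged


if __name__ == "__main__":
    for exe, reasons in review(parse_exceptions(SAMPLE)):
        print(exe, "->", "; ".join(reasons))
```

On the posted log this flags only the Skype.exe under Application Data\U3 (a U3 USB-stick launcher, which is a plausible legitimate reason); the point of the check is to produce a short list to verify by hand, not a verdict.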

#4 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 19 July 2008 - 02:46 PM

No problem.

Do this first :

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#5 twistah (Topic Starter, Members, 6 posts)

Posted 20 July 2008 - 01:17 AM

Cleaned and ran Kaspersky. However, during the night 25 IE ad popups have appeared. This has not happened before. I use Firefox 3 and was not running IE at all. (IE 6.0.2)

Kaspersky report (found stuff that DrWeb quarantined also, I think)
[codebox]--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 19, 2008 20:55:40
Records in database: 974257
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
H:\
I:\

Scan statistics:
Files scanned: 185120
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:47:28


File name / Threat name / Threats count
C:\Documents and Settings\Paal\DoctorWeb\Quarantine\DTPro4100215Free.exe Infected: Trojan-Downloader.Win32.Delf.asz 1
C:\Documents and Settings\Paal\DoctorWeb\Quarantine\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\hl80fPL5.exe Infected: Trojan-GameThief.Win32.OnLineGames.arxy 1

The selected area was scanned.
[/codebox]

#6 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 20 July 2008 - 06:55 AM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\hl80fPL5.exe
    emptytemp
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=================================================
Post those logs and a new DSS log, then let me know if the problem has ceased.
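The report in post #5 contains three kinds of hit that should be handled differently: a file another scanner has already quarantined, a "not-a-virus:" risk-tool detection of the kind the SmitfraudFix false positive produced, and a live file in system32 that post #6 moves with OTMoveIt2. As an added example (not code from this thread, from Kaspersky or from OldTimer), the block below parses Kaspersky Online Scanner report lines, sorts them into those three buckets and emits only the live paths in the form pasted into OTMoveIt2. The three report lines are the ones posted above; the fourth line (a copy of SmitfraudFix on the desktop) is constructed to exercise the risk-tool bucket, and the quarantine-folder names and the "not-a-virus:" prefix rule are this example's assumptions.

```python
"""Triage a Kaspersky Online Scanner report and build an OTMoveIt2 move list.

Added example; not code from the thread, from Kaspersky or from OldTimer.
Assumes report lines of the form "<path> Infected: <threat> <count>".
"""
import re

# Three lines copied from the posted report plus one constructed line
# (SmitfraudFix on the desktop) so that every bucket below is exercised.
REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Paal\DoctorWeb\Quarantine\DTPro4100215Free.exe Infected: Trojan-Downloader.Win32.Delf.asz 1
C:\Documents and Settings\Paal\DoctorWeb\Quarantine\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\hl80fPL5.exe Infected: Trojan-GameThief.Win32.OnLineGames.arxy 1
C:\Documents and Settings\Paal\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.
"""

LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Folders where other tools park files they have already neutralised
# (assumed list: Dr.Web CureIt quarantine, generic quarantine, OTMoveIt2 output).
QUARANTINE_DIRS = ("\\doctorweb\\quarantine\\", "\\quarantine\\", "\\_otmoveit\\")


def parse_report(text):
    """Return one dict per detection line; header and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def classify(hit):
    """quarantined: already isolated; risktool: legitimate-tool behaviour to review; live: act on it."""
    low = hit["path"].lower()
    if any(q in low for q in QUARANTINE_DIRS):
        return "quarantined"
    if hit["threat"].startswith("not-a-virus:"):
        return "risktool"
    return "live"


def triage(text):
    buckets = {"quarantined": [], "risktool": [], "live": []}
    for hit in parse_report(text):
        buckets[classify(hit)].append(hit)
    return buckets


def otmoveit_list(text, empty_temp=True):
    """Text to paste into OTMoveIt2's 'Paste List of Files/Folders to be Moved' box."""
    lines = [hit["path"] for hit in triage(text)["live"]]
    if empty_temp:
        lines.append("emptytemp")
    return "\n".join(lines)


if __name__ == "__main__":
    for bucket, hits in triage(REPORT).items():
        for hit in hits:
            print(f"{bucket:11} {hit['threat']:45} {hit['path']}")
    print("--- OTMoveIt2 list ---")
    print(otmoveit_list(REPORT))
```

The risk-tool bucket is deliberately kept out of the move list: a "not-a-virus:" verdict on a known cleaning tool is the false-positive situation this thread started with, and the right response is to confirm the file's origin, not to delete it.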

#7 twistah (Topic Starter, Members, 6 posts)

Posted 20 July 2008 - 08:51 AM

C:\WINDOWS\system32\hl80fPL5.exe moved successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\Perflib_Perfdata_174.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\~DF6B1.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\hsperfdata_Paal\372 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\Arj.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\avlib.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\Avp1.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\AvpMgr.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\CAB.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\dmap.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\dtreg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\FsDrvPlg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\FSSync.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\HashCont.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\HashMD5.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\HCCMP.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\ichk2.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\iChkSA.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\IWGen.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kave.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kosglue-7.0.25.0.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\lha.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\L_llio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\mdb.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\minizip.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\MKavIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\msoe.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\nfio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\prKernel.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\prLoader.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\PrUtil.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\rar.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\ScanningProcess.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\sfdb.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\TempFile.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\thpimpl.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\UniArc.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\WDiskIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_478.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07202008_152843

Files moved on Reboot...
File move failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\Perflib_Perfdata_174.dat scheduled to be moved on reboot.
File move failed. C:\DOCUME~1\Paal\LOCALS~1\Temp\~DF6B1.tmp scheduled to be moved on reboot.
C:\DOCUME~1\Paal\LOCALS~1\Temp\hsperfdata_Paal\372 moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\Arj.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\avlib.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\Avp1.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\AvpMgr.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\CAB.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\dmap.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\dtreg.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\FsDrvPlg.ppl moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\FSSync.dll
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\FSSync.dll NOT unregistered.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\FSSync.dll moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\HashCont.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\HashMD5.PPL moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\HCCMP.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\ichk2.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\iChkSA.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\IWGen.ppl moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kave.dll
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kave.dll NOT unregistered.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kave.dll moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kosglue-7.0.25.0.dll
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kosglue-7.0.25.0.dll NOT unregistered.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\kosglue-7.0.25.0.dll moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\lha.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\L_llio.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\mdb.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\minizip.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\MKavIO.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\msoe.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\nfio.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\prKernel.ppl moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\prLoader.dll
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\prLoader.dll NOT unregistered.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\prLoader.dll moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\PrUtil.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\rar.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\ScanningProcess.exe moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\sfdb.PPL moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\TempFile.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\thpimpl.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\UniArc.ppl moved successfully.
C:\DOCUME~1\Paal\LOCALS~1\Temp\jkos-Paal\binaries\WDiskIO.ppl moved successfully.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_478.dat scheduled to be moved on reboot.

rebooted.

Malwarebytes' Anti-Malware 1.21
Database version: 969
Windows 5.1.2600 Service Pack 2

15:46:25 20.07.2008
mbam-log-7-20-2008 (15-46-25).txt

Scan type: Quick Scan
Objects scanned: 47125
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:55 AM

Posted 20 July 2008 - 08:58 AM

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\dh80bLH5.dll 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{650CA63D-4A01-4BF8-A608-9B1EBB36292E}
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0BD14114-724F-BE0A-0708-020600040106}
    C:\WINDOWS\svchost.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2780faf9-5bfb-11dc-be54-0019db226547}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
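After a move like the one above, a practitioner wants to confirm that the three persistence locations on the list (ShellExecuteHooks, Active Setup Installed Components and MountPoints2 AutoRun commands) no longer point at anything odd. The following is an added example, not code from the thread or from OTMoveIt2; it assumes an elevated PowerShell 2.0 or later session on the machine being checked, only reads the registry and file system, and its "Reason" heuristics are constructed for this example rather than any vendor rule.

```powershell
# Enumerate the three persistence locations targeted by the OTMoveIt2 list above
# and return one object per entry (Location, Entry, Target).
function Get-PersistenceFindings {
    $findings = @()

    # 1. ShellExecuteHooks: each value name is a CLSID that Explorer loads in-process,
    #    so resolve the CLSID to the DLL behind it (dh80bLH5.dll sat here in the DSS log).
    $hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $hooksKey) {
        foreach ($p in (Get-ItemProperty -Path $hooksKey).PSObject.Properties) {
            if ($p.Name -notlike '{*}') { continue }   # skip PSPath, PSChildName, ...
            $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$($p.Name)\InprocServer32"
            $dll = if (Test-Path $clsidKey) { (Get-ItemProperty -Path $clsidKey).'(default)' } else { $null }
            $findings += New-Object PSObject -Property @{
                Location = 'ShellExecuteHooks'; Entry = $p.Name; Target = $dll }
        }
    }

    # 2. Active Setup: StubPath is run once per user at logon (the log's entry pointed
    #    at C:\WINDOWS\svchost.exe, while the genuine file lives in system32).
    $asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($sub in (Get-ChildItem -Path $asKey -ErrorAction SilentlyContinue)) {
        $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
        if ($stub) {
            $findings += New-Object PSObject -Property @{
                Location = 'ActiveSetup'; Entry = $sub.PSChildName; Target = $stub }
        }
    }

    # 3. MountPoints2: a Shell\AutoRun\command under a drive entry runs when that
    #    drive is opened from Explorer (the DSS log showed J:\LaunchU3.exe -a).
    $mpKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    foreach ($sub in (Get-ChildItem -Path $mpKey -ErrorAction SilentlyContinue)) {
        $cmdKey = Join-Path $sub.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmdKey) {
            $findings += New-Object PSObject -Property @{
                Location = 'MountPoints2'; Entry = $sub.PSChildName
                Target = (Get-ItemProperty -Path $cmdKey).'(default)' }
        }
    }
    return $findings
}

# Pull the image path out of a command line such as "C:\x\y.exe" -a or C:\x\y.exe -a.
# A bare file name (regsvr32.exe ...) is assumed to resolve to %SystemRoot%\system32.
function Get-ImagePath([string]$cmd) {
    if (-not $cmd) { return $null }
    $img = $cmd
    if ($cmd -match '^"([^"]+)"')           { $img = $Matches[1] }
    elseif ($cmd -match '^(\S+?\.(exe|dll))') { $img = $Matches[1] }
    $img = [Environment]::ExpandEnvironmentVariables($img)
    if ($img -notmatch '\\') { $img = Join-Path "$env:SystemRoot\system32" $img }
    return $img
}

# Constructed review heuristics: why an analyst should look at this entry (empty = nothing obvious).
function Get-Reason($f) {
    if ($f.Location -eq 'MountPoints2') { return 'AutoRun command on a removable/mapped drive' }
    $img = Get-ImagePath $f.Target
    if (-not $img) { return 'hook CLSID has no InprocServer32 (orphaned or already removed)' }
    if (-not (Test-Path -LiteralPath $img)) { return 'referenced file is missing on disk' }
    if ($img -match '\\(svchost|winlogon|lsass|csrss)\.exe$' -and $img -notmatch '\\system32\\') {
        return 'system file name outside its normal directory'
    }
    return ''
}

Get-PersistenceFindings |
    Select-Object Location, Entry, Target, @{ n = 'Reason'; e = { Get-Reason $_ } } |
    Format-Table -AutoSize -Wrap
```

A blank Reason column is not a clean bill of health; it only means none of the three constructed checks fired, so unfamiliar DLLs listed under ShellExecuteHooks still deserve a look.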

=============
Then please post that log and a new dss log and let me know if all is normal again?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#9 twistah

twistah
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:55 AM

Posted 20 July 2008 - 01:00 PM

Thanks !!

Move log:
C:\WINDOWS\system32\dh80bLH5.dll unregistered successfully.
C:\WINDOWS\system32\dh80bLH5.dll moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{650CA63D-4A01-4BF8-A608-9B1EBB36292E} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{650CA63D-4A01-4BF8-A608-9B1EBB36292E}\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0BD14114-724F-BE0A-0708-020600040106} >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0BD14114-724F-BE0A-0708-020600040106}\\ deleted successfully.
File/Folder C:\WINDOWS\svchost.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2780faf9-5bfb-11dc-be54-0019db226547} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2780faf9-5bfb-11dc-be54-0019db226547}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07202008_195452


DSS Log:
23:16:05         0 d-------- C:\Program Files\iTunes2008-07-13 23:15:05         0 d-------- C:\Program Files\Bonjour2008-07-13 23:14:37         0 d-------- C:\Program Files\QuickTime2008-07-11 09:07:54       664 --a------ C:\WINDOWS\system32\d3d9caps.dat2008-07-09 23:00:15         0 d-------- C:\Documents and Settings\Paal\Application Data\Adobe2008-07-09 22:18:24         0 d-------- C:\Program Files\Google2008-07-09 19:14:12         0 d-------- C:\Program Files\Safari2008-07-06 15:26:28         0 d-------- C:\Documents and Settings\Paal\Application Data\SPORE Creature Creator2008-07-06 15:26:05        23 --a------ C:\WINDOWS\popcinfot.dat2008-07-06 15:23:22         0 d-------- C:\Program Files\Steam2008-06-29 23:57:12         0 d-------- C:\Program Files\Trillian2008-06-21 11:03:25         0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 52008-06-19 21:18:30         0 d-------- C:\Documents and Settings\Paal\Application Data\teamspeak22008-06-18 13:06:14         0 d-------- C:\Documents and Settings\Paal\Application Data\Publish Providers2008-06-18 09:39:35         0 d-------- C:\Program Files\Electronic Arts2008-06-12 21:10:05         0 d-------- C:\Program Files\VentriloMIX2008-06-12 17:57:42         0 d-------- C:\Documents and Settings\Paal\Application Data\Ventrilo2008-06-12 17:57:01         0 d-------- C:\Program Files\Ventrilo2008-06-11 14:49:55         0 d-------- C:\Program Files\Last.fm2008-06-11 14:27:46         0 d-------- C:\Program Files\DivX2008-06-10 06:46:03         0 d-------- C:\Documents and Settings\Paal\Application Data\U32008-06-05 00:33:48         0 d-------- C:\Documents and Settings\Paal\Application Data\Nitro PDF2008-05-31 01:22:48    802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>2008-05-31 01:22:48    823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>2008-05-31 01:22:48    823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; 
DivX®>2008-05-31 01:22:46    815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>2008-05-31 01:22:46    683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>2008-05-23 00:22:18   3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll2008-05-23 00:19:46    196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>2008-05-23 00:19:46     81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>2008-05-23 00:18:54     12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll2008-05-21 20:24:27         0 d-------- C:\Program Files\MSXML 4.02008-05-20 19:41:31         0 d-------- C:\Program Files\Podcast Station2008-05-02 22:46:00   1630208 --a------ C:\WINDOWS\system32\nwiz.exe2008-05-02 22:46:00   1019904 --a------ C:\WINDOWS\system32\nvwimg.dll2008-05-02 22:46:00   1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll2008-05-02 22:46:00    466944 --a------ C:\WINDOWS\system32\nvshell.dll2008-05-02 22:46:00   1486848 --a------ C:\WINDOWS\system32\nview.dll2008-05-02 22:46:00   1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe2008-05-02 22:46:00    442368 --a------ C:\WINDOWS\system32\nvappbar.exe2008-05-02 22:46:00    425984 --a------ C:\WINDOWS\system32\keystone.exe2008-04-22 19:55:29    413696 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>2008-04-22 19:55:29    110592 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. 
and NVIDIA Corp.; Standard OpenAL(tm) Library>-- Registry Dump ---------------------------------------------------------------*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4CC8907-3EA6-49EE-8B74-D09660120910}]15.07.2008 08:42	184816	--a----t-	C:\Program Files\Google\Update\1.2.121.9\GoopdateBho.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02.05.2008 22:46]"nwiz"="nwiz.exe" [02.05.2008 22:46 C:\WINDOWS\system32\nwiz.exe]"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15.07.2005 23:48]"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [09.01.2006 04:43]"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe" [30.08.2007 06:32]"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16.05.2008 01:19]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22.02.2008 04:25]"CTHelper"="CTHELPER.EXE" [20.02.2008 20:58 C:\WINDOWS\system32\CtHelper.exe]"CTxfiHlp"="CTXFIHLP.EXE" [20.02.2008 20:58 C:\WINDOWS\system32\Ctxfihlp.exe]"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [02.05.2008 22:46]"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [10.07.2008 09:47]"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27.05.2008 10:50]"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10.07.2008 10:51]"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [13.06.2008 23:19][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 14:00]"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12.11.2006 12:48]"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28.05.2008 10:33][HKEY_LOCAL_MACHINE\software\microsoft\windows 
nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]"C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"StarWindServiceAE"=2 (0x2)"NMIndexingService"=3 (0x3)"MSDTC"=3 (0x3)"mnmsrvc"=3 (0x3)"Kwari.xLoader"=3 (0x3)"IISADMIN"=2 (0x2)"aawservice"=2 (0x2)*Newly Created Service* - PAVBOOT-- End of Deckard's System Scanner: finished at 2008-07-20 19:57:45 ------------

I'll check throughout the evening if the problem disappears. The ad-popups seem quite random.
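The HijackThis part of the log above lists autoruns (O4) and services (O23) in a fixed line format, and a helper reads them by eye for the same few things every time: an autorun given as a bare file name (such as CTHELPER.EXE) is resolved by search order and can be hijacked by a planted file of the same name; an image under a user-writable profile directory, or outside Program Files and Windows, deserves a closer look; a service whose company field is HijackThis' "Unknown owner" marker carries no publisher information. The following Python is an added example, not code from the original post or from HijackThis, that parses those two record types and applies exactly those checks. The first seven sample lines are copied from the log above; the last two are constructed for this example and say nothing about that machine.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind name company image")

# Sample HijackThis lines. The first seven are copied from the log above; the
# last two are CONSTRUCTED for this example and do not describe that machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\Paal\Local Settings\Temp\updater.exe" /s
O23 - Service: Host Helper (hosthlp) - Unknown owner - C:\Documents and Settings\Paal\Application Data\hosthlp.exe
"""

# O4: "O4 - <hive>\..\Run: [<name>] <command line>" with an optional "(User '...')" suffix.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
# O23: "O23 - Service: <display name> - <company> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<image>.+)$")

# Where installed software normally lives (8.3 short form included), lower-cased.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Path fragments that mean the logged-on user can write to the image's directory.
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")


def image_from_command(cmd):
    """Extract the executable from an O4 command line; for rundll32 lines, the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() == "rundll32.exe" and rest:
        return rest.split(",", 1)[0].strip()
    return first


def parse_log(text):
    """Turn O4/O23 lines into Entry records; other HijackThis sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], "", image_from_command(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["company"], m["image"].strip()))
    return entries


def assess(entry):
    """Return the reasons an entry deserves a second look (empty list if none)."""
    reasons = []
    img = entry.image.lower()
    if not re.match(r"^[a-z]:\\", img):
        reasons.append("unqualified path: resolved by search order, so a planted file of the same name wins")
    elif any(frag in img for frag in USER_WRITABLE):
        reasons.append("image in a user-writable profile directory")
    elif not img.startswith(TRUSTED_PREFIXES):
        reasons.append("image outside Program Files / Windows")
    if entry.kind == "O23" and entry.company.lower() == "unknown owner":
        reasons.append("service carries no publisher information")
    return reasons


def find_suspicious(text):
    """Parse a HijackThis log and return [(entry name, [reasons])] for flagged entries only."""
    return [(e.name, assess(e)) for e in parse_log(text) if assess(e)]


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the two constructed lines and the bare CTHELPER.EXE autorun are the only ones flagged; the avast, NVIDIA, DAEMON Tools and CTFMON entries pass because their images resolve under Program Files or Windows. A flag is a reason to look, not a verdict: CTHELPER.EXE is a legitimate Creative helper here, as the registry dump's full path shows, but the point of the check is that a file of that name earlier in the search path would run instead.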

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:55 AM

Posted 20 July 2008 - 02:48 PM

Everything looks good on this end; let me know if it keeps happening.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#11 twistah

twistah
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:55 AM

Posted 24 July 2008 - 01:52 PM

All seems good here too now!

Thanks very much.

Could you share what you think was the malware in question?

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:55 AM

Posted 24 July 2008 - 05:53 PM

Yes, it appeared that you had a small assortment of malware, one being trojan Delf and some other random malware.
All is gone now and no worries :)
=======================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
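The step in the post above that matters for security is "remove all older versions of Java": Sun's installer puts each update beside the previous ones rather than replacing them, so an old JRE with known holes stays on the machine until somebody uninstalls it by hand. As an added example, not code from the original post or from Sun, the following Python does the enumeration behind that step: it reads Add/Remove Programs entries, recognises the JRE display names of the period ("Java(TM) 6 Update 5", "J2SE Runtime Environment 5.0 Update 11", "Java 2 Runtime Environment, SE v1.4.2_03"), and plans a quiet msiexec removal for every JRE older than 6 Update 7. The sample entries and their product GUIDs are constructed placeholders, the "--live" switch and the registry walk are this example's own, and nothing is uninstalled unless that switch is given on Windows.

```python
import re
import subprocess
import sys

TARGET = (6, 7)  # JRE 6 Update 7, the version the post asks for

# CONSTRUCTED Add/Remove Programs rows (DisplayName, UninstallString) in the naming
# style Sun's installers used; the product GUIDs are PLACEHOLDERS, not real codes.
SAMPLE_ENTRIES = [
    ("Java(TM) 6 Update 5", "MsiExec.exe /X{00000000-0000-0000-0000-000000000605}"),
    ("J2SE Runtime Environment 5.0 Update 11", "MsiExec.exe /X{00000000-0000-0000-0000-000000000511}"),
    ("Java 2 Runtime Environment, SE v1.4.2_03", "MsiExec.exe /X{00000000-0000-0000-0000-000000000403}"),
    ("Java(TM) 6 Update 7", "MsiExec.exe /X{00000000-0000-0000-0000-000000000607}"),
    ("Mozilla Firefox (3.0)", "C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"),
]

JRE_NAME = re.compile(
    r"^(?:Java\(TM\)(?: SE Runtime Environment)?|J2SE Runtime Environment|"
    r"Java 2 Runtime Environment, SE)\s+v?(\d+)(?:\.(\d+))?", re.IGNORECASE)
GUID = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)


def jre_version(display_name):
    """Map a JRE DisplayName to (family, update), e.g. 'Java(TM) 6 Update 5' -> (6, 5).
    Returns None for anything that is not a Sun JRE entry."""
    m = JRE_NAME.match(display_name)
    if not m:
        return None
    family = int(m.group(1))
    if family == 1 and m.group(2):   # '1.4.2' / '1.5.0' style: the family is the second number
        family = int(m.group(2))
    u = re.search(r"Update (\d+)|_(\d+)", display_name)
    update = int(u.group(1) or u.group(2)) if u else 0
    return (family, update)


def plan_removals(entries, target=TARGET):
    """Return [(name, version, msiexec argv or None)] for every JRE older than target.
    Sun installs each update side by side, so old JREs remain until removed explicitly."""
    plan = []
    for name, uninstall in entries:
        ver = jre_version(name)
        if ver is None or ver >= target:
            continue
        g = GUID.search(uninstall)
        argv = ["msiexec.exe", "/x", g.group(0), "/qn", "/norestart"] if g else None
        plan.append((name, ver, argv))
    return plan


def installed_programs():
    """Read DisplayName/UninstallString from the Uninstall key (Windows only)."""
    import winreg  # present only on Windows; the sample run never gets here
    rows = []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as k:
                    rows.append((winreg.QueryValueEx(k, "DisplayName")[0],
                                 winreg.QueryValueEx(k, "UninstallString")[0]))
            except OSError:  # subkey without those two values
                continue
    return rows


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    entries = installed_programs() if live else SAMPLE_ENTRIES
    for name, (family, update), argv in plan_removals(entries):
        print(f"{name} ({family}u{update}): {' '.join(argv) if argv else 'no MSI code, remove by hand'}")
        if live and argv:
            subprocess.call(argv)
```

Without "--live" the script only prints its plan for the constructed rows: 6 Update 5, 5.0 Update 11 and 1.4.2_03 are scheduled for removal, 6 Update 7 is kept, and Firefox is ignored. Entries that are JRE-like but carry no MSI product code get no command and are listed for manual removal rather than guessed at.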

#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:55 AM

Posted 27 July 2008 - 08:04 AM

You are welcome :thumbsup:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.



