Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware Warning


  • This topic is locked This topic is locked
13 replies to this topic

#1 ms3

ms3

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 03 August 2008 - 06:47 PM

I have a 14 year old son who has allowed his computer to become infected with something. The desktop screen was blue with the message "warning spyware detected on your computer install an antivirus ...." etc. I was also seeing random internet pages pop up. The McAffee program popped up saying that it had removed trojan generic.dx and vundo while I was working on it. The virus message was on the computer for about 2 weeks, I did not have time to work on it before today (I know I should have turned it off) After following all of the instructions on your preparation guide, the desktop message is gone and I haven't had any unasked for web pages open. The desktop is still blue. Would you please check to see if there is residual nastiness?
Thank you.

Deckard's System Scanner v20071014.68
Run by Serio on 2008-08-03 16:29:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-08-03 23:29:55 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-08-03 21:15:10 UTC - RP8 - Installed Java™ 6 Update 7
7: 2008-08-03 21:05:44 UTC - RP7 - Removed Java™ 6 Update 2
6: 2008-07-29 21:51:52 UTC - RP6 - System Checkpoint
5: 2008-07-28 19:41:49 UTC - RP5 - System Checkpoint


-- First Restore Point --
1: 2008-07-20 03:24:05 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-03 16:31:41
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Documents and Settings\Serio\Desktop\dss.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070817
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {228D5C50-60FC-4916-8534-6DE01477B21F} - C:\WINDOWS\system32\vtUkjJBr.dll
O2 - BHO: (no name) - {313907D9-4A98-43BD-BDD6-020BC0B5FB0C} - C:\WINDOWS\system32\awtqoMgH.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {3c3bcc8b-713e-3eea-9154-0a1ef4336957} - {7596334f-e1a0-4519-aee3-e317b8ccb3c3} - C:\WINDOWS\system32\vbaaxc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {86286B2C-1E39-4E6D-AFA9-5E2BC49AE1A5} - (no file)
O2 - BHO: (no name) - {A8D99CE4-F912-4A31-A5B2-76AFEFE2CB9C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [f464c81d] rundll32.exe "C:\WINDOWS\system32\agwoxokd.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Batco\bat.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Serio\Local Settings\Temp\{044511C8-60B2-4A80-AB4A-07B0FFFB1333}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204518448187
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O20 - AppInit_DLLs: vbaaxc.dll
O20 - Winlogon Notify: awtqoMgH - C:\WINDOWS\system32\awtqoMgH.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O24 - Desktop Component 0: - http://91.121.132.199/gifs/79.gifO24 - Desktop Component 1: - http://91.121.71.200/gifs/790.gif

--
End of file - 12237 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 DSBrokerService - "c:\program files\dellsupport\brkrsvc.exe" <Not Verified; ; Gteko BrkrSvc Application>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-15 01:00:00 366 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-07-01 01:00:00 368 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 14:11:39 0 d-------- C:\Documents and Settings\Serio\.SunDownloadManager
2008-08-03 14:06:03 0 d-------- C:\WINDOWS\system32\appmgmt
2008-08-03 13:21:14 98688 --a------ C:\WINDOWS\system32\agwoxokd.dll
2008-08-03 13:19:31 130432 --a------ C:\WINDOWS\system32\vbaaxc.dll
2008-08-03 13:19:30 130432 --a------ C:\WINDOWS\system32\dsbnmxus.dll
2008-07-29 10:08:56 120448 --a------ C:\WINDOWS\system32\rgswar.dll
2008-07-29 10:08:55 120448 --a------ C:\WINDOWS\system32\ruqtspel.dll
2008-07-28 10:06:06 120960 --a------ C:\WINDOWS\system32\fwzqfh.dll
2008-07-28 10:06:06 120960 --a------ C:\WINDOWS\system32\bcwvuitu.dll
2008-07-27 10:08:58 116352 --a------ C:\WINDOWS\system32\dmftdu.dll
2008-07-27 10:08:57 116352 --a------ C:\WINDOWS\system32\rvebcosk.dll
2008-07-27 05:12:14 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-26 10:05:57 116864 --a------ C:\WINDOWS\system32\sdizvp.dll
2008-07-26 10:05:56 116864 --a------ C:\WINDOWS\system32\sbtogyln.dll
2008-07-25 10:08:39 94848 --a------ C:\WINDOWS\system32\aoefghpq.dll
2008-07-25 10:05:40 116352 --a------ C:\WINDOWS\system32\amxwad.dll
2008-07-25 10:05:39 116352 --a------ C:\WINDOWS\system32\kbhcpmlm.dll
2008-07-22 17:35:33 0 d-------- C:\Program Files\Monopoly
2008-07-22 17:35:33 0 d-------- C:\Documents and Settings\Serio\Application Data\SpinTop
2008-07-22 10:08:05 94848 --a------ C:\WINDOWS\system32\xxnqhcuf.dll
2008-07-22 10:05:06 116352 --a------ C:\WINDOWS\system32\rinybz.dll
2008-07-22 10:05:05 116352 --a------ C:\WINDOWS\system32\pdkxtfjw.dll
2008-07-21 10:05:06 116864 --a------ C:\WINDOWS\system32\jdydsb.dll
2008-07-21 10:05:05 116864 --a------ C:\WINDOWS\system32\mpigxnht.dll
2008-07-19 20:11:21 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-19 20:11:21 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-19 20:11:21 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-19 20:11:21 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-19 20:11:21 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-19 20:11:20 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-19 20:11:20 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-19 20:11:20 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-18 22:02:47 788285 --ahs---- C:\WINDOWS\system32\rBJjkUtv.ini2
2008-07-18 22:02:43 322816 --a------ C:\WINDOWS\system32\vtUkjJBr.dll
2008-07-18 21:58:06 33664 --a------ C:\WINDOWS\system32\rqRKDwUo.dll
2008-07-18 21:58:06 33664 --a------ C:\WINDOWS\system32\rqRJASJD.dll
2008-07-18 21:57:41 33664 --a------ C:\WINDOWS\system32\tuvTlkiF.dll
2008-07-18 21:57:41 33664 --a------ C:\WINDOWS\system32\awtqoMgH.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-03 14:15:43 0 d-------- C:\Program Files\Java
2008-08-03 14:12:51 0 d-------- C:\Documents and Settings\Serio\Application Data\LimeWire
2008-08-03 14:07:19 0 d-------- C:\Program Files\McAfee
2008-07-27 05:12:23 0 d-------- C:\Program Files\Google
2008-07-19 20:17:03 3738 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-17 09:07:46 1372 --a------ C:\Documents and Settings\Serio\Application Data\wklnhst.dat
2008-06-26 20:40:04 0 d-------- C:\Documents and Settings\Serio\Application Data\Google
2008-06-22 19:38:17 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-22 19:35:52 0 d-------- C:\Program Files\AIM6
2008-06-05 20:17:05 0 d-------- C:\Program Files\NCH Software
2008-06-05 20:07:32 0 d-------- C:\Program Files\mpegable
2008-06-05 20:07:28 47104 -----n--- C:\WINDOWS\AKDeInstall.exe <Not Verified; ; DeInstall>
2008-06-05 19:45:29 0 d-------- C:\Documents and Settings\Serio\Application Data\CyberLink
2008-06-05 19:36:44 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-06-05 19:36:37 0 d-------- C:\Program Files\Common Files\DeskShare Shared
2008-06-05 19:36:36 0 d-------- C:\Program Files\Common Files
2008-06-05 19:36:33 0 d-------- C:\Program Files\Deskshare
2008-05-18 20:06:05 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-12 15:19:57 1024 --a------ C:\Documents and Settings\Serio\Application Data\WavCodec.wff


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{228D5C50-60FC-4916-8534-6DE01477B21F}]
07/18/2008 10:02 PM 322816 --a------ C:\WINDOWS\system32\vtUkjJBr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{313907D9-4A98-43BD-BDD6-020BC0B5FB0C}]
07/18/2008 09:57 PM 33664 --a------ C:\WINDOWS\system32\awtqoMgH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7596334f-e1a0-4519-aee3-e317b8ccb3c3}]
08/03/2008 01:19 PM 130432 --a------ C:\WINDOWS\system32\vbaaxc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86286B2C-1E39-4E6D-AFA9-5E2BC49AE1A5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8D99CE4-F912-4A31-A5B2-76AFEFE2CB9C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 12:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/14/2007 12:26 PM]
"CTHelper"="CTHELPER.EXE" [11/08/2005 03:30 AM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [03/01/2006 07:00 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/17/2003 11:00 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [10/14/2005 09:01 AM]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [11/04/2005 04:07 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/10/2000 11:00 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [10/03/2006 09:35 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [10/03/2006 09:37 AM]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [11/05/2006 09:22 AM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 07:00 AM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 03:23 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 03:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/22/2007 09:05 PM]
"MDNS"="C:\WINDOWS\system32\service.exe" []
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [11/26/2007 10:46 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"f464c81d"="C:\WINDOWS\system32\agwoxokd.dll" [08/03/2008 01:21 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 01:21 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/23/2007 02:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{313907D9-4A98-43BD-BDD6-020BC0B5FB0C}"= C:\WINDOWS\system32\awtqoMgH.dll [07/18/2008 09:57 PM 33664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqoMgH]
awtqoMgH.dll 07/18/2008 09:57 PM 33664 C:\WINDOWS\system32\awtqoMgH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=vbaaxc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUkjJBr

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{678d9cab-31cc-11dd-a682-001aa0b3900c}]
play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

9053 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-03 16:32:12 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6600 @ 2.40GHz
CPU 1: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 2045.28 MiB / 1225.14 MiB
Pagefile Memory (total/avail): 3937.94 MiB / 3082.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919.57 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 293.4 GiB total, 256.89 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 293.4 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Serio\Application Data
CLASSPATH=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KYLE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Serio
LOGONSERVER=\\KYLE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Serio\LOCALS~1\Temp
TMP=C:\DOCUME~1\Serio\LOCALS~1\Temp
USERDOMAIN=KYLE
USERNAME=Serio
USERPROFILE=C:\Documents and Settings\Serio
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Serio (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44267176-A318-447F-A62A-0A5FD608C34F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44267176-A318-447F-A62A-0A5FD608C34F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6349CEE9-19F2-49D9-AC9D-B0350E3CBDB1}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6349CEE9-19F2-49D9-AC9D-B0350E3CBDB1}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B026740-A400-48FF-8F6B-B37C4F61C937}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B026740-A400-48FF-8F6B-B37C4F61C937}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B49BCFF0-64CC-4E0E-AD9D-91BFBD344BAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B49BCFF0-64CC-4E0E-AD9D-91BFBD344BAE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5AF6143-E738-4768-A5E6-C07C68A464A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5AF6143-E738-4768-A5E6-C07C68A464A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Advanced Decoder Patch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{46C73DE4-E96D-4F7C-8371-F28052183B12}\setup.exe" -l0x9
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Bat --> "C:\Program Files\Batco\un_BatSetup_15073.exe"
BoBaFeTT Diablo Trainer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BoBaFeTT Diablo Trainer\DUninst.isu"
Broadcom Management Programs --> MsiExec.exe /X{C99C0593-3B48-41D9-B42F-6E035B320449}
Combined Community Codec Pack 2008-01-24 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\setup.exe" -l0x9 /remove
Dell DataSafe Online --> MsiExec.exe /I{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}
Dell Support Center --> MsiExec.exe /I{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Diablo --> C:\WINDOWS\DiabUnin.exe C:\WINDOWS\DiabUnin.dat
Diablo --> C:\WINDOWS\DiabUnin.exe C:\WINDOWS\DiabUnin.dat
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Documentation & Support Launcher --> MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
Drakan - Order of the Flame --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Psygnosis\Drakan\Uninst.isu"
Drakan Editing Tools --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Psygnosis\Drakan\Editor\Uninst.isu"
EQWatcher Evolution (remove only) --> "C:\Program Files\EQWatcher Advanced\uninst-eqwa.exe"
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
EverQuest: Gold Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4390A22-DC75-11D6-B881-00A0CC58DEE4}\setup.exe" -l0x9
EverQuest: The Anniversary Edition --> C:\Program Files\InstallShield Installation Information\{6BB7C3F8-40EC-4ACD-8F7C-78B769B34B08}\setup.exe -runfromtemp -l0x0009 -removeonly
Express Burn --> C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Frets On Fire --> "C:\Program Files\Frets on Fire\Uninstall.exe"
FrostWire 4.13.2.0 --> C:\Program Files\FrostWire\Uninstall.exe
Games, Music, & Photos Launcher --> MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Earth --> MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hero Editor V0.96 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Hero Editor\ST6UNST.LOG"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Internet Service Offers Launcher --> MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lemonade Tycoon --> "C:\Program Files\Lemonade Tycoon\ReflexiveArcade\unins000.exe"
Lemonade Tycoon --> C:\PROGRA~1\SHOCKW~1.COM\LEMONA~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\LEMONA~1\INSTALL.LOG
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Mercenaries: Titanium Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Activision\Titanium\Mercenaries\Uninst.isu"
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Monopoly --> C:\Program Files\Monopoly\uninstall.exe
mpegable DS decoder --> C:\WINDOWS\AKDeInstall.exe "/C:\Program Files\mpegable\"
Mplayer.com --> C:\Program Files\Mplayer\System\Unwise32.exe /a C:\PROGRA~1\Mplayer\System\install.log
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Oni --> C:\WINDOWS\unvise32.exe C:\Program Files\Oni\uninstal.log
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
Prism Video Converter --> C:\Program Files\NCH Software\Prism\uninst.exe
Quest Creator - SHAREWARE --> C:\Program Files\DatawareGames\Quest Creator Demo\Uninstal.exe
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RollerCoaster TycoonŽ 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\Setup.exe" -l0x9
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin --> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE --> MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SearchAssist --> C:\DELL\SearchAssist\UninstSA.bat
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sound Blaster X-Fi --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\setup.exe" -l0x9 /remove
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
StepMania (remove only) --> "C:\Program Files\StepMania\uninstall.exe"
Stunt Track Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Stunt Track Driver\Stunt Track Driver.isu"
Sun Download Manager 2.0 (web) --> C:\WINDOWS\system32\javaws.exe -uninstall "http://javadl-esd.sun.com/update/sdm20/sdm20.jnlp"
Switch --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
ThinkTanks --> C:\PROGRA~1\SHOCKW~1.COM\THINKT~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\THINKT~1\INSTALL.LOG
Tony Hawk's Pro Skater 2 --> C:\PROGRA~1\ACTIVI~2\THPS2\UNINST~1\UNINST~1.EXE C:\Program Files\Activision Value\THPS2\uninstall\Tony Hawk's Pro Skater 2.log
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
URL Assistant --> regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Video Edit Magic 4.4 --> "C:\Program Files\Deskshare\Video Edit Magic 4.4\unins000.exe"
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067 -->
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4242 / Warning
Event Submitted/Written: 08/03/2008 02:07:35 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type4241 / Warning
Event Submitted/Written: 08/03/2008 02:07:34 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type4224 / Error
Event Submitted/Written: 07/22/2008 09:17:59 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4221 / Error
Event Submitted/Written: 07/21/2008 01:34:21 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4220 / Error
Event Submitted/Written: 07/20/2008 10:31:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25140 / Error
Event Submitted/Written: 08/03/2008 02:04:26 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type25136 / Error
Event Submitted/Written: 08/03/2008 01:17:35 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.1.101 on the
Network Card with network address 001AA0B3900C.

Event Record #/Type25135 / Warning
Event Submitted/Written: 08/03/2008 01:17:35 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001AA0B3900C. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type25133 / Error
Event Submitted/Written: 07/29/2008 09:02:49 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.101 for the Network Card with network address 001AA0B3900C has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type25132 / Error
Event Submitted/Written: 07/28/2008 09:02:46 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.101 for the Network Card with network address 001AA0B3900C has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-08-03 16:32:12 ------------

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 03, 2008 23:04:12
Records in database: 1049374


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 104484
Threat name 16
Infected objects 110
Suspicious objects 0
Duration of the scan 00:51:37

File name Threat name Threats count
C:\WINDOWS\system32\awtqoMgH.dll/C:\WINDOWS\system32\awtqoMgH.dll Infected: Trojan.Win32.Vapsup.itu 4

C:\WINDOWS\system32\vbaaxc.dll/C:\WINDOWS\system32\vbaaxc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 37

C:\WINDOWS\System32\vbaaxc.dll/C:\WINDOWS\System32\vbaaxc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 2

C:\WINDOWS\system32\agwoxokd.dll/C:\WINDOWS\system32\agwoxokd.dll Infected: Trojan.Win32.Monder.cet 27

C:\WINDOWS\SYSTEM32\vbaaxc.dll/C:\WINDOWS\SYSTEM32\vbaaxc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\Documents and Settings\Serio\Desktop\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1

C:\Documents and Settings\Serio\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Serio\Desktop\SmitfraudFix.exe Infected: Hoax.Win32.Renos.vaoz 1

C:\Documents and Settings\Serio\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\6JAV03Y3\kb456456[1] Infected: Trojan.Win32.Monder.bdx 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\6JAV03Y3\kb767887[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\IDZ4T8JM\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.adwl 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\M5U1EF09\kb767887[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.bvc 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\QDYH8HI7\kb456456[1] Infected: Trojan.Win32.Monder.cet 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\TKOBL9CX\kb767887[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.adwm 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\TKOBL9CX\kb767887[2] Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\VVDNJXOS\kb456456[1] Infected: Trojan.Win32.Monder.bma 1

C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\VVDNJXOS\kb767887[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.bve 1

C:\RECYCLER\S-1-5-21-499846286-147371393-4230342419-1005\Dc176\IEDFix.exe Infected: Hoax.Win32.Renos.vatl 1

C:\RECYCLER\S-1-5-21-499846286-147371393-4230342419-1005\Dc177\IEDFix.exe Infected: Hoax.Win32.Renos.vatl 1

C:\RECYCLER\S-1-5-21-499846286-147371393-4230342419-1005\Dc191\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1

C:\WINDOWS\system32\agwoxokd.dll Infected: Trojan.Win32.Monder.cet 1

C:\WINDOWS\system32\amxwad.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\system32\aoefghpq.dll Infected: Trojan.Win32.Monder.avp 1

C:\WINDOWS\system32\awtqoMgH.dll Infected: Trojan.Win32.Vapsup.itu 1

C:\WINDOWS\system32\bcwvuitu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.adwm 1

C:\WINDOWS\system32\dmftdu.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvc 1

C:\WINDOWS\system32\dsbnmxus.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\WINDOWS\system32\fwzqfh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.adwm 1

C:\WINDOWS\system32\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1

C:\WINDOWS\system32\jdydsb.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.caj 1

C:\WINDOWS\system32\kbhcpmlm.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\system32\mpigxnht.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.caj 1

C:\WINDOWS\system32\pdkxtfjw.dll Infected: Trojan.Win32.Monder.axp 1

C:\WINDOWS\system32\rgswar.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bve 1

C:\WINDOWS\system32\rinybz.dll Infected: Trojan.Win32.Monder.axp 1

C:\WINDOWS\system32\rqRJASJD.dll Infected: Trojan.Win32.Vapsup.itu 1

C:\WINDOWS\system32\rqRKDwUo.dll Infected: Trojan.Win32.Vapsup.itu 1

C:\WINDOWS\system32\ruqtspel.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bve 1

C:\WINDOWS\system32\rvebcosk.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvc 1

C:\WINDOWS\system32\sbtogyln.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\system32\sdizvp.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\system32\tuvTlkiF.dll Infected: Trojan.Win32.Vapsup.itu 1

C:\WINDOWS\system32\vbaaxc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

The selected area was scanned.

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:03 AM

Posted 09 August 2008 - 03:07 PM

Hello ms3,

Sorry for the delay, but we have many logs backed up.


Just a note:
Please refrain from using any Peer 2 Peer (Limewire) until your system is clean.

At one time P2P file sharing was fairly safe. That is no longer true. This practice is probably the source of your current malware infestation.

I strongly recommend uninstalling Limewire.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process.

By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer.

The reason for this is simple, file sharing relies on its members giving and gaining unfettered access to computers across the P2P network.
However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection.
That is because the files you are downloading may actually contain a disguised threat.
Many very malicious worms and trojans, spread across P2P files sharing networks because of their known vulnerabilities.



Please download Malwarebytes' Anti-Malware from Here or Here

I notice that you have Spybot's TeaTimer running.
While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes.
So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.



Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediatly.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

Edited by SifuMike, 09 August 2008 - 03:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ms3

ms3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 09 August 2008 - 04:27 PM

SifuMike: I hope I have done what you suggested, your very easy to follow step by step instructions for dummys like me was great until you got to the last part about replying- this is my first time with any type of scans and logs and posts. Finding the logs tab in MBAB eluded me for a while, but I think I got it.
If you could, more advice on how to avoid getting malware would be appreciated- perhaps you could direct me to some good sources of information.
Thank you

Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 2

2:03:54 PM 8/9/2008
mbam-log-8-9-2008 (14-03-54).txt

Scan type: Quick Scan
Objects scanned: 54014
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 14
Registry Keys Infected: 19
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 68

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\afjtmecg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\agwoxokd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eegrsuhx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eslhouyb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pxntgldl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vtUkjJBr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xnygeadu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxockfku.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtqoMgH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vbaaxc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awiureko.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ekioiyys.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lwekpqou.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ttolnosd.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63207815-7684-4949-8d95-64e328a4a1bb} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{63207815-7684-4949-8d95-64e328a4a1bb} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqomgh (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e080e19-80fa-4aa6-95c7-a45be90a781e} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f464c81d (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{313907d9-4a98-43bd-bdd6-020bc0b5fb0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zango 10.3.35.0 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukjjbr -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukjjbr -> Delete on reboot.

Folders Infected:
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\Batco (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\vtUkjJBr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rBJjkUtv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rBJjkUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afjtmecg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gcemtjfa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\agwoxokd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dkoxowga.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aoefghpq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qphgfeoa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eegrsuhx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xhusrgee.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eslhouyb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\byuohlse.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pxntgldl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ldlgtnxp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xnygeadu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\udaegynx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxnqhcuf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuchqnxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxockfku.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ukfkcoxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqoMgH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vbaaxc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awiureko.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ekioiyys.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lwekpqou.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ttolnosd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kbhcpmlm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvTlkiF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bcwvuitu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bnwrkh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwbhhiwp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfiqyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rgswar.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJASJD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRKDwUo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdizvp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amxwad.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dsbnmxus.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iejbcl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ruqtspel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rvebcosk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mpigxnht.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jdydsb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fvjdms.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fwzqfh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsgsle.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sbtogyln.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\41EBWTKR\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\41EBWTKR\kb456456[2] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\41EBWTKR\kb456456[3] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\4VRJMWP5\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\IDZ4T8JM\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\KB0RUJWB\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\SPUR0JQD\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\SPUR0JQD\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\SPUR0JQD\kb767887[2] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\TKOBL9CX\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\VVDNJXOS\kb767887[2] (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Batco\bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Batco\bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Batco\bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Batco\info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Batco\un_BatSetup_15073.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Batco\un_BatSetup_15073.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Batco\X_bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Serio\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.




Deckard's System Scanner v20071014.68
Run by Serio on 2008-08-09 14:13:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 14:14:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Program Files\McAfee\VirusScan\mcvsshld.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Serio\Local Settings\Temporary Internet Files\Content.IE5\41EBWTKR\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070817
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {228D5C50-60FC-4916-8534-6DE01477B21F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {86286B2C-1E39-4E6D-AFA9-5E2BC49AE1A5} - (no file)
O2 - BHO: (no name) - {A8D99CE4-F912-4A31-A5B2-76AFEFE2CB9C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Serio\Local Settings\Temp\{044511C8-60B2-4A80-AB4A-07B0FFFB1333}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204518448187
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O20 - AppInit_DLLs: vbaaxc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O24 - Desktop Component 0: - http://91.121.132.199/gifs/79.gifO24 - Desktop Component 1: - http://91.121.71.200/gifs/790.gif

--
End of file - 11345 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 13:41:36 0 d-------- C:\Documents and Settings\Serio\Application Data\Malwarebytes
2008-08-09 13:41:32 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 13:41:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 13:25:42 120448 --a------ C:\WINDOWS\system32\vfrumc.dll
2008-08-09 13:25:41 120448 --a------ C:\WINDOWS\system32\syacqleu.dll
2008-08-03 14:11:39 0 d-------- C:\Documents and Settings\Serio\.SunDownloadManager
2008-08-03 14:06:03 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-27 05:12:14 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-22 17:35:33 0 d-------- C:\Program Files\Monopoly
2008-07-22 17:35:33 0 d-------- C:\Documents and Settings\Serio\Application Data\SpinTop
2008-07-22 10:05:06 116352 --a------ C:\WINDOWS\system32\rinybz.dll
2008-07-22 10:05:05 116352 --a------ C:\WINDOWS\system32\pdkxtfjw.dll
2008-07-19 20:11:21 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-19 20:11:21 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-19 20:11:21 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-19 20:11:21 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-19 20:11:21 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-19 20:11:20 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-19 20:11:20 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-19 20:11:20 51200 --a------ C:\WINDOWS\system32\dumphive.exe


-- Find3M Report ---------------------------------------------------------------

2008-08-09 14:05:19 0 d-------- C:\Program Files\McAfee
2008-08-09 13:29:09 0 d-------- C:\Program Files\LimeWire
2008-08-03 17:32:53 0 d-------- C:\Documents and Settings\Serio\Application Data\LimeWire
2008-08-03 17:31:06 1372 --a------ C:\Documents and Settings\Serio\Application Data\wklnhst.dat
2008-08-03 14:15:43 0 d-------- C:\Program Files\Java
2008-07-27 05:12:23 0 d-------- C:\Program Files\Google
2008-07-19 20:17:03 3738 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 20:40:04 0 d-------- C:\Documents and Settings\Serio\Application Data\Google
2008-06-22 19:38:17 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-22 19:35:52 0 d-------- C:\Program Files\AIM6
2008-06-05 20:07:28 47104 -----n--- C:\WINDOWS\AKDeInstall.exe <Not Verified; ; DeInstall>
2008-06-05 19:36:44 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-18 20:06:05 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-12 15:19:57 1024 --a------ C:\Documents and Settings\Serio\Application Data\WavCodec.wff


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{228D5C50-60FC-4916-8534-6DE01477B21F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86286B2C-1E39-4E6D-AFA9-5E2BC49AE1A5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8D99CE4-F912-4A31-A5B2-76AFEFE2CB9C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 12:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/14/2007 12:26 PM]
"CTHelper"="CTHELPER.EXE" [11/08/2005 03:30 AM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [03/01/2006 07:00 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/17/2003 11:00 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [10/14/2005 09:01 AM]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [11/04/2005 04:07 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/10/2000 11:00 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [10/03/2006 09:35 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [10/03/2006 09:37 AM]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [11/05/2006 09:22 AM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [08/17/2006 07:00 AM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 03:23 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 03:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/22/2007 09:05 PM]
"MDNS"="C:\WINDOWS\system32\service.exe" []
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [11/26/2007 10:46 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 01:21 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/23/2007 02:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=vbaaxc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{678d9cab-31cc-11dd-a682-001aa0b3900c}]
play\Command- "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"




-- End of Deckard's System Scanner: finished at 2008-08-09 14:14:32 ------------

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:03 AM

Posted 09 August 2008 - 04:46 PM

Hi ms3,

If you could, more advice on how to avoid getting malware would be appreciated- perhaps you could direct me to some good sources of information.


I will give you my prevention speech after we removal all the malware on this computer. :thumbsup:


Since you are still infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your McAfee Antivirus and before running ComboFix, as it will prevent it from running.

To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You succesfully disabled the McAfee Guard.



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ms3

ms3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 09 August 2008 - 06:30 PM

the computer went to a blue screen after about stage 20. I rebooted and it appears ok. should I try to run combofix again?
This is the txt file I found.

ComboFix 08-08-09.02 - Serio 2008-08-09 16:15:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT -7:00]
Running from: C:\Documents and Settings\Serio\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:03 AM

Posted 09 August 2008 - 06:54 PM

ComboFix 08-08-09.02 - Serio 2008-08-09 16:15:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT -7:00]
Running from: C:\Documents and Settings\Serio\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


You did not disable your McAfee antivirus. :thumbsup:

Be sure you disable McAfee and any other anti malware programs before running ComboFix.

Also, you need to be sure you let ComboFix complete running. Be patient as it may take 40 minutes

Run ComboFix again and post the log it produces.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ms3

ms3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 09 August 2008 - 07:16 PM

Right clicking on the McAffee icon in the tray does not yield an Exit option. I went into the control center and disabled everything I could find. any other suggestions?

#8 ms3

ms3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 09 August 2008 - 07:30 PM

I went back into McAffee, found some more stuff to disable, started Combofix again and then when a McAffee error note popped up, I sent the last post. The combofix did finish running though, so here it is.
Thanks


ComboFix 08-08-09.02 - Serio 2008-08-09 17:10:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT -7:00]
Running from: C:\Documents and Settings\Serio\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\beep.sys
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\Serio\Application Data\macromedia\Flash Player\#SharedObjects\N7ABLDJH\interclick.com
C:\Documents and Settings\Serio\Application Data\macromedia\Flash Player\#SharedObjects\N7ABLDJH\interclick.com\ud.sol
C:\Documents and Settings\Serio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Serio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\glpfnxdo.ini
C:\WINDOWS\system32\hixloqfr.ini
C:\WINDOWS\system32\hyefdcga.ini
C:\WINDOWS\system32\mmkjcnjg.ini
C:\WINDOWS\system32\mtefxtvi.ini
C:\WINDOWS\system32\ntqmynmd.ini
C:\WINDOWS\system32\nxuhdvuj.ini
C:\WINDOWS\system32\pdkxtfjw.dll
C:\WINDOWS\system32\rinybz.dll
C:\WINDOWS\system32\swjvcukt.ini
C:\WINDOWS\system32\syacqleu.dll
C:\WINDOWS\system32\ufgpjhax.ini
C:\WINDOWS\system32\vfrumc.dll
C:\WINDOWS\system32\vulewwfr.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 13:41 . 2008-08-09 13:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 13:41 . 2008-08-09 13:41 <DIR> d-------- C:\Documents and Settings\Serio\Application Data\Malwarebytes
2008-08-09 13:41 . 2008-08-09 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 13:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 13:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-03 17:31 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-03 17:31 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-08-03 16:29 . 2008-08-03 16:29 <DIR> d-------- C:\Deckard
2008-08-03 14:15 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-03 14:11 . 2008-08-03 14:14 <DIR> d-------- C:\Documents and Settings\Serio\.SunDownloadManager
2008-07-22 17:35 . 2008-07-22 17:36 <DIR> d-------- C:\Program Files\Monopoly
2008-07-22 17:35 . 2008-07-22 17:35 <DIR> d-------- C:\Documents and Settings\Serio\Application Data\SpinTop
2008-07-19 20:11 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-19 20:11 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-19 20:11 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-19 20:11 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-19 20:11 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-19 20:11 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-19 20:11 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-19 20:11 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-19 20:11 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 21:05 --------- d-----w C:\Program Files\McAfee
2008-08-09 20:29 --------- d-----w C:\Program Files\LimeWire
2008-08-09 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-04 00:32 --------- d-----w C:\Documents and Settings\Serio\Application Data\LimeWire
2008-08-04 00:31 1,372 ----a-w C:\Documents and Settings\Serio\Application Data\wklnhst.dat
2008-08-03 21:15 --------- d-----w C:\Program Files\Java
2008-07-27 12:12 --------- d-----w C:\Program Files\Google
2008-07-23 01:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-23 02:38 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-23 02:35 --------- d-----w C:\Program Files\AIM6
2008-06-23 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-23 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 03:07 47,104 ------w C:\WINDOWS\AKDeInstall.exe
2008-06-06 02:36 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 13:21 50528]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-23 14:43 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-14 12:26 7774208]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 23:00 45056]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 09:01 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 16:07 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00 90112]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 09:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 09:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 09:22 221184]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 07:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 15:23 118784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-22 21:05 155648]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-11-26 10:46 141640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"CTHelper"="CTHELPER.EXE" [2005-11-08 03:30 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 19:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vbaaxc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 08:35]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-14 21:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{678d9cab-31cc-11dd-a682-001aa0b3900c}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{228D5C50-60FC-4916-8534-6DE01477B21F} - (no file)
BHO-{86286B2C-1E39-4E6D-AFA9-5E2BC49AE1A5} - (no file)
BHO-{A8D99CE4-F912-4A31-A5B2-76AFEFE2CB9C} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://everquest.allakhazam.com/
R0 -: HKLM-Main,Start Page = hxxp://everquest.allakhazam.com/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
C:\WINDOWS\Downloaded Program Files\stg_drm.ocx

O16 -: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://C:\Program Files\Monopoly\Images\armhelper.ocx
C:\WINDOWS\Downloaded Program Files\armhelper.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 17:14:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTXFISPI.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-09 17:17:26 - machine was rebooted [Serio]
ComboFix-quarantined-files.txt 2008-08-10 00:17:22

Pre-Run: 275,995,832,320 bytes free
Post-Run: 275,980,447,744 bytes free

205 --- E O F --- 2008-07-10 10:00:36

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:03 AM

Posted 09 August 2008 - 07:58 PM

Hi ms3,

Looks good. :thumbsup:

Lets make sure there are no remenents lurking.

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE,
Scan Options:
Scan Archives
Scan Mail Bases


then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:

Posted Image

Under Save as type select Text file write name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply along with a fresh Hijackthis log.

Edited by SifuMike, 09 August 2008 - 07:59 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 ms3

ms3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 09 August 2008 - 10:25 PM

heres what I got
Thank you

--------------------------------------------------------------------------------




KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 10, 2008 02:11:32
Records in database: 1076983
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 92755
Threat name: 3
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 00:57:07


File name / Threat name / Threats count
C:\Documents and Settings\Serio\Desktop\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\Serio\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Serio\Desktop\SmitfraudFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\Serio\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pdkxtfjw.dll.vir Infected: Trojan.Win32.Monder.axp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rinybz.dll.vir Infected: Trojan.Win32.Monder.axp 1
C:\WINDOWS\system32\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:10 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Serio\My Documents\New Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070817
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Serio\Local Settings\Temp\{044511C8-60B2-4A80-AB4A-07B0FFFB1333}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204518448187
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O20 - AppInit_DLLs: vbaaxc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O24 - Desktop Component 0: (no name) - http://91.121.132.199/gifs/79.gif
O24 - Desktop Component 1: (no name) - http://91.121.71.200/gifs/790.gif

--
End of file - 9730 bytes

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:03 AM

Posted 09 August 2008 - 10:41 PM

Hi ms3,

Kaspersky found files from SmitfraudFix and quarented files, so we can leave them. :thumbsup:

We only have a few more items to remove.

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O20 - AppInit_DLLs: vbaaxc.dll


Close all browsers and other windows except for HijackThis, and click "Fix checked"


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 ms3

ms3
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 09 August 2008 - 11:42 PM

It deleted my log in info- took me a while to figure out why I couldn't post like before. It's getting late!
Here is the Hijack log.
thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:07 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Serio\My Documents\New Folder\HiJackThis.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070817
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Serio\Local Settings\Temp\{044511C8-60B2-4A80-AB4A-07B0FFFB1333}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204518448187
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O24 - Desktop Component 0: (no name) - http://91.121.132.199/gifs/79.gif
O24 - Desktop Component 1: (no name) - http://91.121.71.200/gifs/790.gif

--
End of file - 9459 bytes

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:03 AM

Posted 09 August 2008 - 11:49 PM

Hi ms3,

Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox
VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:03 AM

Posted 19 August 2008 - 11:58 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users