Antivirus Xp 2008 Removal Help/am I Infected? Can't Open Malware Removal Forum


3 replies to this topic

#1 melflugstad

  • Members
  • 1 posts

Posted 05 August 2008 - 02:55 PM

Staff Advisory: This post needs to remain here until one of the malware team advise that it can be moved. This member cannot access our malware forums due to their infection. ~ Animal

----------------------------------------------------------------------------------------------------------------------


Hello, I got some help from some nice people in the live chat. I have made a log with your hijack program and am posting it at the bottom. It created two .txt files, so there are two reports. I am unable to open ANY link that has the words anti-spyware anywhere on the page or in the address bar, so unfortunately I cannot post this in the malware removal forum because the internet window closes every time.
I am in dire need of some help! I have a subscription to Spy Sweeper and it is keeping things out, but I was infected with Antivirus XP 2008 and possibly some viruses because the computer was unprotected for about a month while I was in the hospital.
I run Windows XP and a wireless connection. If someone could take the time to look at this for me I would be so incredibly thankful! I offer my services as a photographer/graphic artist/professional gift shopper/MySpace designer/beginner web designer. You can see what I do at www.perfectionpictures.com and contact me if you need anything at all!


Current Symptoms (in the order of appearance)

Random total system crash, then restart, then blue screen, then back to Windows. msvcp71.exe is missing, so a program is being prevented from opening, and an error box notifies me as such every time I log on.
When the computer is left on and idle it goes to a blue screen, then restarts, then blue screen, then restarts (doesn't look real though, like it's a screen saver designed to imitate a blue screen?). Whoever made this thing thought of everything.
It won't uninstall in Add/Remove or from Program Files, and its files and icons are locked from being deleted. It has taken over the desktop picture and won't let you change it, as the Desktop tab has disappeared from Properties. It locked www.freewebportal.com as my homepage and locked me from changing it in Tools. It constantly changes my internet options to allow popups; the popups sometimes freeze the computer as it starts freaking out and opens upwards of 54 Internet Explorer windows at one time, and if you try to close them the number goes down but right back up. It has little start menu notifications come up saying I have 2577 viruses. The program itself automatically opens at startup and then randomly afterwards and automatically scans. It prevents my antivirus and anti-malware programs from opening, although the program seems to be active and gives me notifications of malware that the desktop firewall blocks. It's in the process of trying to prevent Firefox from starting up, although it doesn't stop Internet Explorer from opening. When I'm surfing with Internet Explorer, randomly I am routed to a page saying that I'm unprotected, and then it re-routes me to the ordering page for Antivirus 2008.

I'm sure there's more, but that's all I can remember right now.



Here are the reports:


Deckard's System Scanner v20071014.68
Run by nomore_43 on 2008-08-05 13:02:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-08-05 19:02:29 UTC - RP10 - Deckard's System Scanner Restore Point
2: 2008-08-05 13:25:37 UTC - RP9 - Software Distribution Service 3.0
1: 2008-08-05 05:21:12 UTC - RP8 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 502 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-05 13:08:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Digital Media Reader\shwiconEM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\3D-Relax\Living 3D Fireplace Trial\trioService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\system32\lphcnwfj0e5cr.exe
C:\Program Files\rhcjwfj0e5cr\rhcjwfj0e5cr.exe
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\pphcnwfj0e5cr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nomore_43\Desktop\mbam-setup.exe
C:\DOCUME~1\NOMORE~1\LOCALS~1\Temp\is-8347H.tmp\mbam-setup.tmp
C:\Documents and Settings\nomore_43\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = <local>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "C:\WINDOWS\system32\HDAShCut.exe"
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QUICKCARE] "C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" /P QUICKCARE
O4 - HKLM\..\Run: [trioService] "C:\Program Files\3D-Relax\Living 3D Fireplace Trial\trioService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplorer.exe
O4 - HKLM\..\Run: [lphcnwfj0e5cr] "C:\WINDOWS\system32\lphcnwfj0e5cr.exe"
O4 - HKLM\..\Run: [SMrhcjwfj0e5cr] "C:\Program Files\rhcjwfj0e5cr\rhcjwfj0e5cr.exe"
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/8/b...heckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3AA42713-5C1E-48E2-B432-D8BF420DD31D} () - http://antivirus-scanonline.com/AntvrsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194127732210
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://fortunelounge.microgaming.com/generic/FlashAX.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\cru629.dat
O21 - SSODL: GGsjpRJLGSd - {F4C21FFB-5E68-B551-9B90-31E6C3F712CF} - C:\WINDOWS\system32\quqqpm.dll (file missing)
O22 - SharedTaskScheduler: delayingly - {e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe
O23 - Service: Webroot Desktop Firewall network service (wdfnet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--
End of file - 11530 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
R3 sysrest.sys - c:\windows\system32\sysrest.sys

S0 szkg5 (szkg) - c:\windows\system32\drivers\szkg.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Spooler (Print Spooler) - c:\windows\system32\spoolsv.exe (file missing)
S2 SpywareCleanerService - c:\program files\spyware cleaner\scservice.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-05 12:56:02 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-30 13:31:38 1538 --a------ C:\WINDOWS\Tasks\wrSpySweeperFullSweep.job


-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-07-31 19:41:09 109150 --a------ C:\WINDOWS\system32\drivers\f9bcfe6a.sys
2008-07-31 07:19:02 0 d-------- C:\Documents and Settings\Pookies' Ma\Contacts
2008-07-30 16:38:06 0 d-------- C:\Documents and Settings\Pookies' Ma\Application Data\ArcSoft
2008-07-30 16:21:02 94208 --a------ C:\WINDOWS\system32\pphcnwfj0e5cr.exe
2008-07-30 15:55:45 0 d-------- C:\Documents and Settings\Pookies' Ma\Application Data\Mozilla
2008-07-30 14:23:39 0 d-------- C:\Documents and Settings\Pookies' Ma\Application Data\rhcjwfj0e5cr
2008-07-30 13:36:23 0 d-------- C:\Documents and Settings\nomore_43\Application Data\Webroot
2008-07-30 13:33:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-07-30 13:31:17 0 d-------- C:\Documents and Settings\Pookies' Ma\Application Data\Webroot
2008-07-30 13:31:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-07-30 13:31:16 0 d-------- C:\Program Files\AskSBar
2008-07-30 12:49:26 0 d-------- C:\Documents and Settings\Pookies' Ma\Application Data\Adobe
2008-07-30 12:49:06 0 d-------- C:\Documents and Settings\Pookies' Ma\Application Data\Google
2008-07-30 12:48:23 0 d-------- C:\Documents and Settings\Pookies' Ma\Application Data\Real
2008-07-30 12:43:04 0 d-------- C:\Documents and Settings\nomore_43\Desktop
2008-07-30 12:15:12 0 d-------- C:\Documents and Settings\Guest\Application Data\Macromedia
2008-07-30 12:13:20 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2008-07-30 12:13:02 0 d-------- C:\Documents and Settings\Guest\Application Data\Google
2008-07-30 12:12:21 0 d-------- C:\Documents and Settings\Guest\Application Data\Real
2008-07-30 12:11:38 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2008-07-30 12:11:38 0 dr-h----- C:\Documents and Settings\Guest\Recent
2008-07-30 12:11:38 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2008-07-30 12:11:38 0 d--h----- C:\Documents and Settings\Guest\NetHood
2008-07-30 12:11:38 0 dr------- C:\Documents and Settings\Guest\My Documents
2008-07-30 12:11:38 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2008-07-30 12:11:38 0 dr------- C:\Documents and Settings\Guest\Favorites
2008-07-30 12:11:38 0 d-------- C:\Documents and Settings\Guest\Desktop
2008-07-30 12:11:38 0 d--hs---- C:\Documents and Settings\Guest\Cookies
2008-07-30 12:11:38 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2008-07-30 12:11:38 0 d-------- C:\Documents and Settings\Guest\Application Data\You've Got Pictures Screensaver
2008-07-30 12:11:38 0 d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2008-07-30 12:11:38 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-07-30 12:11:38 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-07-30 12:11:37 0 d-------- C:\Documents and Settings\Guest\WINDOWS
2008-07-30 12:11:37 0 d--h----- C:\Documents and Settings\Guest\Templates
2008-07-30 12:11:37 0 dr------- C:\Documents and Settings\Guest\Start Menu
2008-07-30 12:11:37 1048576 --a------ C:\Documents and Settings\Guest\NTUser.dat
2008-07-30 11:56:43 0 d-------- C:\Documents and Settings\Administrator.SPANKY\Application Data\Adobe
2008-07-30 10:12:12 0 d-------- C:\Documents and Settings\Administrator.SPANKY\Application Data\rhcjwfj0e5cr
2008-07-23 11:56:04 0 d-------- C:\Documents and Settings\nomore_43\Application Data\rhcjwfj0e5cr
2008-07-23 11:55:40 0 d-------- C:\Program Files\rhcjwfj0e5cr
2008-07-23 11:55:21 60928 --a------ C:\WINDOWS\system32\blphcnwfj0e5cr.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-23 11:55:19 110080 --a------ C:\WINDOWS\system32\lphcnwfj0e5cr.exe
2008-07-21 02:56:18 12733 --a------ C:\WINDOWS\system32\yhisat.dll
2008-07-21 02:56:18 14963 --a------ C:\WINDOWS\system32\ryweke.bin
2008-07-21 02:56:18 13894 --a------ C:\WINDOWS\system32\diruna.reg
2008-07-21 02:56:18 13310 --a------ C:\WINDOWS\exubiku.scr
2008-07-21 02:56:18 13998 --a------ C:\Program Files\Common Files\ikasyxac.sys
2008-07-21 02:56:18 10356 --a------ C:\Program Files\Common Files\bypijama.pif
2008-07-21 02:56:18 13331 --a------ C:\Documents and Settings\nomore_43\Application Data\zyhev.com
2008-07-21 02:56:18 16264 --a------ C:\Documents and Settings\nomore_43\Application Data\tawired.pif
2008-07-21 02:56:18 19844 --a------ C:\Documents and Settings\nomore_43\Application Data\jaqafenid.pif
2008-07-21 02:56:18 18988 --a------ C:\Documents and Settings\nomore_43\Application Data\eryxuqyrig.bat
2008-07-21 02:56:18 12221 --a------ C:\Documents and Settings\nomore_43\Application Data\elase.com
2008-07-21 02:56:18 18665 --a------ C:\Documents and Settings\All Users\Application Data\cucugun.com
2008-07-21 02:56:18 13950 --a------ C:\Documents and Settings\All Users\Application Data\abyjypi.bat
2008-07-20 23:22:22 11747 --a------ C:\Program Files\Common Files\obex.com
2008-07-20 23:22:22 10835 --a------ C:\Program Files\Common Files\luju.com
2008-07-20 23:22:22 13784 --a------ C:\Documents and Settings\nomore_43\Application Data\ofat.dll
2008-07-20 23:22:22 16963 --a------ C:\Documents and Settings\nomore_43\Application Data\aqejakuwij.scr
2008-07-20 23:22:22 18052 --a------ C:\Documents and Settings\All Users\Application Data\ysemoricy.bat
2008-07-20 16:39:51 11915 --a------ C:\WINDOWS\system32\duhyrab.scr
2008-07-20 16:39:51 16550 --a------ C:\WINDOWS\nuxov.dat
2008-07-20 16:39:51 10541 --a------ C:\WINDOWS\bigecosyqo.bat
2008-07-20 16:39:51 17538 --a------ C:\WINDOWS\bekodyx.bin
2008-07-20 16:39:51 19938 --a------ C:\Program Files\Common Files\imoqosil.sys
2008-07-20 16:39:51 16246 --a------ C:\Program Files\Common Files\idedy.reg
2008-07-20 16:39:51 12549 --a------ C:\Documents and Settings\nomore_43\Application Data\agab.vbs
2008-07-20 16:39:51 14237 --a------ C:\Documents and Settings\All Users\Application Data\omad.exe
2008-07-20 16:39:51 15751 --a------ C:\Documents and Settings\All Users\Application Data\avytedem.bin
2008-07-20 16:39:51 12942 --a------ C:\Documents and Settings\All Users\Application Data\ahyloqavu.scr
2008-07-20 07:10:04 16998 --a------ C:\WINDOWS\tisulosada.pif
2008-07-20 07:10:04 10895 --a------ C:\WINDOWS\system32\ahux.dat
2008-07-20 07:10:04 16852 --a------ C:\WINDOWS\gakojopoxi.bin
2008-07-20 07:10:04 18693 --a------ C:\WINDOWS\esugyrafoq.reg
2008-07-20 07:10:04 17181 --a------ C:\WINDOWS\elij.com
2008-07-20 07:10:04 11262 --a------ C:\Program Files\Common Files\racywek.bin
2008-07-20 07:10:04 18509 --a------ C:\Documents and Settings\nomore_43\Application Data\obirokepy.com
2008-07-20 07:10:04 19043 --a------ C:\Documents and Settings\nomore_43\Application Data\esyvys.bat
2008-07-20 07:10:04 14904 --a------ C:\Documents and Settings\nomore_43\Application Data\baji.dll
2008-07-20 07:10:04 12429 --a------ C:\Documents and Settings\All Users\Application Data\zysyfurada.vbs
2008-07-20 07:10:04 17013 --a------ C:\Documents and Settings\All Users\Application Data\teciwutera.bin
2008-07-20 07:10:04 19272 --a------ C:\Documents and Settings\All Users\Application Data\qiqetenuno.bat
2008-07-19 20:17:51 14502 --a------ C:\WINDOWS\system32\ytawujod.com
2008-07-19 20:17:51 16955 --a------ C:\WINDOWS\system32\vare.exe
2008-07-19 20:17:51 18136 --a------ C:\WINDOWS\hepebamux.dll
2008-07-19 20:17:51 13379 --a------ C:\WINDOWS\henoriwiwa.dat
2008-07-19 20:13:35 304332 --a------ C:\WINDOWS\system32\winivstr.exe


-- Find3M Report ---------------------------------------------------------------

2008-08-04 17:22:26 0 d-------- C:\Program Files\Webroot
2008-07-30 19:33:43 0 d-------- C:\Documents and Settings\nomore_43\Application Data\Mozilla
2008-07-30 13:00:30 164 --a------ C:\install.dat
2008-07-30 12:48:43 0 d-------- C:\Program Files\WAV
2008-07-30 10:30:28 0 d-------- C:\Program Files\Microsoft Works
2008-07-21 02:56:18 0 d-------- C:\Program Files\Common Files
2008-07-20 23:22:22 15784 --a------ C:\Program Files\Common Files\ykasa.ban
2008-07-20 23:22:22 19185 --a------ C:\Documents and Settings\nomore_43\Application Data\ulufyso._sy
2008-07-20 23:22:22 12670 --a------ C:\Documents and Settings\nomore_43\Application Data\sovax._dl
2008-07-20 16:39:51 10479 --a------ C:\Program Files\Common Files\vumukypo.db
2008-07-20 16:39:51 15869 --a------ C:\Program Files\Common Files\ucun.db
2008-07-20 16:39:51 18831 --a------ C:\Documents and Settings\nomore_43\Application Data\ezof._dl
2008-07-20 16:39:51 18021 --a------ C:\Documents and Settings\nomore_43\Application Data\adiqyvos.inf
2008-07-20 15:02:45 0 d-------- C:\Documents and Settings\nomore_43\Application Data\Move Networks
2008-07-20 07:10:04 18829 --a------ C:\Program Files\Common Files\wugaducajy._dl
2008-07-20 07:10:04 11329 --a------ C:\Program Files\Common Files\eqogun.inf
2008-07-20 07:10:04 15848 --a------ C:\Documents and Settings\nomore_43\Application Data\getuly.dl
2008-07-19 22:46:25 0 d-------- C:\Program Files\Yahoo!
2008-07-19 20:17:51 14517 --a------ C:\Program Files\Common Files\ruzeqiti._dl
2008-07-19 20:17:51 19499 --a------ C:\Documents and Settings\nomore_43\Application Data\axokyg.lib
2008-07-06 16:40:47 0 d-------- C:\Documents and Settings\nomore_43\Application Data\uTorrent
2008-07-04 21:57:43 36352 --a------ C:\WINDOWS\iexplorer.exe <Not Verified; www.; World.WideWeb.>
2008-06-30 22:33:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-22 20:50:56 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-06-22 20:35:26 0 d-------- C:\Program Files\Firaxis Games
2008-06-15 13:01:13 0 d-------- C:\Program Files\ConsoleClassix.com
2008-06-10 08:39:52 0 d-------- C:\Program Files\CoffeeCup Software
2008-06-08 08:38:14 0 d-------- C:\Documents and Settings\nomore_43\Application Data\MSNInstaller
2008-06-08 08:37:03 0 d-------- C:\Program Files\Online Services
2008-06-07 21:27:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-06 22:24:48 0 d-------- C:\Program Files\Common Files\Java
2008-06-06 22:24:48 0 d-------- C:\Documents and Settings\nomore_43\Application Data\Real
2008-06-06 19:53:03 0 d-------- C:\Program Files\Google
2008-05-08 03:05:06 1 --a------ C:\WINDOWS\system32\kl_done


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
07/30/2008 01:31 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
07/30/2008 01:31 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [11/15/2004 04:04 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 09:24 PM]
"High Definition Audio Property Page Shortcut"="C:\WINDOWS\system32\HDAShCut.exe" [01/07/2005 06:07 PM]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [06/01/2005 05:56 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/25/2005 11:32 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/25/2005 11:29 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/25/2005 11:32 AM]
"RTHDCPL"="C:\WINDOWS\RTHDCPL.EXE" [07/13/2005 11:37 AM]
"Alcmtr"="C:\WINDOWS\ALCMTR.EXE" [05/03/2005 07:43 PM]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [02/01/2005 09:00 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/26/2005 06:42 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [11/07/2006 10:07 PM]
"trioService"="C:\Program Files\3D-Relax\Living 3D Fireplace Trial\trioService.exe" [02/09/2006 02:07 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/28/2007 03:05 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Explorer"="C:\WINDOWS\iexplorer.exe" [07/04/2008 09:57 PM]
"lphcnwfj0e5cr"="C:\WINDOWS\system32\lphcnwfj0e5cr.exe" [07/23/2008 11:55 AM]
"SMrhcjwfj0e5cr"="C:\Program Files\rhcjwfj0e5cr\rhcjwfj0e5cr.exe" [07/23/2008 09:27 AM]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [07/31/2008 07:18 AM]
"@"="" []
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [10/20/2007 01:20 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep.exe" [08/04/2004 01:00 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07/13/2008 09:53 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=1 (0x1)
"NoDispBackgroundPage"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"GGsjpRJLGSd"= {F4C21FFB-5E68-B551-9B90-31E6C3F712CF} - C:\WINDOWS\system32\quqqpm.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.test.com
127.0.0.1 www.ads.x10.com
127.0.0.1 www.600pics.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.geocities.bfast.com

844 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-05 13:12:16 ------------

*****************************************************************************

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.93GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 501.94 MiB / 150.69 MiB
Pagefile Memory (total/avail): 1225.66 MiB / 628.92 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.96 MiB

C: is Fixed (NTFS) - 145.47 GiB total, 91.22 GiB free.
D: is Fixed (FAT32) - 3.56 GiB total, 2.72 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JD-22HBC0 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 145.47 GiB - C:
\PARTITION1 - Unknown - 3.57 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
FW: Webroot Desktop Firewall v5.5.8.8 (Webroot)
AV: Webroot AntiVirus with AntiSpyware v5.8.1.47 (Webroot Software, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Documents and Settings\\Messenger\\YahooMessenger.exe"="C:\\Documents and Settings\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Disabled:µTorrent"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\GhostSurf 2005\\Proxy.exe"="C:\\Program Files\\GhostSurf 2005\\Proxy.exe:*:Disabled:GhostSurf proxy"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Documents and Settings\\Pookies' Ma\\Local Settings\\Temp\\.ttD.tmp"="C:\\Documents and Settings\\Pookies' Ma\\Local Settings\\Temp\\.ttD.tmp:*:Disabled:.ttD"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\nomore_43\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SPANKY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\nomore_43
LOGONSERVER=\\SPANKY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NOMORE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\NOMORE~1\LOCALS~1\Temp
USERDOMAIN=SPANKY
USERNAME=nomore_43
USERPROFILE=C:\Documents and Settings\nomore_43
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Michael
Mel
nomore_43 (admin)
Pookies' Ma (admin)
Administrator.SPANKY (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Actiontec Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AntivirXP08 --> "C:\Program Files\rhcjwfj0e5cr\uninstall.exe"
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
Celtx (0.9.9.1) --> C:\Program Files\Celtx\uninstall\uninst.exe
Civilization III Complete Edition --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2157961D-0507-44A8-BCF2-1EE2D439E8DF}
Console Classix 4.04 --> "C:\Program Files\ConsoleClassix.com\unins000.exe"
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
DirectX Media Runtime 5.1 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DXM51.INF,Uninstall.NT
Easy GIF Animator 4.3 --> "C:\Program Files\Easy GIF Animator\unins000.exe"
Easy Gif Animator Extension --> "C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_3153.exe" _?=C:\Program Files\Easy Gif Animator Extension
EPSON CX 4200 4800 Guide --> C:\Program Files\epson\guide\cx4200_4800_e\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\setup.exe" -l0x9 -anything
Flash Slideshow Maker Pro 4.40 --> C:\Program Files\Flash Slideshow Maker Professional\uninst.exe
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InCD EasyWrite Reader --> C:\WINDOWS\unmrw.exe /UNINSTALL
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
MathPlayer --> C:\Program Files\Design Science\MathPlayer\Setup.exe -u
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\nomore_43\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSM32Installer --> MsiExec.exe /I{55A75679-02D1-4C8C-85CA-B4E4DF4D775F}
MSN Gaming Zone --> C:\PROGRA~1\MSNGAM~1\zsetup.exe /Uninstall
Music Creator 4 --> "C:\Program Files\Cakewalk\Music Creator 4\unins000.exe"
Myst IV - Revelation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96F702F3-7CA4-41B5-A70A-4F348DF99A9A}\setup.exe" -l0x9
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickConnect --> C:\Program Files\InstallShield Installation Information\{4998FF95-709A-430A-B104-92A009ABB848}\setup.exe -runfromtemp -l0x0009 -removeonly
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Qwest QuickCare 2.0 --> "C:\Program Files\Qwest\QuickCare\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Riven --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Riven\DeIsL1.isu"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spy Sweeper Core --> MsiExec.exe /I{3F5B6210-0903-4DC6-8034-8F488AA3A782}
Titanic --> C:\Program Files\CyberFlix\Titanic\TITANIC.EXE -U
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Webroot Desktop Firewall --> MsiExec.exe /X{8FD723BB-E30B-4BE9-85DD-161FD6F5B37A}
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Messenger --> C:\DOCUME~1\MESSEN~1\UNWISE.EXE /U C:\DOCUME~1\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type390 / Success
Event Submitted/Written: 08/05/2008 10:23:34 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type375 / Success
Event Submitted/Written: 08/05/2008 00:38:36 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type363 / Success
Event Submitted/Written: 08/04/2008 11:28:47 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type354 / Success
Event Submitted/Written: 08/04/2008 08:54:56 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type351 / Error
Event Submitted/Written: 08/04/2008 06:22:32 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application civ3conquests.exe, version 1.22.0.0, faulting module civ3conquests.exe, version 1.22.0.0, fault address 0x001cdce6.
Processing media-specific event for [civ3conquests.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type68257 / Error
Event Submitted/Written: 08/05/2008 10:23:01 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SpywareCleanerService service failed to start due to the following error:
%%2

Event Record #/Type68256 / Error
Event Submitted/Written: 08/05/2008 10:23:01 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Print Spooler service failed to start due to the following error:
%%2

Event Record #/Type68255 / Warning
Event Submitted/Written: 08/05/2008 10:21:56 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00132088CE56. The IP address being used is 169.254.148.224.

Event Record #/Type68254 / Warning
Event Submitted/Written: 08/05/2008 10:21:50 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00132088CE56. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type68247 / Error
Event Submitted/Written: 08/05/2008 07:25:38 AM
Event ID/Source: 20 / Windows Update Agent
Event Description:
Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB951376).



-- End of Deckard's System Scanner: finished at 2008-08-05 13:12:16 ------------

#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 05 August 2008 - 03:45 PM

Hi & welcome,

I would like to try a couple of things before we go much further so I have a bit better picture of what is happening and can take the needed cautions.

1.) click start> run> type msconfig and hit enter.
click "boot.ini" tab
Checkmark /bootlog
Click "apply" and "close"
Reboot when asked

Locate and delete this file:

C:\windows\ntbtlog.txt (in case your extensions don't show it looks like a notepad)

Reboot

Locate & post:

C:\windows\ntbtlog.txt

2.) Click start> run> type: cmd.exe and hit enter.
type the following commands exactly as you see them & hit enter after each one:

cd c:\windows\system32
dir userinit.exe


Note the file size please & report that back to me. Leave cmd open a sec.

Back at the cmd window...
Type:

cd dllcache
dir userinit.exe
dir spoolsv.exe


Note file sizes & report that back to me.

Type exit in the CMD window & hit enter. (this closes it)

3.) Can you see also if you can get this program installed please:

http://download.bleepingcomputer.com/hijac.../HJTInstall.exe

Save file> run it> follow prompts to install accepting defaults.
Allow it to "launch" hijackthis.

Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad

Go to Edit, Select All and then Edit, Paste to paste the contents of the log here

Let me know if you had any problems with the above please.

I advise keeping the system offline as much as possible to prevent more junk from being installed.

Also --

At least one of the threats indicates backdoor activity:
http://www.sophos.com/security/analyses/vi...ojagentgin.html

This means that it is possible for others to have access to the system to download & execute files.
Your passwords could also have been stolen so I advise you to get to a clean system to change your passwords to any sensitive sites like banking, shopping sites, ebay, PayPal, etc.
Don't use this system for the above activity till we can get it cleaned up.
If you bank or use credit cards online -- best call those companies so they can watch your accounts and advise you of any needed further actions.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

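A scripted form of the size check in step 2 of the post above, added here as an example; it is not code from the thread, from Deckard's System Scanner, or from any tool the post names. It assumes PowerShell 2.0 or later is installed on the machine and that the files live under the default `%SystemRoot%\system32` and `%SystemRoot%\system32\dllcache` paths. It goes one step beyond the post: besides the size, it compares SHA-256 hashes, which also catches a replaced file whose size was kept identical to the original.

```powershell
# Added example, not code from the thread or from Deckard's System Scanner.
# Compares a Windows File Protection binary in system32 with its dllcache
# copy by size and SHA-256, the scripted version of the "dir userinit.exe" /
# "cd dllcache" check above. Assumed paths: %SystemRoot%\system32 and
# %SystemRoot%\system32\dllcache (the XP defaults).

function Get-FileSha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # .NET hashing instead of Get-FileHash so this also runs on PowerShell 2.0,
    # the last version available for Windows XP.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Compare-ProtectedFile {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$SystemRoot = $env:SystemRoot
    )
    $live  = Join-Path $SystemRoot "system32\$Name"
    $cache = Join-Path $SystemRoot "system32\dllcache\$Name"

    $r = New-Object PSObject -Property @{
        File      = $Name
        LiveSize  = $null
        CacheSize = $null
        LiveHash  = $null
        CacheHash = $null
        Verdict   = ''
    }

    if (-not (Test-Path -LiteralPath $live)) {
        $r.Verdict = 'live file missing from system32'
        return $r
    }
    if (-not (Test-Path -LiteralPath $cache)) {
        $r.Verdict = 'no dllcache copy to compare against'
        return $r
    }

    $r.LiveSize  = (Get-Item -LiteralPath $live).Length
    $r.CacheSize = (Get-Item -LiteralPath $cache).Length
    $r.LiveHash  = Get-FileSha256Hex -Path $live
    $r.CacheHash = Get-FileSha256Hex -Path $cache

    if ($r.LiveHash -eq $r.CacheHash) {
        $r.Verdict = 'matches dllcache copy'
    } elseif ($r.LiveSize -eq $r.CacheSize) {
        # Same size but different bytes is exactly the case a plain "dir" cannot see.
        $r.Verdict = 'same size, different content: investigate'
    } else {
        $r.Verdict = 'size and content differ: investigate'
    }
    return $r
}

# The two files the post asks about, plus explorer.exe, which the thread
# later reports as no longer working.
'userinit.exe', 'spoolsv.exe', 'explorer.exe' |
    ForEach-Object { Compare-ProtectedFile -Name $_ } |
    Format-Table File, LiveSize, CacheSize, Verdict -AutoSize
```

Treat a mismatch as a lead, not a verdict: a service pack or hotfix updates system32 and dllcache together, so a legitimate update normally leaves them matching, but malware that replaces the live binary can overwrite the dllcache copy as well, in which case the two still match. The reliable reference is the hash of the same file from a known-clean install of the same service pack, or the file's Authenticode signature, not the cache on the suspect machine.
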
#3 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 06 August 2008 - 01:21 AM

*note*
Some discussion went on in IRC --
Note to me ..
Currently explorer.exe is not working.

-------------------------------

Ok..

I understand navigation is difficult on your computer. Do the best you can please & do report any problems you have.
You may want to print out or save instructions to notepad because you can't see this page in safe mode.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

Boot to SAFE mode (no internet)

Open your task manager.
File> run> type:

"%userprofile%\desktop\combofix.exe"

then hit enter.

Let ComboFix do its thing.
When it reboots you, please reboot back to safe mode (tap f8 at restart)
Let ComboFix finish.

Once it has given you the log you can close that.

Reboot back to normal mode and post this log:

C:\Combofix.txt

Also a new Hijackthis log please.

Let me know how system is running.
There will be more work to do.

--Do not mouseclick combofix's window while it's running. That may cause it to stall.

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.


Thanks :thumbsup:

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 07 August 2008 - 06:41 AM

You doing OK Mel?
