Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde, Pop Ups, Url.adtrgt.com


  • This topic is locked This topic is locked
18 replies to this topic

#1 azwanzig

azwanzig

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 26 August 2008 - 11:24 PM

I'm getting periodic popups warning of possible infection and to CLICK HERE to download and install a free adware removal tool. Also getting redirects to url.adtrgt.com and other seemingly random sites with 404 and 403 errors. Spybot removed several instances of virtumonde.

Thanks in advance for your help!

HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:58 PM, on 8/26/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system\proxy.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\HIJACKTHIS\HijackThis2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BB6C9487-AAD6-47EE-A3FA-5432126062F2} - C:\WINNT\system32\ljJyaWmj.dll
O2 - BHO: (no name) - {F4219B3C-6844-417C-A48D-398C4F08F231} - C:\WINNT\system32\urqQkKeE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cwtray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O20 - Winlogon Notify: ljJyaWmj - C:\WINNT\SYSTEM32\ljJyaWmj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsService - Unknown owner - C:\WINNT\system\proxy.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 7780 bytes

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:59 PM

Posted 05 September 2008 - 04:49 PM

Hello azwanzig,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediatly.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll




  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Edited by SifuMike, 05 September 2008 - 05:04 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 06 September 2008 - 11:35 AM

Hi SifuMike.

Attached are the logs requested:

*****Anti-Malware Report*****

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.0.2195 Service Pack 4

9/6/2008 9:16:33 AM
mbam-log-2008-09-06 (09-16-33).txt

Scan type: Quick Scan
Objects scanned: 44046
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\cjiqed.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb6c9487-aad6-47ee-a3fa-5432126062f2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjyawmj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb6c9487-aad6-47ee-a3fa-5432126062f2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc4c1973-1c5a-4e19-a251-ed0bb36b105f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fc4c1973-1c5a-4e19-a251-ed0bb36b105f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm0fe1882a (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\ljJyaWmj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\cjiqed.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\essniphe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\ehpinsse.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\etvpqogb.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\pauonwfq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\hujqkbsy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\BM0fe1882a.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BM0fe1882a.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

*****RSIT Log.txt*****

Logfile of random's system information tool (written by random/random)
Run by Administrator at 2008-09-06 09:27:52
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 38 GB (49%) free of 76 GB
Total RAM: 1023 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:01 AM, on 9/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\HIJACKTHIS\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E54E1BA-5425-4A97-B6D9-E1608853A9BB} - C:\WINNT\system32\urqQkKeE.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cwtray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 7712 bytes

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E54E1BA-5425-4A97-B6D9-E1608853A9BB}]
C:\WINNT\system32\urqQkKeE.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-05-28 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-05-28 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2004-05-12 241664]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-02-12 49152]
"NvCplDaemon"=C:\WINNT\system32\NvCpl.dll [2003-04-24 4616192]
"USB2Check"=C:\WINNT\system32\PCLECoInst.dll [2005-12-21 73728]
"Synchronization Manager"=C:\WINNT\system32\mobsync.exe [2003-07-03 111376]
"cwtray"=C:\Program Files\ContentWatch\Internet Protection\cwtray.exe [2007-10-17 403456]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2007-05-30 79408]
"{BB6C9487-AAD6-47EE-A3FA-5432126062F2}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINNT\system32\urqQkKeE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

File associations

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

List of files/folders created in the last three months

2008-09-06 09:27:52 ----D---- C:\rsit
2008-09-06 09:00:01 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-06 08:59:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-06 08:59:56 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 19:02:18 ----A---- C:\WINNT\system32\hqepgf.dll
2008-08-28 19:02:10 ----A---- C:\WINNT\system32\aixgvdwx.dll
2008-08-26 19:38:41 ----A---- C:\WINNT\wininit.ini
2008-08-26 12:56:17 ----A---- C:\WINNT\system32\07f17fc8-.txt
2008-08-26 12:56:03 ----ASH---- C:\WINNT\system32\EeKkQqru.ini2
2008-08-26 12:56:03 ----ASH---- C:\WINNT\system32\EeKkQqru.ini
2008-08-26 12:50:55 ----A---- C:\WINNT\VRM_Free.exe.ini
2008-08-26 12:50:35 ----AD---- C:\WINNT\system32\eMaxt19
2008-08-24 20:37:00 ----A---- C:\WINNT\mathadv.ini
2008-08-24 20:36:55 ----D---- C:\Mathadv
2008-08-24 20:36:45 ----A---- C:\WINNT\encore_launcher.ini
2008-08-23 08:50:50 ----A---- C:\WINNT\TLCAPPS.INI
2008-08-23 08:50:30 ----D---- C:\Tlcwin
2008-08-03 00:07:20 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 15:54:17 ----D---- C:\Program Files\eGames
2008-07-10 10:43:30 ----A---- C:\WINNT\ModemLog_Novatel Wireless Expedite EV-DO Modem #10.txt
2008-07-10 09:55:09 ----D---- C:\~QTWTMP.TMP
2008-07-08 20:30:20 ----A---- C:\WINNT\system32\IR41_32.DLL
2008-06-29 21:20:57 ----AD---- C:\WINNT\system32\Adobe
2008-06-27 14:51:57 ----A---- C:\WINNT\SPIDERCM.INI
2008-06-23 17:38:45 ----D---- C:\Program Files\LEGO Island
2008-06-23 11:06:07 ----A---- C:\WINNT\system32\kbdjpn.dll
2008-06-23 11:06:07 ----A---- C:\WINNT\system32\kbd106.dll
2008-06-22 22:14:19 ----D---- C:\TIMWIN
2008-06-21 11:19:25 ----A---- C:\WINNT\system32\VBRUN300.DLL
2008-06-21 11:19:25 ----A---- C:\WINNT\system32\QMIXER32.DLL
2008-06-21 11:19:25 ----A---- C:\WINNT\system32\CTL3D.DLL
2008-06-14 21:03:31 ----A---- C:\WINNT\game.INI
2008-06-14 21:00:12 ----D---- C:\Program Files\Nancy Drew
2008-06-11 18:15:58 ----D---- C:\WINNT\SOLCACHE
2008-06-11 18:15:58 ----D---- C:\SIERRA
2008-06-11 18:15:14 ----A---- C:\WINNT\SIERRA.INI
2008-06-08 21:13:07 ----A---- C:\WINNT\unwise.exe
2008-06-08 21:13:07 ----A---- C:\WINNT\system32\inetwh32.dll

List of drivers

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINNT\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINNT\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINNT\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINNT\System32\DRIVERS\AvgAsCln.sys [2007-05-30 10872]
R1 cdrbsdrv;cdrbsdrv; C:\WINNT\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
R1 OMCI;OMCI; C:\WINNT\system32\SYSTEM32\DRIVERS\OMCI.SYS []
R2 aswMon;avast! Standard Shield Support; C:\WINNT\system32\drivers\aswMon.sys [2008-01-17 93264]
R2 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\system32\System32\drivers\ws2ifsl.sys []
R3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 Afc;PPdus ASPI Shell; C:\WINNT\system32\drivers\Afc.sys [2006-11-10 18688]
R3 aswRdr;aswRdr; C:\WINNT\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\system32\DRIVERS\HPZid412.sys [2004-06-21 51088]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\system32\DRIVERS\HPZipr12.sys [2004-06-21 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\system32\DRIVERS\HPZius12.sys [2004-06-21 21744]
R3 ltmodem5;LT Modem Driver; C:\WINNT\system32\DRIVERS\ltmdmnt.sys [1999-10-23 413712]
R3 nv;nv; C:\WINNT\system32\DRIVERS\nv4_mini.sys [2003-04-24 1271706]
R3 NWADI;NWADI Bus Enumerator; C:\WINNT\system32\DRIVERS\NWADIenum.sys [2007-04-19 194048]
R3 NWUSBModem;Novatel Wireless USB Modem Driver; C:\WINNT\system32\DRIVERS\nwusbmdm.sys [2007-04-19 99200]
R3 NWUSBPort;Novatel Wireless USB Status Port Driver; C:\WINNT\system32\DRIVERS\nwusbser.sys [2007-04-19 99200]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2003-02-28 545024]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\system32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2003-06-19 19728]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\system32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\system32\DRIVERS\usbprint.sys [2003-06-19 21872]
R3 usbscan;USB Scanner Driver; C:\WINNT\system32\DRIVERS\usbscan.sys [2003-06-19 12592]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\system32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S1 cdrbsvsd;cdrbsvsd; C:\WINNT\system32\drivers\cdrbsvsd.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINNT\system32\DRIVERS\kbdhid.sys [2003-07-03 13744]
S2 hidusb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [2003-07-03 13904]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 DCamUSBEMPIA;Dazzle DVC Video Device; C:\WINNT\system32\DRIVERS\emDevice.sys [2005-12-21 100957]
S3 E1000;Intel® PRO/1000 Adapter Driver; C:\WINNT\system32\DRIVERS\e1000nt5.sys [2003-03-08 126016]
S3 emAudio;Dazzle DVC Audio Device; C:\WINNT\system32\drivers\emAudio.sys [2005-12-21 19712]
S3 FiltUSBEMPIA;USB Device Lower Filter; C:\WINNT\system32\DRIVERS\emFilter.sys [2005-12-21 5245]
S3 mouhid;Mouse HID Driver; C:\WINNT\system32\DRIVERS\mouhid.sys [2003-07-03 11632]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\system32\DRIVERS\NdisIP.sys [2004-07-09 10112]
S3 PalmUSBD;PalmUSBD; C:\WINNT\system32\drivers\PalmUSBD.sys [2004-04-13 16509]
S3 ScanUSBEMPIA;USB Still Image Capture Device; C:\WINNT\system32\DRIVERS\emScan.sys [2005-12-21 4493]
S3 SDTHOOK;SDTHOOK; C:\WINNT\System32\DRIVERS\SDTHOOK.sys [2007-06-05 44928]
S3 Secdrv;Secdrv; \??\C:\WINNT\system32\drivers\SECDRV.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]

List of services

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2007-05-30 312880]
R2 CwAltaService20;ContentWatch; C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [2007-10-17 1223168]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-05-15 79400]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINNT\system32\nvsvc32.exe [2003-04-24 69632]
R2 StiSvc;Still Image Service; C:\WINNT\system32\stisvc.exe [2003-07-03 61712]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\system32\mspmspsv.exe [2001-10-01 53248]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 138168]
S3 jrutqwywbiyv;jrutqwywbiyv; C:\WINNT\system32\drivers\jrutqwywbiyv.sys [2007-06-08 8576]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\system32\HPZipm12.exe [2004-03-18 65536]

-----------------EOF-----------------

*****RSIT Info.txt*****

info.txt logfile of random's system information tool 2008-09-06 09:28:04

Uninstall list

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02FB2C63-5763-4CDD-99E6-566C57189742}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe" -l0x9 /cont -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3881DD58-780F-4FCF-8A16-6E6800C2FEE0}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9225EABF-4457-403B-A82B-91614C9DDDF7}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9EFF51A-C925-4F1A-9DEB-DB5F970DE983}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E9CCEA28-3608-4078-8A07-997646E1A357}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD7FF74D-0AB5-48D6-929C-7E93A5162521}\setup.exe" -l0x9 -removeonly
7-Zip 4.44 beta-->"C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player-->C:\WINNT\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Adobe\SHOCKW~1\Install.log
ArcSoft PhotoImpression 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E629851A-1B1A-4671-961A-A9AF549E03A2}\SETUP.EXE" -l0x9
AutoCAD R14.0-->C:\WINNT\uninst.exe -f"C:\Program Files\AutoCAD R14\DeIsL1.isu"
Autodesk Design Review 2008-->MsiExec.exe /I{FACF203E-0F4D-489A-B80C-D185253C8FCB}
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG Anti-Spyware 7.5-->C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Championship Horse Trainer-->MsiExec.exe /I{6DF83074-9AB8-426A-AD1C-049543CA01F6}
Creative Memories Memory Manager 2-->MsiExec.exe /I{0F1A3568-7419-4115-A207-512B9F688267}
DeepBurner v1.7.0.208-->"C:\Program Files\Astonsoft\DeepBurner\Uninstall.exe" "C:\Program Files\Astonsoft\DeepBurner\install.log"
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DWG TrueView 2008-->C:\Program Files\DWG TrueView 2008\Setup\Setup.exe /P {B1A9CD45-A702-4E3B-91ED-8CD562869901} /M AOEM
ExtractNow-->"C:\Program Files\ExtractNow\unins000.exe"
First Step Guide-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C797EAF2-707A-4239-BDF3-F2672314A734}\setup.exe" -l0x9 UNINSTALL
Free DWG Viewer 5.4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}\setup.exe" -l0x9 -removeonly
Garmin GPS Control for Internet Explorer-->RunDll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\Program Files\Garmin GPS Control\GarminAxControl.inf
Garmin POI Loader-->MsiExec.exe /X{80A2A967-C1B7-412D-B2B2-C4A33209C205}
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
GSAK 7.1.2.30 (Final)-->"C:\Program Files\gsak\unins000.exe"
GSAK 7.2.1.40 (Final)-->"C:\Program Files\gsak\unins001.exe"
HijackThis 2.0.2-->"C:\Documents and Settings\Administrator\Desktop\HIJACKTHIS\HijackThis.exe" /uninstall
History Explorer-->C:\WINNT\UNINST.EXE -r"DK Multimedia\History Explorer\1.0" -n"History Explorer" -fC:\PROGRA~1\DKMULT~1\HISTOR~1\DeIsL1.isu -cC:\PROGRA~1\DKMULT~1\HISTOR~1\uninst.dll -oNT
HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update-->MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
ImageMixer VCD2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F8C6BABF-0837-4EA0-AD6C-8E5A392A7538}\setup.exe" -l0x9 UNINSTALL
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
JumpStart Music-->C:\WINNT\IsUninst.exe -fC:\KA\JSMUSIC\DeIsL1.isu
JumpStart Numbers-->C:\WINNT\IsUninst.exe -fC:\KA\JSNUMBER\DeIsL1.isu
JumpStart Reading for First Graders-->C:\WINNT\IsUninst.exe -fC:\KA\JSFR\DeIsL2.isu
Kaspersky Online Scanner-->C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LEGO Creator-->C:\WINNT\IsUninst.exe -f"C:\Program Files\LEGO Media\Constructive\CREATOR\Uninst.isu"
LEGO Island-->C:\PROGRA~1\LEGOIS~1\UNINST.EXE C:\PROGRA~1\LEGOIS~1\INSTALL.LOG
Macromedia Flash Player-->MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Math Advantage Pre-Algebra-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD7B678C-489A-479E-A895-6F320DFF8D00}\setup.exe" -uninst
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Age of Empires II-->"C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Internet Explorer 6 SP1-->rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Small Business-->MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mobile Broadband Drivers-->MsiExec.exe /X{190D0C6E-C8A7-4019-8FB5-FD041EC1F2D2}
Mozilla Firefox (2.0.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
My Amazing Human Body-->C:\WINNT\uninst.exe -r"DK Multimedia\My Amazing Human Body\1.00.0182" -n"My Amazing Human Body" -fC:\PROGRA~1\DKMULT~1\MYAMAZ~1\DeIsL2.isu -cC:\PROGRA~1\DKMULT~1\MYAMAZ~1\uninst.dll
My First Amazing Science Explorer-->C:\WINNT\UNINST.EXE -r"DK Multimedia\My First Amazing Science Explorer\1.0.0018" -n"My First Amazing Science Explorer" -fC:\PROGRA~1\DKMULT~1\MYFIRS~1\DeIsL1.isu -cC:\PROGRA~1\DKMULT~1\MYFIRS~1\uninst.dll -oNT
Nancy Drew: Secrets Can Kill-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Nancy Drew\Secrets Can Kill\Uninst.isu"
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Net Nanny Parental Controls 5.6-->"C:\Program Files\ContentWatch\Internet Protection\ContentProtect\Home\unins000.exe"
Network Play System (Patching)-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
NSIS HeadOverHeels (remove only)-->"C:\Program Files\HeadOverHeels\uninstall.exe"
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINNT\system32\nvinstnt.dll,NvUninstallNT4 nvdw.inf
Palm Desktop-->MsiExec.exe /X{E89D78B8-28F7-412F-8B26-C684739CBBDC}
Panda ActiveScan-->C:\WINNT\system32\ASUninst.exe Panda ActiveScan
PDF reDirect (remove only)-->C:\Program Files\PDF reDirect\Uninstall.exe
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
Picture Package-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
Pokémon-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Pokémon\Uninst.isu"
QuickTime-->C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
Reader Rabbit's 2nd Grade-->C:\WINNT\IsUninst.exe -fC:\Tlcwin\Rsg\Uninst\DeIsL1.isu
Re-Mission-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECE153E7-AC17-4468-B21F-07B8D5AF7D36}\SETUP.exe" -l0x9 -removeonly
Rescue Heroes Mission Select-->C:\Program Files\Common Files\Fisher-Price®\Uninstall\RHMissionUn.exe
RISA-2D 7.0 Demo-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8BBB038C-8D9B-42D4-9CC9-85C26F4FF77B}\setup.exe" -l0x9 -removeonly
RISA-3D 7.0 Demo-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A492D5A-17A1-4E2D-86A1-812262D44E28}\setup.exe" -l0x9 -removeonly
Sony Picture Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Structural Engineering Library-->C:\Program Files\Enercalc\uninstx.exe C:\Program Files\Enercalc\EC58INS.log
The Sims 2 University-->C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Maxis\The Sims\Uninst.isu"
The Sims™ 2 Deluxe-->C:\Program Files\EA GAMES\The Sims 2 Deluxe\EAUninstall.exe
VZAccess Manager-->C:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
Windows 2000 Hotfix - KB842773-->C:\WINNT\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Player 7.1-->C:\Program Files\Windows Media Player\setup_wm.exe /Uninstall

Hosts File

127.0.0.1 localhost

Environment variables

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Os2LibPath"=%SystemRoot%\system32\os2\dll;
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CWALTAHOME"=C:\Program Files\ContentWatch

-----------------EOF-----------------

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:59 PM

Posted 06 September 2008 - 02:07 PM

Hello azwanzig,

I notice that you have Spybot's TeaTimer running.
While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes.
So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {2E54E1BA-5425-4A97-B6D9-E1608853A9BB} - C:\WINNT\system32\urqQkKeE.dll (file missing)
O15 - Trusted Zone: *.amaena.comO15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)


Close all browsers and other windows except for HijackThis, and click "Fix checked"

*******************************************

Reboot your computer, post a new Hijackthis log
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 06 September 2008 - 07:02 PM

Hi SifuMike.

Teatimer disabled.
Java updated.
HijackThis entries deleted.

New HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:00 PM, on 9/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HIJACKTHIS\HijackThis2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60295
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cwtray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 6822 bytes

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:59 PM

Posted 06 September 2008 - 09:34 PM

Hello azwanzig,

We will run ComboFix©.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.

 It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.


Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVAST Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.


AVAST will cause BSOD unless you disable it like this:
Posted Image

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

 When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT 
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read  here   what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 07 September 2008 - 08:06 AM

Hi SifuMike.

When the computer restarted after running combofix, I got a Dial-Up Networking error stating, "Windows cannot access 0.pool.ntp.org. Would you like to connect to a network?" and the options: Settings; Dial; and Close.

Combofix log follows:

ComboFix 08-09-05.02 - Administrator 09/06/2008 21:00:36.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.751 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt
C:\WINNT\system32\aixgvdwx.dll
C:\WINNT\system32\EeKkQqru.ini
C:\WINNT\system32\EeKkQqru.ini2
C:\WINNT\system32\hqepgf.dll
C:\WINNT\system32\MSINET.oca
C:\WINNT\system32\REGOBJ.DLL
C:\WINNT\system32\rtl60.bpl

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSERVICE
-------\Legacy_PERFMONS
-------\Legacy_ROUTING


((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-06 21:06 . 08-09-06 21:06 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_278.dat
2008-09-06 16:44 . 08-06-10 02:32 73,728 --a------ C:\WINNT\system32\javacpl.cpl
2008-09-06 16:43 . 08-09-06 16:44 <DIR> d-------- C:\Program Files\Java
2008-09-06 16:43 . 08-09-06 16:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-06 09:27 . 08-09-06 09:28 <DIR> d-------- C:\rsit
2008-09-06 09:00 . 08-09-06 09:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-06 08:59 . 08-09-06 09:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 08:59 . 08-09-06 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-06 08:59 . 08-09-02 00:26 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-06 08:59 . 08-09-02 00:25 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-08-26 19:38 . 08-09-02 06:22 253 --a------ C:\WINNT\wininit.ini
2008-08-26 12:50 . 08-08-26 12:54 <DIR> d-a------ C:\WINNT\system32\eMaxt19
2008-08-26 12:50 . 08-08-26 12:50 <DIR> d-------- C:\Temp\bbc2
2008-08-26 12:50 . 08-08-26 12:53 417 --a------ C:\WINNT\VRM_Free.exe.ini
2008-08-24 20:37 . 08-08-24 20:37 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-08-24 20:37 . 08-08-24 20:37 1,409 --a------ C:\WINNT\QTFont.for
2008-08-24 20:37 . 08-08-24 20:51 119 --a------ C:\WINNT\mathadv.ini
2008-08-24 20:36 . 08-08-24 20:51 <DIR> d-------- C:\Mathadv
2008-08-24 20:36 . 08-08-24 20:50 28 --a------ C:\WINNT\encore_launcher.ini
2008-08-23 08:50 . 08-08-23 08:50 <DIR> d-------- C:\Tlcwin
2008-08-23 08:50 . 08-08-23 08:50 294 --a------ C:\WINNT\EReg077.dat
2008-08-23 08:50 . 08-08-23 08:50 109 --a------ C:\WINNT\TLCAPPS.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 01:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-02 04:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-25 03:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 07:07 --------- d-----w C:\Program Files\Lavasoft
2008-08-03 07:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 04:22 --------- d-----w C:\Program Files\EA GAMES
2008-07-31 22:54 --------- d-----w C:\Program Files\eGames
2008-07-17 16:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-09 03:30 --------- d-----w C:\Program Files\DK Multimedia
2007-04-10 23:50 271 ---h--w C:\Program Files\desktop.ini
2007-04-10 23:50 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04-05-12 15:18 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [04-02-12 13:38 49152]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [03-04-24 16:58 4616192]
"USB2Check"="C:\WINNT\system32\PCLECoInst.dll" [05-12-21 11:14 73728]
"cwtray"="C:\Program Files\ContentWatch\Internet Protection\cwtray.exe" [07-10-17 10:42 403456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Synchronization Manager"="mobsync.exe" [03-07-03 08:41 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-03 08:37 186640]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-06-03 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-07-19 07:35 78416]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 08:34 93264]
R2 CwAltaService20;ContentWatch;C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [07-10-17 10:42 1223168]
R3 NWADI;NWADI Bus Enumerator;C:\WINNT\system32\DRIVERS\NWADIenum.sys [07-04-19 12:09 194048]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 05:05 49776]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p0mcjnmt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 21:07:54
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\TEMP\_avast4_\unp230231585.tmp 52736 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe
-> C:\WINNT\system32\wxbase28u_vc_CW.dll
.
Completion time: 2008-09-06 21:20:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 04:20:33

Pre-Run: 39,441,043,456 bytes free
Post-Run: 39,414,861,824 bytes free

118

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:59 PM

Posted 07 September 2008 - 10:01 AM

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


Let me check to see how we do that with Windows 2000.

Edited by SifuMike, 07 September 2008 - 10:10 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:59 PM

Posted 07 September 2008 - 10:59 AM

When the computer restarted after running combofix, I got a Dial-Up Networking error stating, "Windows cannot access 0.pool.ntp.org. Would you like to connect to a network?" and the options: Settings; Dial; and Close.


This message can safely be ignored.



Please install Recovery Console on your Windows 2000.

How to install the Recovery Console on Windows 2000
http://www.cybertechhelp.com/tutorial/arti...ecovery-console



This is the procedure for Windows 2000:
To install the Recovery Console, perform the following steps:

1. Insert the Windows 2000 CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type
d:\i386\winnt32.exe /cmdcons
where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears, which describes the Recovery Console option.
5. The system prompts you to confirm installation. Click Yes to start the installation procedure.
6. Restart the computer. The next time you start your computer, you will see a "Microsoft Windows Recovery Console" entry on the boot menu.

If you do not have your Windows 2000 boot-CD at hand right now, you can skip this procedure for now, as it's possible to boot to the Recpvery Console using the boot-CD at any given time.



Then run ComboFix and post a fresh ComboFix log.

Edited by SifuMike, 07 September 2008 - 02:32 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 07 September 2008 - 03:39 PM

I do have my windows 2000 cd, but the recovery console installation failed with the message, "No valid system partitions were found. Setup is unable to continue."

New combofix log follows:

ComboFix 08-09-05.02 - Administrator 09/07/2008 12:57:18.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.725 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip

.
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 12:40 . 08-09-07 12:40 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_390.dat
2008-09-07 06:29 . 08-09-07 06:29 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_26c.dat
2008-09-06 16:44 . 08-06-10 02:32 73,728 --a------ C:\WINNT\system32\javacpl.cpl
2008-09-06 16:43 . 08-09-06 16:44 <DIR> d-------- C:\Program Files\Java
2008-09-06 16:43 . 08-09-06 16:43 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-06 09:27 . 08-09-06 09:28 <DIR> d-------- C:\rsit
2008-09-06 09:00 . 08-09-06 09:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-06 08:59 . 08-09-06 09:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 08:59 . 08-09-06 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-06 08:59 . 08-09-02 00:26 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-06 08:59 . 08-09-02 00:25 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-08-26 19:38 . 08-09-02 06:22 253 --a------ C:\WINNT\wininit.ini
2008-08-26 12:50 . 08-08-26 12:54 <DIR> d-a------ C:\WINNT\system32\eMaxt19
2008-08-26 12:50 . 08-08-26 12:50 <DIR> d-------- C:\Temp\bbc2
2008-08-26 12:50 . 08-08-26 12:53 417 --a------ C:\WINNT\VRM_Free.exe.ini
2008-08-24 20:37 . 08-08-24 20:37 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-08-24 20:37 . 08-08-24 20:37 1,409 --a------ C:\WINNT\QTFont.for
2008-08-24 20:37 . 08-08-24 20:51 119 --a------ C:\WINNT\mathadv.ini
2008-08-24 20:36 . 08-08-24 20:51 <DIR> d-------- C:\Mathadv
2008-08-24 20:36 . 08-08-24 20:50 28 --a------ C:\WINNT\encore_launcher.ini
2008-08-23 08:50 . 08-08-23 08:50 <DIR> d-------- C:\Tlcwin
2008-08-23 08:50 . 08-08-23 08:50 294 --a------ C:\WINNT\EReg077.dat
2008-08-23 08:50 . 08-08-23 08:50 109 --a------ C:\WINNT\TLCAPPS.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 01:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-02 04:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-25 03:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 07:07 --------- d-----w C:\Program Files\Lavasoft
2008-08-03 07:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 04:22 --------- d-----w C:\Program Files\EA GAMES
2008-07-31 22:54 --------- d-----w C:\Program Files\eGames
2008-07-17 16:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-09 03:30 --------- d-----w C:\Program Files\DK Multimedia
2007-04-10 23:50 271 ---h--w C:\Program Files\desktop.ini
2007-04-10 23:50 21,952 ---h--w C:\Program Files\folder.htt
2003-07-03 15:36 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04-05-12 15:18 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [04-02-12 13:38 49152]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [03-04-24 16:58 4616192]
"USB2Check"="C:\WINNT\system32\PCLECoInst.dll" [05-12-21 11:14 73728]
"cwtray"="C:\Program Files\ContentWatch\Internet Protection\cwtray.exe" [07-10-17 10:42 403456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Synchronization Manager"="mobsync.exe" [03-07-03 08:41 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-03 08:37 186640]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-06-03 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-07-19 07:35 78416]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 08:34 93264]
R2 CwAltaService20;ContentWatch;C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [07-10-17 10:42 1223168]
R3 NWADI;NWADI Bus Enumerator;C:\WINNT\system32\DRIVERS\NWADIenum.sys [07-04-19 12:09 194048]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 05:05 49776]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p0mcjnmt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 13:00:51
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\TEMP\_avast4_\unp136351649.tmp 52736 bytes executable
C:\WINNT\system32\Perflib_Perfdata_6e8.dat 16384 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe
-> C:\WINNT\system32\wxbase28u_vc_CW.dll
.
Completion time: 2008-09-07 13:04:54
ComboFix-quarantined-files.txt 2008-09-07 20:03:52
ComboFix2.txt 2008-09-07 04:20:40

Pre-Run: 39,422,304,256 bytes free
Post-Run: 39,414,751,232 bytes free

109

#11 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 07 September 2008 - 04:17 PM

By the way, I can't figure out how to get the Avast resident scanner to start back up. After disabling it, it hasn't started again. The Avast help file indicates that it should start of its own accord on windows startup, but it doesn't. I can't find a setting within Avast settings and configurations which would turn it back on. Do you know what I should do?

Thanks

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:59 PM

Posted 07 September 2008 - 05:48 PM

You will need to see hidden files, so follow these directions:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINNT\VRM_Free.exe.ini

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

I can't figure out how to get the Avast resident scanner to start back up. After disabling it, it hasn't started again. The Avast help file indicates that it should start of its own accord on windows startup, but it doesn't. I can't find a setting within Avast settings and configurations which would turn it back on.



See my previous thread for the procedure to disable Avast, then reverse it.
Make sure you uncheck the "disable self defense module"

If tha does not work, then uninstall Avast, then reinstall it.

Edited by SifuMike, 07 September 2008 - 05:49 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 07 September 2008 - 07:25 PM

Hi SifuMike.

Virustotal scan results:

File VRM_Free.exe.ini received on 09.08.2008 01:38:56 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/36 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.07 -
AntiVir 7.8.1.28 2008.09.07 -
Authentium 5.1.0.4 2008.09.07 -
Avast 4.8.1195.0 2008.09.07 -
AVG 8.0.0.161 2008.09.07 -
BitDefender 7.2 2008.09.08 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.07 -
DrWeb 4.44.0.09170 2008.09.07 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6072 2008.09.05 -
Ewido 4.0 2008.09.07 -
F-Prot 4.4.4.56 2008.09.07 -
F-Secure 8.0.14332.0 2008.09.07 -
Fortinet 3.112.0.0 2008.09.07 -
GData 19 2008.09.08 -
Ikarus T3.1.1.34.0 2008.09.07 -
K7AntiVirus 7.10.443 2008.09.05 -
Kaspersky 7.0.0.125 2008.09.08 -
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.08 -
NOD32v2 3424 2008.09.07 -
Norman 5.80.02 2008.09.05 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.07 -
Prevx1 V2 2008.09.08 -
Rising 20.60.62.00 2008.09.07 -
Sophos 4.33.0 2008.09.07 -
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.08 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.05 -
VBA32 3.12.8.5 2008.09.07 -
ViRobot 2008.9.5.1365 2008.09.06 -
VirusBuster 4.5.11.0 2008.09.07 -
Webwasher-Gateway 6.6.2 2008.09.07 -
Additional information
File size: 417 bytes
MD5...: 79aee88c758fbc086c76b03b1ddd15be
SHA1..: a2f3ba9bb34c2818b344f0dfd8065d6640c36177
SHA256: bb549e29fab0515e915f80e4fc2fe4665c46104a62ea6d436b39b566b81a35ab
SHA512: 96b4f59b994876998e4c05629fa2039fefd9e86e9f15f041cc20c66174d4f7b6
978ef071ff33878cc40c989b9f7023267a74fbb60fadf9d1acd7f3bf2c99d228
PEiD..: -
TrID..: File type identification
file seems to be plain text/ASCII (0.0%)
PEInfo: -


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy

************************************************************************************************************

It appears as if this file is a text document.
Following is a copy of the contents of that file:

[segments]
total=0
count=0
start_0=0
bytes_0=165776
avail_0=165776
start_1=165776
bytes_1=165776
avail_1=165776
start_2=331552
bytes_2=165776
avail_2=165776
start_3=497328
bytes_3=165776
avail_3=165776
start_4=663104
bytes_4=165776
avail_4=165776
[DATA]
cmd=/norestart /verysilent
url=http://download.virusremover2008.com/VRM_Free.exe
segments=0500000005
downloaded=0000000000
size=0000000000

Edited by azwanzig, 07 September 2008 - 07:31 PM.


#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:59 PM

Posted 07 September 2008 - 08:15 PM

Hi azwanzig,

That file looks good. :thumbsup:

Please post a fresh Hijackthis log and tell me how the computer is running.

Edited by SifuMike, 07 September 2008 - 08:16 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 azwanzig

azwanzig
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 07 September 2008 - 11:37 PM

Hi SifuMike.

Although the pop-ups and redirects have stopped, when I am not online I keep getting Dial-Up Networking alerts stating that, "Windows cannot access 0.pool.ntp.org. Would you like to connect to a network." The site address which Windows cannot access changes from alert to alert. Sometimes it is www.google.com, other times it is sites I don't recognize. This began after running combofix the first time this morning.

A new hijackthis report follows.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:34 PM, on 9/7/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\rasautou.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HIJACKTHIS\HijackThis2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60295
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cwtray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204509422796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{993B5030-D9E0-436A-B72A-28D3B44AC73F}: NameServer = 66.174.92.14 66.174.95.44
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 7109 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users