
Security Centre Not Enabled, Windows Very Slow In Startup--hijack Log


18 replies to this topic

#1 lifesuckedme


Posted 17 September 2008 - 03:40 AM

I had a problem with Windows Update and an inability to browse Microsoft sites.
But with the help of the Microsoft forums I downloaded some anti-malware (MBAM) and anti-virus software; after that I was able to solve all these problems except Security Center and the slow start-up.
A HijackThis log was advised by the Microsoft forums and I am presenting it to you. Please help me; I have been trying to enable my Security Center for a month.
I had Norton, which I recently removed because I thought my start-up was very slow due to this anti-virus alone.


Log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:19 PM, on 9/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\AOL\uninstaller.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\cmd.exe
c:\AV-CLS\Trend\SYSCLEAN.COM
C:\WINDOWS\System32\WgaTray.exe
c:\AV-CLS\Trend\sysclean.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\AV-CLS\Trend\SSCAN32.BIN

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: (no name) - {543837F3-9138-46BA-AB50-9694C1B8BA9E} - C:\WINDOWS\System32\xxyywuTm.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1122770921\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217966420656
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\armhelper.ocx
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 7710 bytes




In the meantime I would like to post the log file from the anti-malware:
Malwarebytes' Anti-Malware 1.28
Database version: 1151
Windows 5.1.2600

9/14/2008 6:26:09 PM
mbam-log-2008-09-14 (18-26-09).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|H:\|I:\|)
Objects scanned: 157444
Time elapsed: 3 hour(s), 59 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


PLEASE HELP ME! :thumbsup:



#2 Joe - London


Posted 17 September 2008 - 05:09 AM

Hi,

"I had a problem with Windows Update and an inability to browse Microsoft sites."



This is obviously a very neglected computer that has no updates showing in your log, and we need to understand why if we are to advise you at all.

Do you know if it is a legitimate or a pirated version of Windows XP?

Did you buy the computer new or second hand?

I'm not sure if Service Pack 1 is still available, but I understand it is required before installing Service Pack 2 and 3.
I'll check this out and let you know.

Please include the computer's spec when you post back.

Also post the following:

Open HijackThis.
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/Remove Programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'.
Copy and paste the contents in your next reply.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#3 lifesuckedme

Topic Starter

Posted 17 September 2008 - 10:21 AM

Thanks a lot Joe, for your great concern about me.
Yes, you are right; this is an old computer with everything in an old version.
Frankly speaking, I was not able to enable Automatic Updates until I ran MBAM (the anti-malware setup). Now I have started getting updates, but I am not able to enable Security Center. Only yesterday I did an online scan; no malware was detected.
Yes, this is Windows XP SP1, but I am not able to update to SP2.
Now, according to your suggestion, I am going to post uninstall.txt:


Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Adobe Shockwave Player 11
ANIO Service
ANIWZCS2 Service
BitComet 1.04
ccCommon
Dictionary.com Toolbar
HijackThis 2.0.2
HP Memories Disc
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
Internet Explorer Q832894
Internet Worm Protection
J2SE Runtime Environment 5.0 Update 7
Java™ 6 Update 7
Logitech Audio Echo Cancellation Component
Logitech Video Enumerator
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft XML Parser and SDK
Mozilla Firefox (3.0.1)
MpcStar 3.1
Outlook Express Q823353
Quick StartUp 2.3
QuickTime
RealPlayer Basic
Remove-it
Revo Uninstaller 1.71
RTC Client API v1.2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
SPBBC
Super Utilities Pro 2008 (8.0.1975 version)
UMVPLStandalone
VCRedistSetup
Viewpoint Media Player
Watson
Winamp (remove only)
Windows Installer 3.0 (KB884016)
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinRAR archiver
WLAN Monitor
Yahoo! Messenger


I have tried so many setups to make my computer fast. Yes, of course it is fast now, but my start-up time is very long: "WINDOWS IS STARTING" appears for a LONG LONG time.
Also Security Center is still disabled. I have rebooted with service.exe so many times.
THANKS IN ADVANCE

#4 Joe - London


Posted 17 September 2008 - 11:56 AM

OK, thanks for that information, which is helpful. I'd appreciate your response to my other questions as well. It's important, as it may affect your ability to clean up the computer and to update it.

"Yes, this is Windows XP SP1, but I am not able to update to SP2."

No, it isn't even SP1, and I ask these questions to determine why you can't update the system. It's a process of elimination.

How old is the computer and what is the spec?
Is your copy of the operating system legitimate?

First go to the add/remove utility in the control panel and uninstall the following:

BitComet 1.04 <--This is allegedly adware
Viewpoint Media Player <--This is allegedly foistware.


Open HijackThis, take another scan and place a checkmark next to these entries.


O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: (no name) - {543837F3-9138-46BA-AB50-9694C1B8BA9E} - C:\WINDOWS\System32\xxyywuTm.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)

The next lines are restrictions. If you didn't set them yourself or have them set by a software program such as Spybot Search and Destroy, then click the check-box on the left. If you intentionally set the restrictions, then leave them alone.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all open windows except HijackThis and click on "Fix checked".

Reboot the Computer.

"I had Norton, which I recently removed because I thought my start-up was very slow due to this anti-virus alone."

There are still entries in your log relating to Norton/Symantec, and they will have to be removed as well.

Please download and run the appropriate anti-virus Norton Removal Tool and Instructions to see if that removes them.

Deckard’s System Scanner

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
Post the following:
  • A new HijackThis log
  • Another Uninstall List.
  • The Deckard report.

This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.

Edited by Joe - London, 17 September 2008 - 11:58 AM.
Spelling error.

If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.
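As an added illustration for readers following the triage above (this is not code from the thread, from HijackThis or from Joe), here is a small Python script that parses HijackThis-style log lines and flags the same kinds of entries Joe singles out: targets marked "(file missing)" or "(no file)", "(no name)" BHOs and toolbars, O6 policy restrictions, and O4 autoruns that the owner should recognise. The sample input is a selection of lines copied from the first log in this thread; the flag names and the parsing rules are our own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: entries copied from the first HijackThis log in this thread.
# (The lines are real log lines; which ones to include was our choice.)
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {543837F3-9138-46BA-AB50-9694C1B8BA9E} - C:\WINDOWS\System32\xxyywuTm.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1122770921\ee\AOLSoftware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
"""

HEAD_RE = re.compile(r"^([RFNO]\d+) - (.*)$")     # "O2 - <body>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")    # {8-4-4-4-12}
ORPHAN_MARKERS = ("(file missing)", "(no file)")  # HijackThis's own markers
REVIEW_FLAGS = {"orphan", "unnamed", "policy-restriction"}  # our flag names


@dataclass
class Entry:
    section: str                 # e.g. "O2", "O6"
    body: str                    # everything after "O2 - "
    name: Optional[str] = None   # display name of a BHO/toolbar/button
    clsid: Optional[str] = None  # {GUID} if present
    target: Optional[str] = None # file or resource the entry points at
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for blanks and non-entry lines."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    e = Entry(section=section, body=body)
    cm = CLSID_RE.search(body)
    if cm:
        # Layout is "<kind>: <name> - {CLSID} - <target>"
        e.clsid = cm.group(0)
        before = body[:cm.start()].rstrip(" -")
        e.name = before.split(": ", 1)[1] if ": " in before else before
        e.target = body[cm.end():].lstrip(" -") or None
    elif section == "O4":
        # Layout is "<hive>\..\Run: [<value name>] <command>"
        e.target = body.split("] ", 1)[1] if "] " in body else body
    if e.target and e.target.endswith(ORPHAN_MARKERS):
        e.flags.append("orphan")          # registration left behind, file gone
    if e.name == "(no name)":
        e.flags.append("unnamed")         # BHO/toolbar with no display name
    if section == "O6":
        e.flags.append("policy-restriction")  # IE policy key present
    if section == "O4":
        e.flags.append("autorun")         # ask the owner whether they know it
    return e


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def needs_review(entries: List[Entry]) -> List[Entry]:
    """Entries a helper would ask about or tick for 'Fix checked'."""
    return [e for e in entries if REVIEW_FLAGS & set(e.flags)]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(f for e in entries for f in e.flags))


def report(log_text: str) -> List[str]:
    return [f"{e.section:3} {','.join(e.flags):22} {e.name or e.body}"
            for e in needs_review(triage(log_text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    print(summarize(triage(SAMPLE_LOG)))
```

The script only classifies; deciding what to fix still needs a person who knows what was installed, which is why O4 autoruns are listed but not put in the review set, matching the question Joe asks about the StartupFaster entries.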

#5 lifesuckedme

Topic Starter

Posted 17 September 2008 - 08:30 PM

Thanks JOE for your concern.
1. A new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:51 PM, on 9/17/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mmc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dictionary.reference.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Dictionary.com BHO - {14998b0b-2671-4adb-a005-dde2fb18eb35} - mscoree.dll (file missing)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Dictionary.com - {bf2aa568-0085-423c-ba01-69b6705a9a96} - mscoree.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1220945662-1580436667-854245398-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - Global Startup: StartupFaster
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217966420656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221691209770
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\armhelper.ocx
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 5079 bytes

2. New uninstall list

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Adobe Shockwave Player 11
ANIO Service
ANIWZCS2 Service
Dictionary.com Toolbar
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Memories Disc
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
J2SE Runtime Environment 5.0 Update 7
Java™ 6 Update 7
Logitech Audio Echo Cancellation Component
Logitech Video Enumerator
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft XML Parser and SDK
Mozilla Firefox (3.0.1)
MpcStar 3.1
Outlook Express Q823353
Quick StartUp 2.3
QuickTime
RealPlayer Basic
Remove-it
Revo Uninstaller 1.71
RTC Client API v1.2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Super Utilities Pro 2008 (8.0.1975 version)
UMVPLStandalone
VCRedistSetup
Watson
Winamp (remove only)
Windows Installer 3.0 (KB884016)
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinRAR archiver
WLAN Monitor
Yahoo! Messenger

3. The Deckard report.
UNABLE to install. I tried multiple times after closing all Windows applications.





My Windows XP is an old one; yes, it is second hand.
I have a Windows XP CD with a registered key.
I tried to make it SP1 but was not able to do that; the update is not good enough to support making it SP1 and 2 and 3, etc.

Running winver shows:

Microsft windows
Version5.1 {Build 2600.XPSP1.020828-1920}
copyright 1981-2001 Microsoft Corporation

Waiting for your reply.

#6 Joe - London


Posted 18 September 2008 - 04:12 AM

"I have a Windows XP CD with a registered key."

The question is, is this a legitimate or a pirated version? If you bought it second hand it may be the latter, in which case you will not be able to install the updates.
See if we can clear this up:
Download the MGADiag validation tool from Microsoft. Run it to validate your operating system and post the results here please.

As to the computer spec:

Do you know the make of the computer and the CPU type and make?

Open HijackThis, take another scan and place a checkmark next to these entries.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dictionary.reference.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Dictionary.com BHO - {14998b0b-2671-4adb-a005-dde2fb18eb35} - mscoree.dll (file missing)
O3 - Toolbar: Dictionary.com - {bf2aa568-0085-423c-ba01-69b6705a9a96} - mscoree.dll (file missing)


The next line is a restriction. If you didn't set it yourself or have it set by a software program such as Spybot Search and Destroy, then click the check-box on the left. If you intentionally set the restriction, then leave it alone.

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all open windows except HijackThis and click on "Fix checked".

Do you know about these entries? Did you install this? If the answer is no to both questions, fix them as well.
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster

Then reboot the computer.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#7 lifesuckedme

Topic Starter

Posted 18 September 2008 - 12:03 PM

Thanks for your keen interest in me.
My interest is also increasing.
1) Now my new HijackThis log 3, after fixing the Yahoo toolbar and Dictionary:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:27 AM, on 9/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\SoftwareDistribution\Download\f9caa54645105c608ede060e87d38098\update\update.exe

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1220945662-1580436667-854245398-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217966420656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221691209770
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\armhelper.ocx
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 4706 bytes

2} ComboFix log

ComboFix 08-09-16.05 - drmbhn 2008-09-18 11:10:02.1 - NTFSx86

Running from: C:\Documents and Settings\drmbhn\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Adobe\crc.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mTuwyyxx.ini
C:\WINDOWS\system32\mTuwyyxx.ini2
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll

----- BITS: Possible infected sites -----

http://pornotube8.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.

2008-09-18 10:42 . 2008-09-18 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-09-17 23:04 . 2008-09-17 23:05 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-17 19:48 . 2002-08-29 04:41 599,040 --a------ C:\WINDOWS\system32\WININET.DLL
2008-09-17 19:23 . 2008-09-17 19:23 <DIR> d-------- C:\AdventNet
2008-09-17 18:36 . 2008-09-17 19:51 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-09-17 17:52 . 2008-09-17 17:52 268 --ah----- C:\sqmdata01.sqm
2008-09-17 17:52 . 2008-09-17 17:52 244 --ah----- C:\sqmnoopt01.sqm
2008-09-17 17:50 . 2008-09-17 18:36 5,279 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-09-17 16:59 . 2008-09-17 16:59 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-17 16:49 . 2008-09-17 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-17 12:10 . 2008-09-17 12:10 244 --ah----- C:\sqmnoopt00.sqm
2008-09-17 12:10 . 2008-09-17 12:10 232 --ah----- C:\sqmdata00.sqm
2008-09-16 15:22 . 2008-09-16 15:22 <DIR> d-------- C:\Documents and Settings\drmbhn\Application Data\TigerPlayer
2008-09-16 08:42 . 2008-09-16 08:42 <DIR> d-------- C:\Program Files\Remove-it mb
2008-09-16 07:55 . 2008-09-16 07:55 <DIR> d-------- C:\Documents and Settings\Guest
2008-09-16 00:22 . 2008-09-16 00:22 <DIR> d---s---- C:\Documents and Settings\drmbhn\UserData
2008-09-16 00:10 . 2008-09-17 19:36 <DIR> d-------- C:\Documents and Settings\drmbhn
2008-09-14 12:19 . 2008-09-17 01:31 <DIR> d-------- C:\e2d79d1aefd1d077444b47
2008-09-12 23:21 . 2006-11-21 20:24 1,488,688 --a------ C:\Documents and Settings\Administrator\LegitCheckControl.dll
2008-09-12 23:21 . 2007-12-30 12:17 2,483 --a------ C:\Documents and Settings\Administrator\installer.bat
2008-09-12 17:08 . 2008-09-12 17:08 <DIR> d-------- C:\Program Files\Dictionary.com
2008-09-12 17:08 . 2008-09-12 17:08 128 --a------ C:\WINDOWS\system32\dictionary_bho.reg
2008-09-12 00:29 . 2008-09-12 00:29 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-11 11:46 . 2008-09-11 11:46 <DIR> d-------- C:\Program Files\My Downloaded Games
2008-09-11 11:45 . 2005-03-11 18:06 102,400 --a------ C:\WINDOWS\system32\PandoraCtrl.dll
2008-09-11 00:02 . 2003-01-10 16:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2008-09-10 19:51 . 2008-09-10 19:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-09-10 10:19 . 2004-03-29 20:25 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2008-09-10 10:19 . 2004-03-29 20:25 593,408 --a--c--- C:\WINDOWS\system32\dllcache\h323msp.dll
2008-09-10 10:19 . 2004-03-29 20:25 364,544 --a--c--- C:\WINDOWS\system32\dllcache\callcont.dll
2008-09-10 10:19 . 2004-03-29 20:25 253,952 --a--c--- C:\WINDOWS\system32\dllcache\mst120.dll
2008-09-10 10:19 . 2004-03-29 20:25 253,440 --a------ C:\WINDOWS\system32\h323.tsp
2008-09-10 10:19 . 2004-03-29 20:25 253,440 --a--c--- C:\WINDOWS\system32\dllcache\h323.tsp
2008-09-10 10:19 . 2004-03-29 20:25 73,728 --a--c--- C:\WINDOWS\system32\dllcache\nmcom.dll
2008-09-10 10:19 . 2004-03-29 20:25 40,960 --a--c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2008-09-10 10:10 . 2003-10-21 17:42 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2008-09-10 10:10 . 2003-10-21 17:42 32,256 --a--c--- C:\WINDOWS\system32\dllcache\msgsvc.dll
2008-09-10 01:45 . 2005-07-30 19:30 2,577 --a------ C:\WINDOWS\system32\config.bak
2008-09-10 01:45 . 2005-07-30 19:30 2,577 --a------ C:\WINDOWS\config.nt
2008-09-10 01:45 . 2008-04-09 19:46 1,789 --a------ C:\WINDOWS\system32\autoexec.bak
2008-09-10 01:45 . 2008-04-09 19:46 1,789 --a------ C:\WINDOWS\autoexec.nt
2008-09-10 01:44 . 2008-09-11 14:35 <DIR> d-------- C:\AV-CLS
2008-09-10 01:26 . 2008-09-15 19:41 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-09-10 01:25 . 2008-09-10 01:25 123,392 --a------ C:\WINDOWS\system32\itss.dll
2008-09-10 01:25 . 2008-09-10 01:25 123,392 --a--c--- C:\WINDOWS\system32\dllcache\itss.dll
2008-09-10 00:12 . 2004-07-01 17:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-09-10 00:12 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-10 00:12 . 2004-07-01 17:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-09-10 00:12 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-10 00:12 . 2004-07-01 17:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-09-10 00:12 . 2004-07-01 17:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-09-10 00:12 . 2004-07-01 17:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-09-09 18:12 . 2008-09-10 13:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 18:12 . 2008-09-09 18:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-09 18:12 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 18:12 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 17:44 . 2008-09-09 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-09-09 00:09 . 2008-09-09 00:09 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-09-08 21:27 . 2008-09-08 21:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-08 19:03 . 2008-09-10 14:38 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-08 15:05 . 2008-09-08 15:05 216 --a------ C:\WINDOWS\system32\xmltwo.zip
2008-09-08 11:09 . 2002-07-26 17:02 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
2008-09-08 10:39 . 2008-09-08 10:39 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2008-09-07 02:25 . 2008-09-07 02:25 <DIR> d-------- C:\Program Files\Quick StartUp
2008-09-06 22:47 . 2008-09-06 22:47 <DIR> d-------- C:\Program Files\VS Revo Group
2008-09-06 17:58 . 2008-07-18 22:09 215,752 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-09-06 01:27 . 2008-09-08 10:30 345 --ahs---- C:\WINDOWS\system32\vFhNnUvw.ini
2008-09-05 11:48 . 2008-09-05 11:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Seven Zip
2008-09-05 11:02 . 2008-09-05 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Softdisk LLC
2008-09-05 10:52 . 1996-11-05 16:19 247,648 --a------ C:\WINDOWS\UNINST16.EXE
2008-09-05 10:52 . 1995-07-13 18:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-09-05 10:51 . 2008-09-05 10:51 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-03 19:50 . 2001-08-23 07:00 150,016 --a------ C:\WINDOWS\system32\dllcache\winzm.ime
2008-09-03 19:50 . 2001-08-23 07:00 150,016 --a------ C:\WINDOWS\system32\dllcache\winsp.ime
2008-09-03 19:50 . 2001-08-23 07:00 150,016 --a------ C:\WINDOWS\system32\dllcache\winpy.ime
2008-09-03 19:50 . 2002-08-29 02:12 74,752 --a------ C:\WINDOWS\system32\dllcache\winar30.ime
2008-09-03 19:50 . 2001-08-23 07:00 69,120 --a------ C:\WINDOWS\system32\dllcache\wingb.ime
2008-09-03 19:50 . 2002-08-29 02:12 61,952 --a------ C:\WINDOWS\system32\dllcache\winime.ime
2008-09-03 19:49 . 2002-08-29 02:12 61,440 --a------ C:\WINDOWS\system32\dllcache\unicdime.ime
2008-09-03 19:48 . 2002-08-28 22:39 574,464 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-09-03 19:44 . 2002-08-29 02:12 73,728 --a------ C:\WINDOWS\system32\dllcache\quick.ime
2008-09-03 19:44 . 2002-08-29 02:12 24,576 --a------ C:\WINDOWS\system32\dllcache\romanime.ime
2008-09-03 19:43 . 2002-08-28 22:39 479,744 --a------ C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-09-03 19:43 . 2002-08-29 02:12 75,264 --a------ C:\WINDOWS\system32\dllcache\phon.ime
2008-09-03 19:36 . 2002-06-12 20:14 340,013 --a------ C:\WINDOWS\system32\dllcache\imjp81.ime
2008-09-03 19:36 . 2002-08-29 02:12 89,088 --a------ C:\WINDOWS\system32\dllcache\imekr61.ime
2008-09-03 19:29 . 2002-08-29 02:12 74,752 --a------ C:\WINDOWS\system32\dllcache\dayi.ime
2008-09-03 19:28 . 2002-08-29 02:12 74,240 --a------ C:\WINDOWS\system32\dllcache\chajei.ime
2008-09-03 19:28 . 2002-08-28 22:39 21,504 --a------ C:\WINDOWS\system32\dllcache\cintlgnt.ime
2008-09-03 18:58 . 2002-08-29 04:40 339,456 --a--c--- C:\WINDOWS\system32\dllcache\OLDE7F.tmp
2008-09-03 18:58 . 2001-08-17 22:36 312,832 --a--c--- C:\WINDOWS\system32\dllcache\OLDE6F.tmp
2008-09-03 18:58 . 2001-08-17 12:12 97,354 --a--c--- C:\WINDOWS\system32\dllcache\OLDE83.tmp
2008-09-03 18:58 . 2001-08-17 13:57 77,568 --a--c--- C:\WINDOWS\system32\dllcache\OLDE91.tmp
2008-09-03 18:58 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\OLDE38.tmp
2008-09-03 18:58 . 2001-08-17 22:36 45,056 --a--c--- C:\WINDOWS\system32\dllcache\OLDE6A.tmp
2008-09-03 18:58 . 2001-08-23 07:00 29,184 --a--c--- C:\WINDOWS\system32\dllcache\OLDE89.tmp
2008-09-03 18:58 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\OLDE34.tmp
2008-09-03 18:58 . 2001-08-23 07:00 10,240 --a--c--- C:\WINDOWS\system32\dllcache\OLDE86.tmp
2008-09-03 15:23 . 2008-09-04 11:54 <DIR> d-------- C:\Program Files\Maxthon
2008-09-03 14:25 . 2008-09-03 14:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-09-03 14:22 . 2008-09-03 14:22 <DIR> d-------- C:\Program Files\Grisoft avg
2008-09-03 00:48 . 2008-09-04 11:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla(2)
2008-09-01 02:19 . 2008-09-01 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-31 13:59 . 2008-09-09 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\bopavqjk
2008-08-31 13:58 . 2008-08-31 13:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\URSoft
2008-08-29 22:45 . 2003-05-30 09:00 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2008-08-29 17:07 . 2008-08-29 17:07 42 --a------ C:\WINDOWS\system32\AK083E209605E394C.lie
2008-08-29 17:06 . 2008-08-29 17:39 <DIR> d-------- C:\Program Files\Perfect Uninstaller
2008-08-29 15:30 . 2008-09-15 19:41 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-29 14:59 . 2008-08-29 15:12 <DIR> d-------- C:\NFSMWDemo
2008-08-28 22:43 . 2008-09-10 11:05 1,029,664 --a------ C:\WINDOWS\setupapi.log.1.old
2008-08-27 15:07 . 2008-09-06 17:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-27 15:07 . 2008-08-27 15:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-26 00:20 . 2008-08-28 14:59 <DIR> d-------- C:\Program Files\Common Files\Audio
2008-08-25 22:10 . 2008-09-05 12:03 345 --ahs---- C:\WINDOWS\system32\nTwxIRqr.ini
2008-08-25 17:27 . 2008-09-04 16:29 278 --a------ C:\WINDOWS\videomodes.xml
2008-08-25 15:03 . 2008-09-06 18:45 80 --a------ C:\WINDOWS\SuperUtil.ini
2008-08-25 14:53 . 2008-08-25 14:53 0 --a------ C:\WINDOWS\system32\suupdate.dat
2008-08-25 14:52 . 2008-08-25 14:52 <DIR> d-------- C:\Program Files\SuperLogix
2008-08-25 13:11 . 2008-08-25 13:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-08-25 02:26 . 2008-09-17 19:36 <DIR> d-------- C:\Program Files\Google
2008-08-25 00:28 . 2008-08-28 09:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-08-24 23:40 . 2008-09-10 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-24 20:52 . 2008-08-24 20:52 <DIR> d-------- C:\WINDOWS\LogFiles
2008-08-24 01:11 . 2008-08-24 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-18 01:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-17 21:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-16 20:23 --------- d-----w C:\Program Files\BitComet
2008-09-16 04:43 --------- d-----w C:\Program Files\Pure Networks
2008-09-13 04:24 --------- d-----w C:\Program Files\Yahoo!
2008-09-12 05:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-12 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-11 02:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL
2008-09-09 18:18 --------- d-----w C:\Program Files\MSN Messenger
2008-09-08 20:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-03 18:45 --------- d-----w C:\Program Files\Replay Converter
2008-08-29 14:09 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2008-08-29 14:09 --------- d-----w C:\Program Files\Common Files\Real
2008-08-24 06:12 --------- d-----w C:\Program Files\QuickTime
2008-08-21 00:58 --------- d-----w C:\Program Files\Helicopter Strike Force
2008-08-21 00:11 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-08-20 23:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6
2008-08-19 03:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-18 03:51 --------- d-----w C:\Program Files\ScenicReflections
2008-08-18 03:18 86,513 ----a-w C:\WINDOWS\WinVerCheck.exe
2008-08-16 23:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-08-15 14:19 --------- d-----w C:\Program Files\Java
2008-08-14 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-14 00:17 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-13 15:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-13 15:28 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-13 15:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-13 14:42 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-08-12 21:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ArcSoft
2008-08-12 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-08-08 22:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2008-08-08 04:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2008-08-08 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\TheRace_dev
2008-08-08 03:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iWinArcade
2008-08-08 03:30 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-08-08 01:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SpinTop Games
2008-08-08 01:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SpinTop
2008-08-06 19:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TigerPlayer
2008-08-06 14:34 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-06 14:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-05 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-05 20:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-08-05 19:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\RegFixPro
2008-08-05 19:00 --------- d-----w C:\Program Files\Real
2008-08-05 08:02 --------- d-----w C:\Program Files\ANI
2008-08-05 08:01 --------- d-----w C:\Program Files\Airlink101
2008-08-05 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\SweetIM
2008-08-05 05:39 --------- d-----w C:\Program Files\Common Files\Logitech
2008-08-05 05:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-04 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-02 06:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MySpace
2008-08-01 22:30 --------- d-----w C:\Program Files\Winamp
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution mukul renamed it\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-17 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= JPEGCODE.DLL
"VIDC.MPEG"= JPEGCODE.DLL
"vidc.tscc"= C:\PROGRA~1\MPCSTA~1\Codecs\tscc\tsccvid.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares destiny

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Airlink101 WLAN Monitor]
--a------ 2006-10-12 19:38 958464 C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2006-06-29 17:34 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
--a------ 2008-07-17 08:50 2599224 C:\Program Files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kek]
--a------ 2008-08-14 15:06 41764 c:\WINDOWS\system32\kek.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-06-26 10:33 243248 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mpt]
--a------ 2008-08-05 23:52 58629 c:\WINDOWS\system32\mpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-08-29 09:07 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Utilities]
--a------ 2008-02-25 18:33 2252800 C:\Program Files\SuperLogix\Super Utilities mb\SuperUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-12 19:50 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Audio for Windows"=sdfhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\AV-CLS\\WGET.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11377:TCP"= 11377:TCP:BitComet 11377 TCP
"11377:UDP"= 11377:UDP:BitComet 11377 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1122770921\ee\AOLSoftware.exe
MSConfigStartUp-IPHSend - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
MSConfigStartUp-Pure Networks Port Magic - C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-Audio for Windows - sdfhost.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\drmbhn\Application Data\Mozilla\Firefox\Profiles\zekbgl83.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://dictionary.reference.com
FF -: plugin - C:\Program Files\MpcStar mb\Codecs\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\MpcStar mb\Codecs\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 11:29:07
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-09-18 11:34:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-18 16:34:18

Pre-Run: 9,321,771,008 bytes free
Post-Run: 14,039,306,240 bytes free

306 --- E O F --- 2008-09-18 16:02:57

3} Result of the MGADiag validation tool from Microsoft:

Validation status: Invalid product key
Validation code: 8
Online validation code: N/A
Product key: *****-*****-GQVVC-MKQYP-HP7YE
Product key hash:
Product ID: 5527-------------------
Windows OS version: 5.1.2600.2.00010100.0.0pro


I can send you more if you need it.
I cannot copy that, and I am very slow in typing, so I can send it to you again.


Waiting for your reply.

#8 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 18 September 2008 - 01:17 PM

The HijackThis log is good now, and ComboFix found some undesirable stuff as well.
The computer should be running better than it was before.

Unfortunately the validation test came up negative:

Validation status: Invalid product key

Assuming that is correct, you will therefore not be able to update this system, and consequently it is pointless to continue working on this computer.

If you let me have the computer specification as requested earlier, I can advise you on how to proceed.

Joe
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.
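
A small triage script, added here as an example and not part of the thread or of either tool, that does in code what a log reviewer does by eye with the two logs posted above. It parses HijackThis O4/O23 lines for autostarts of oddly named files sitting directly in System32 and for orphaned services, and it parses ComboFix's REGEDIT4-style "Reg Loading Points" block for the Security Center values that keep it silent. The sample lines are constructed in the logs' format (mirroring entries that appear in this thread); the "suspicious name" heuristics are the editor's assumptions, not a rule of either tool.

```python
"""Triage helper for HijackThis / ComboFix text logs (added example; see the lead-in)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape HijackThis prints (mirrors entries seen in the thread).
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [lphcl58j0etdv] C:\\WINDOWS\\System32\\lphcl58j0etdv.exe
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
O23 - Service: Application Layer Gateway Service ALGSchedule (ALGSchedule) - Unknown owner - C:\\WINDOWS\\system32\\A.tmp.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\\program files\\common files\\logitech\\lvmvfm\\LVPrcSrv.exe
"""

# Constructed sample of the REGEDIT4-style "Reg Loading Points" block ComboFix prints.
SAMPLE_REG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+) \((?P<svc>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
BARE_SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.I)
SC_KEY = "hkey_local_machine\\software\\microsoft\\security center"
SC_SUPPRESS_VALUES = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                      "FirewallDisableNotify", "UpdatesDisableNotify"}
Finding = Tuple[str, str]  # (identifier, reason)

def suspicious_filename(filename: str) -> Optional[str]:
    """Heuristic (editor's assumption): names that look generated rather than chosen."""
    stem = filename.rsplit(".", 1)[0]
    if ".tmp" in filename.lower():
        return "temporary-looking executable name"
    if len(stem) >= 10 and re.search(r"\d", stem) and re.search(r"[a-z]", stem, re.I):
        return "long mixed letter/digit name"
    return None

def triage_hijackthis(text: str) -> List[Finding]:
    """Flag oddly named O4 autostarts in System32, oddly named service binaries, and orphaned O23 services."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            bare = BARE_SYSTEM32_RE.match(m.group("path"))
            reason = suspicious_filename(bare.group(1)) if bare else None
            if reason:
                findings.append((m.group("name"), "O4 autostart from System32: " + reason))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            exe = path.replace(" (file missing)", "").split("\\")[-1]
            reason = suspicious_filename(exe)
            if reason:
                findings.append((m.group("svc"), "O23 service binary: " + reason))
            elif path.endswith("(file missing)") and m.group("owner") == "Unknown owner":
                findings.append((m.group("svc"), "O23 orphan: unknown owner and binary missing"))
    return findings

def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4-style dump into {key path: {value name: raw value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys

def dword_set(value: str) -> bool:
    """True for a non-zero REGEDIT4 dword such as dword:00000001."""
    return value.lower().startswith("dword:") and int(value.split(":", 1)[1], 16) != 0

def security_center_status(reg: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Report values that keep XP's Security Center silent or stop it monitoring a vendor's product."""
    findings: List[Finding] = []
    for key, values in reg.items():
        lowered = key.lower()
        if lowered == SC_KEY:
            findings += [(n, "Security Center suppression flag set")
                         for n, v in values.items() if n in SC_SUPPRESS_VALUES and dword_set(v)]
        elif lowered.startswith(SC_KEY + "\\monitoring\\") and dword_set(values.get("DisableMonitoring", "")):
            findings.append((key.rsplit("\\", 1)[1], "monitoring disabled for this vendor's product"))
    return findings

if __name__ == "__main__":
    for ident, reason in triage_hijackthis(SAMPLE_HJT) + security_center_status(parse_regedit4(SAMPLE_REG)):
        print(f"{ident:24} {reason}")
```

Run stand-alone, it flags lphcl58j0etdv (a random-looking name run from System32), ALGSchedule (a service pointing at A.tmp.exe) and AOL ACS (an orphaned service entry), and then the three Security Center values. Those values are the ones the ComboFix log above lists: AntiVirusOverride and AntiVirusDisableNotify under the Security Center key are what a third-party suite sets to take over status reporting, and Monitoring\SymantecAntiVirus\DisableMonitoring=1 tells Security Center not to watch that product at all. They survive an incomplete uninstall, which fits the Symantec leftovers (Symantec Shared, SYMEVENT, symlcbrd.sys) the same log's Find3M section still shows after Norton was removed.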

#9 lifesuckedme

lifesuckedme
  • Topic Starter

  • Members
  • 12 posts

Posted 18 September 2008 - 04:47 PM

It is very sad to know that I am using an invalid product.
But I want to know why my Security Centre is disabled. Can't I enable it?
Please help me in this regard.
Thanks, and waiting for your reply.

#10 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 18 September 2008 - 06:07 PM

It is very sad to know that I am using an invalid product.

It also infringes copyright law and is therefore illegal.

But I want to know why my Security Centre is disabled. Can't I enable it?
Please help me in this regard.

I have helped you as best I can to clean the computer and to determine why you can't update the system. To advise you further I need you to provide the information I requested, namely the computer's specification.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#11 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 21 September 2008 - 05:58 AM

If you believe you have a legal copy of Windows XP but the computer still fails the validation test, please go to this site for further help and carefully follow the instructions:
http://www.microsoft.com/genuine/diag/

Then post back and let us know how you got on, and include the computer's specification as requested earlier.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#12 lifesuckedme

lifesuckedme
  • Topic Starter

  • Members
  • 12 posts

Posted 28 September 2008 - 12:19 PM

Hi friends,
For 3 days I have been infected with viruses like a rootkit and similar others,
trojan fake alert.
I scanned a lot of times with MBAM; I removed 15 to 20 infections each
time, and again I got the similar infections. Now I am tired; I even directly
removed infected registry keys.
My computer, especially the Internet, is very slow in browsing and startup.
Please help me.
MY HIJACKTHIS LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:10 PM, on 9/28/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [lphcl58j0etdv] C:\WINDOWS\System32\lphcl58j0etdv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\stg_drm.ocx
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217966420656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221691209770
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Amazing Adventures Around the World\Images\armhelper.ocx
O23 - Service: Application Layer Gateway Service ALGSchedule (ALGSchedule) - Unknown owner - C:\WINDOWS\system32\A.tmp.exe (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL Connectivity Service AOLhelpsvcMSDTCclr_optimization_v2.0.50727_32 (AOLhelpsvcMSDTCclr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\system32\E.tmp.exe (file missing)
O23 - Service: Logical Disk Manager dmserverALGSchedule (dmserverALGSchedule) - Unknown owner - C:\WINDOWS\system32\13.tmp.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support helpsvcMSDTCclr_optimization_v2.0.50727_32 (helpsvcMSDTCclr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\system32\8.tmp.exe (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Distributed Transaction Coordinator MSDTCclr_optimization_v2.0.50727_32 (MSDTCclr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\system32\5.tmp.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) RpcSswscsvc (RpcSswscsvc) - Unknown owner - C:\WINDOWS\system32\19.tmp.exe (file missing)
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessWmdmPmSp (SharedAccessWmdmPmSp) - Unknown owner - C:\WINDOWS\System32\activedsx.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 5547 bytes




THANX A LOT IN ADVANCE......
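The O4 and O23 lines in a log like the one above carry most of the signal a helper reads first: services with an unknown owner whose binary sits under system32 as a short `*.tmp.exe` name (or is already missing), a legitimate service display name with the bogus short name appended, and a Run value with a random-looking name. The triage below is an added example written for this thread, not part of the HijackThis tool or the original post; the sample lines are constructed to mirror this log and every heuristic is a hypothetical rule, not a verdict.

```python
import re

# Constructed sample in the shape of the HijackThis O4/O23 lines in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [lphcl58j0etdv] C:\\WINDOWS\\System32\\lphcl58j0etdv.exe
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
O23 - Service: Application Layer Gateway Service ALGSchedule (ALGSchedule) - Unknown owner - C:\\WINDOWS\\system32\\A.tmp.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\\Program Files\\Common Files\\Logitech\\SrvLnch\\SrvLnch.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccessWmdmPmSp (SharedAccessWmdmPmSp) - Unknown owner - C:\\WINDOWS\\System32\\activedsx.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
# Display name, optional "(short name)", owner, path; the display name may itself contain parentheses.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.+?) - (?P<path>.+)$")
TMP_EXE_RE = re.compile(r"\\[0-9A-F]{1,2}\.tmp\.exe", re.IGNORECASE)
# Heuristic only: ten or more lowercase letters/digits with at least one digit mixed in.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{10,}$")


def triage(log_text):
    """Return (kind, name, path, [reasons]) for every O4/O23 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            reasons = []
            if RANDOM_NAME_RE.match(m["name"]):
                reasons.append("random-looking Run value name")
            if reasons:
                findings.append(("O4", m["name"], m["path"], reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["path"].endswith("(file missing)"):
                reasons.append("binary missing on disk")
            if m["owner"] == "Unknown owner" and "\\windows\\system32\\" in m["path"].lower():
                reasons.append("unknown owner under system32")
            if TMP_EXE_RE.search(m["path"]):
                reasons.append("*.tmp.exe service binary")
            # e.g. "Application Layer Gateway Service" + " ALGSchedule": a real name with the fake short name glued on
            if m["svc"] and m["display"].endswith(" " + m["svc"]):
                reasons.append("real service name with bogus short name appended")
            if reasons:
                findings.append(("O23", m["svc"] or m["display"], m["path"], reasons))
    return findings
```

Lines that match nothing (the Google updater, the Logitech launcher, the `swg` Run value) are left out of the findings, which is the point: the helper's eye goes to the handful of entries that remain.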

#13 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK
  • Local time:10:12 PM

Posted 29 September 2008 - 03:04 AM

Hello again,

You did not respond when I tried to help you before and as predicted your computer is re-infected.

If you still have a copy of combofix on your computer you will need to delete it as follows:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK (case insensitive)
  • When shown the disclaimer, Select "2"

    The above procedure will delete ComboFix and its associated files and folders.

Then please download a new copy of ComboFix from either of these two locations
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

To resolve this issue you need to update your operating system with all the latest service packs as I told you before. Have you authenticated the system? If you are unable to do this and you believe it to be legitimate you will have to contact Microsoft directly.
Please post back today (I shall be away from home as and from tomorrow for six weeks) with all the information so that I can help you further. As previously requested please include the computer's specifications.

Joe.
If I have helped you in any way, please consider a donation.
Member of UNITE and ASAP.

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,847 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:12 PM

Posted 29 September 2008 - 05:29 PM

Hello lifesuckedme,

I have merged your latest topic with your previous topic. Please keep all posts regarding this issue to this thread by using the Add Reply button at the bottom of the topic. Starting new topics confuses things and delays the assistance you receive.

Please STAY with this thread until you are declared clean. Just because the computer is symptom free does not mean that the infection is completely gone.

Please follow Joe London's instructions and post what he has requested.

Back to you Joe London.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#15 lifesuckedme

lifesuckedme
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:12 PM

Posted 30 September 2008 - 03:07 PM

Joe, I am extremely sorry, only now did I find my post; I was searching for it here and there... later I came to know that my new post was merged here with our old post.
Joe..I am doing according to your suggestion...



