
A Lot Of Adware


This topic is locked
14 replies to this topic

#1 djuice (Members, 18 posts)

Posted 09 May 2007 - 09:07 PM

I was searching for how to draw Star Wars characters and found what I thought was a good website. I clicked on "click here to watch video", and that's when the trouble started. I followed the "Preparation Guide for use before posting a HijackThis log" three times this week and I'm still having problems. Virtumundo keeps showing up (sorry, I forgot to put it in the topic title).

Anyway, here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:27:34 PM, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dave Miele\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ojfimput.dll",realset
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ruct] "C:\DOCUME~1\DAVEMI~1\MYDOCU~1\SSEMBL~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xgrn] C:\WINDOWS\system32\s?curity\??chost.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Z_Start.lnk = C:\Documents and Settings\Dave Miele\Desktop\zisky001.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Thanks

Edited by djuice, 09 May 2007 - 09:14 PM.
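The O4 (autostart) lines in the log above are what a malware responder reads first: the `rundll32.exe` entry loading a randomly named DLL from system32, the `s?curity\??chost.exe` path whose characters HijackThis cannot even render, and the executables launched from the user's own profile. As an added example that is not part of this thread, of HijackThis, or of ComboFix, the script below parses the O4 lines copied from the log in post #1 and attaches a few of those reading rules as flags. The flag names, the heuristics, and the `SAMPLE_LOG` subset are this example's own assumptions.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; not part of HijackThis, ComboFix or the
BleepingComputer instructions. The flag names and heuristics are this
example's own assumptions. SAMPLE_LOG is copied from the log in post #1.
"""
import ntpath
import re

# HKLM/HKCU Run keys:   O4 - HKLM\..\Run: [name] command
# Startup folders:      O4 - Startup: file.lnk = target
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$')

EXEC_EXT = ('.exe', '.cpl', '.scr', '.dll', '.com')
# Substrings that place an image under a user-writable profile directory.
USER_PROFILE_MARKERS = ('documents and settings', 'docume~1')

# Constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ojfimput.dll",realset
O4 - HKCU\..\Run: [Ruct] "C:\DOCUME~1\DAVEMI~1\MYDOCU~1\SSEMBL~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xgrn] C:\WINDOWS\system32\s?curity\??chost.exe
O4 - Startup: Z_Start.lnk = C:\Documents and Settings\Dave Miele\Desktop\zisky001.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
"""


def split_command(cmd):
    """Return (image, remaining arguments) for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted: Windows tries ever-longer space-delimited prefixes, so take
    # the shortest prefix that ends in an executable extension.
    parts = cmd.split(' ')
    for i in range(1, len(parts) + 1):
        candidate = ' '.join(parts[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate, ' '.join(parts[i:])
    # No recognisable extension: the first token is the image (e.g. "RunDll32 ...").
    return parts[0], ' '.join(parts[1:])


def rundll32_module(args):
    """Module that rundll32 will load: the first argument up to the ',export' part."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end > 0 else args[1:]
    return args.split(',', 1)[0]


def flags_for(image, module):
    """Heuristic flags for the file that really executes (the DLL for rundll32)."""
    target = module if module is not None else image
    low = target.lower()
    flags = []
    # '?' is not a legal filename character, so HijackThis is printing it in
    # place of characters it cannot render: a look-alike of a system path.
    if '?' in target or any(ord(c) > 126 for c in target):
        flags.append('unrenderable-chars')
    # A DLL run through rundll32 has no process of its own; verify the file.
    if module is not None and low.endswith('.dll'):
        flags.append('rundll32-dll')
    # Autostart images under the user profile are writable without admin rights.
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        flags.append('user-profile')
    # A bare filename is resolved via the search path; locate it before judging.
    if '\\' not in target:
        flags.append('bare-filename')
    return flags


def triage(log_text):
    """Parse every O4 line and attach heuristic flags; returns a list of dicts."""
    results = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        image, args = split_command(m.group('cmd'))
        module = None
        if ntpath.basename(image).lower() in ('rundll32', 'rundll32.exe'):
            module = rundll32_module(args)
        results.append({'hive': m.group('hive'), 'name': m.group('name'),
                        'image': image, 'module': module,
                        'flags': flags_for(image, module)})
    return results


def flags_of(log_text, name):
    """Flags for the entry with the given [name]; None if the name is absent."""
    for entry in triage(log_text):
        if entry['name'] == name:
            return entry['flags']
    return None


if __name__ == '__main__':
    for entry in triage(SAMPLE_LOG):
        target = entry['module'] or entry['image']
        print(f"{entry['hive']:<14} {entry['name']:<16} {target}")
        print(f"{'':<14} -> {', '.join(entry['flags']) or 'no flags'}")
```

Running the script prints one entry per O4 line with its flags. The flags are prompts for what to check next, not verdicts: `QuickTime Task` and `Google Updater.lnk` come out clean, `SoundMan` and `Cmaudio` get only `bare-filename` (legitimate sound drivers that happen to live on the search path), while `WindowsService`, `Ruct`, `Xgrn` and `Z_Start.lnk`, the entries the ComboFix run later deals with, each carry a flag.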




#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 10 May 2007 - 08:46 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 djuice (Topic Starter, Members, 18 posts)

Posted 10 May 2007 - 02:32 PM

Hi, Sam. Thanks for helping. Here are the results:

"Dave Miele" - 2007-05-10 15:18:08 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Dave Miele\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\boxgfalg.dll
C:\WINDOWS\system32\ojfimput.dll
C:\WINDOWS\system32\opnnlih.dll
C:\WINDOWS\system32\winjks32.dll
C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\tupmifjo.ini
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\cbxwtuu.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\Program Files\outerinfo\Terms.rtf
C:\DOCUME~1\DAVEMI~1\STARTM~1\Programs\Startup.\z_start.lnk
C:\Program Files\install.log
C:\install.log
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\drivers\npf.sys
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\DAVEMI~1
C:\qoobox\purity\C\DOCUME~1\DAVEMI~1\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\DAVEMI~1\MYDOCU~1\SSEMBL~1
C:\qoobox\purity\C\DOCUME~1\DAVEMI~1\MYDOCU~1\SSEMBL~1\?ssembly
C:\qoobox\purity\C\WINDOWS\ICROSO~1.NET
C:\qoobox\purity\C\WINDOWS\system32\SCURIT~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm
-------\NPF


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-10 ))))))))))))))))))))))))))))))))))


2007-05-09 21:00 <DIR> d-------- C:\VundoFix Backups
2007-05-07 16:30 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-07 08:21 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-07 07:36 <DIR> d-------- C:\DOCUME~1\DAVEMI~1\.housecall6.6
2007-05-06 13:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-05-06 10:45 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-05-06 10:45 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-05-06 10:45 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-05-06 10:44 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-05-06 10:44 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-05-06 10:44 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-05-06 10:44 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-05-06 10:44 <DIR> d-------- C:\Program Files\Alwil Software
2007-05-06 07:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-05 11:11 3,720 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-05 10:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-05 10:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-05 06:17 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-05 06:16 94,208 --a------ C:\WINDOWS\system32\dnsersnd.dll
2007-05-05 06:16 <DIR> d-------- C:\WINDOWS\system32\smpi1
2007-05-05 06:16 <DIR> d-------- C:\temp\tn3
2007-05-05 06:16 <DIR> d-------- C:\temp\17O7
2007-04-12 19:49 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-04-12 19:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-04-12 19:46 <DIR> d-------- C:\Program Files\Microsoft Works
2007-04-12 19:44 <DIR> d-------- C:\Program Files\Microsoft.NET


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-10 19:19:13 -------- d-----w C:\Program Files\PeerGuardian2
2007-05-09 02:12:47 -------- d-----w C:\Program Files\Kazaa Lite
2007-05-06 17:25:12 -------- d-----w C:\Program Files\Google
2007-05-06 14:37:41 -------- d-----w C:\Program Files\Symantec
2007-05-06 14:37:41 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-06 14:37:20 -------- d-----w C:\Program Files\Norton SystemWorks
2007-05-06 12:41:04 -------- d-----w C:\Program Files\PowerISO
2007-05-06 12:35:42 -------- d-----w C:\Program Files\EZSaveFlash
2007-04-13 00:48:47 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\ATI MMC
2007-04-02 22:41:53 -------- d-----w C:\Program Files\GameHouse
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-13 01:38:29 -------- d-----w C:\Program Files\Yahoo!
2007-03-13 01:38:29 -------- d-----w C:\Program Files\XviD
2007-03-13 01:38:29 -------- d-----w C:\Program Files\WM Recorder 10
2007-03-13 01:38:28 -------- d-----w C:\Program Files\WM Recorder
2007-03-13 01:38:26 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-13 01:38:26 -------- d-----w C:\Program Files\WinPcap
2007-03-13 01:38:25 -------- d-----w C:\Program Files\Windows NT
2007-03-13 01:38:20 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-13 01:38:19 -------- d-----w C:\Program Files\Windows Media Connect
2007-03-13 01:38:16 -------- d-----w C:\Program Files\Windows Media Components
2007-03-13 01:38:16 -------- d-----w C:\Program Files\Windows Journal Viewer
2007-03-13 01:38:16 -------- d-----w C:\Program Files\Web Publish
2007-03-13 01:38:16 -------- d-----w C:\Program Files\WallpaperToy
2007-03-13 01:38:16 -------- d-----w C:\Program Files\vso
2007-03-13 01:38:10 -------- d-----w C:\Program Files\Visioneer
2007-03-13 01:38:08 -------- d-----w C:\Program Files\Viewpoint
2007-03-13 01:37:57 -------- d-----w C:\Program Files\VideoLAN
2007-03-13 01:37:57 -------- d-----w C:\Program Files\videofixer
2007-03-13 01:37:55 -------- d-----w C:\Program Files\Verity
2007-03-13 01:37:49 -------- d-----w C:\Program Files\VERITAS Software
2007-03-13 01:37:49 -------- d-----w C:\Program Files\vanBasco's Karaoke Player
2007-03-13 01:37:47 -------- d-----w C:\Program Files\UBISOFT
2007-03-13 01:37:45 -------- d-----w C:\Program Files\Ubi Soft
2007-03-13 01:37:45 -------- d-----w C:\Program Files\TuneUp Utilities
2007-03-13 01:37:45 -------- d-----w C:\Program Files\TryMedia
2007-03-13 01:37:45 -------- d-----w C:\Program Files\Tony Hawk
2007-03-13 01:35:40 -------- d-----w C:\Program Files\The Wonderful Wizard of Oz
2007-03-13 01:35:33 -------- d-----w C:\Program Files\The Print Shop 20
2007-03-13 01:34:26 -------- d-----w C:\Program Files\Super Collapse! 3
2007-03-13 01:34:22 -------- d-----w C:\Program Files\Sony Handheld
2007-03-13 01:34:19 -------- d-----w C:\Program Files\Sony
2007-03-13 01:34:16 -------- d-----w C:\Program Files\Sonic
2007-03-13 01:33:53 -------- d-----w C:\Program Files\Smart Projects
2007-03-13 01:33:50 -------- d-----w C:\Program Files\SlySoft
2007-03-13 01:33:50 -------- d-----w C:\Program Files\Slovak Technical Services
2007-03-13 01:33:48 -------- d-----w C:\Program Files\SiSoftware
2007-03-13 01:33:47 -------- d-----w C:\Program Files\Simpsons Jeopardy!
2007-03-13 01:33:44 -------- d-----w C:\Program Files\SesameWorkshop
2007-03-13 01:33:44 -------- d-----w C:\Program Files\Sega
2007-03-13 01:33:43 -------- d-----w C:\Program Files\SC
2007-03-13 01:33:29 -------- d-----w C:\Program Files\Roxio
2007-03-13 01:33:29 -------- d-----w C:\Program Files\RightClickGoogleSearchOpenSelectedURL
2007-03-13 01:33:29 -------- d-----w C:\Program Files\Retro Classics
2007-03-13 01:33:24 -------- d-----w C:\Program Files\ReflexiveArcade
2007-03-13 01:33:13 -------- d-----w C:\Program Files\Real
2007-03-13 01:32:53 -------- d-----w C:\Program Files\RAR Password Cracker
2007-03-13 01:32:53 -------- d-----w C:\Program Files\QuickTime
2007-03-13 01:32:34 -------- d-----w C:\Program Files\Project64 v1.5
2007-03-13 01:32:33 -------- d-----w C:\Program Files\Postal2
2007-03-13 01:32:31 -------- d-----w C:\Program Files\PopCap Games
2007-03-13 01:32:20 -------- d-----w C:\Program Files\Pinnacle
2007-03-13 01:32:01 -------- d-----w C:\Program Files\PhotoWorks
2007-03-13 01:32:01 -------- d-----w C:\Program Files\Photo Mark
2007-03-13 01:32:01 -------- d-----w C:\Program Files\PeerGuardian_1.97b
2007-03-13 01:29:04 -------- d-----w C:\Program Files\PeerGuardian pr14
2007-03-13 01:29:04 -------- d-----w C:\Program Files\PeerGuardian pr13-6
2007-03-13 01:29:04 -------- d-----w C:\Program Files\PeerGuardian pr13-5
2007-03-13 01:29:03 -------- d-----w C:\Program Files\Online Services
2007-03-13 01:29:03 -------- d-----w C:\Program Files\NStorm
2007-03-13 01:29:03 -------- d-----w C:\Program Files\Nostalgia
2007-03-13 01:28:42 -------- d-----w C:\Program Files\Nero
2007-03-13 01:28:42 -------- d-----w C:\Program Files\My Fishing Log 4
2007-03-13 01:28:39 -------- d-----w C:\Program Files\MumboJumbo
2007-03-13 01:28:37 -------- d-----w C:\Program Files\MUDRacer
2007-03-13 01:28:37 -------- d-----w C:\Program Files\MSXML 4.0
2007-03-13 01:28:36 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-13 01:28:34 -------- d-----w C:\Program Files\Movie Maker
2007-03-13 01:28:32 -------- d-----w C:\Program Files\Morovia
2007-03-13 01:28:32 -------- d-----w C:\Program Files\Microsoft Reader
2007-03-13 01:28:32 -------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2007-03-13 01:28:18 -------- d-----w C:\Program Files\Microsoft Plus!
2007-03-13 01:27:19 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-13 01:27:18 -------- d-----w C:\Program Files\Messenger
2007-03-13 01:27:18 -------- d-----w C:\Program Files\MediaMonkey
2007-03-13 01:27:16 -------- d-----w C:\Program Files\Maxtor
2007-03-13 01:27:15 -------- d-----w C:\Program Files\MARGI
2007-03-13 01:27:15 -------- d-----w C:\Program Files\LucasArts
2007-03-13 01:27:15 -------- d-----w C:\Program Files\Loco Christmas Edition
2007-03-13 01:27:13 -------- d-----w C:\Program Files\LifeGlobe
2007-03-13 01:27:13 -------- d-----w C:\Program Files\Lavasoft Refupdate
2007-03-13 01:27:12 -------- d-----w C:\Program Files\Lavasoft
2007-03-13 01:27:11 -------- d-----w C:\Program Files\JoWooD
2007-03-13 01:27:11 -------- d-----w C:\Program Files\JFK Reloaded
2007-03-13 01:27:07 -------- d-----w C:\Program Files\Jellyvision
2007-03-13 01:27:07 -------- d-----w C:\Program Files\Java Web Start
2007-03-13 01:27:00 -------- d-----w C:\Program Files\iPod
2007-03-13 01:26:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-13 01:26:59 -------- d-----w C:\Program Files\Intel
2007-03-13 01:26:47 -------- d-----w C:\Program Files\HP
2007-03-13 01:26:43 -------- d-----w C:\Program Files\Home Plan Software
2007-03-13 01:26:43 -------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2007-03-13 01:26:38 -------- d-----w C:\Program Files\Hewlett-Packard
2007-03-13 01:25:57 -------- d-----w C:\Program Files\GlobalSCAPE
2007-03-13 01:25:57 -------- d-----w C:\Program Files\GiPo@Utilities
2007-03-13 01:25:52 -------- d-----w C:\Program Files\Gemstar
2007-03-13 01:25:52 -------- d-----w C:\Program Files\GBA Media
2007-03-13 01:25:41 -------- d-----w C:\Program Files\Foxit Software
2007-03-13 01:25:41 -------- d-----w C:\Program Files\FlashGet
2007-03-13 01:25:41 -------- d-----w C:\Program Files\FishByte5
2007-03-13 01:25:41 -------- d-----w C:\Program Files\Extreme HU
2007-03-13 01:25:40 -------- d-----w C:\Program Files\EuroTool
2007-03-13 01:25:39 -------- d-----w C:\Program Files\Empire Interactive
2007-03-13 01:25:39 -------- d-----w C:\Program Files\Easy Video Splitter
2007-03-13 01:24:27 -------- d-----w C:\Program Files\EA GAMES
2007-03-13 01:24:27 -------- d-----w C:\Program Files\DVD Shrink
2007-03-13 01:24:26 -------- d-----w C:\Program Files\Doom 3
2007-03-13 01:23:03 -------- d-----w C:\Program Files\DLDIrc
2007-03-13 01:23:03 -------- d-----w C:\Program Files\DivX
2007-03-13 01:22:59 -------- d-----w C:\Program Files\directx
2007-03-13 01:22:59 -------- d-----w C:\Program Files\Deluxe Ski Jump 3
2007-03-13 01:22:58 -------- d-----w C:\Program Files\CyberLink
2007-03-13 01:22:56 -------- d-----w C:\Program Files\CURITEL
2007-03-13 01:22:56 -------- d-----w C:\Program Files\Common Files\xing shared
2007-03-13 01:22:54 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-03-13 01:22:54 -------- d-----w C:\Program Files\Common Files\Visioneer Shared
2007-03-13 01:22:36 -------- d-----w C:\Program Files\Common Files\SWF Studio
2007-03-13 01:22:31 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-13 01:22:31 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-03-13 01:22:29 -------- d-----w C:\Program Files\Common Files\Sonic
2007-03-13 01:22:29 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-13 01:22:29 -------- d-----w C:\Program Files\Common Files\Real
2007-03-13 01:22:23 -------- d-----w C:\Program Files\Common Files\PocketSoft
2007-03-13 01:22:23 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-13 01:22:23 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-13 01:22:09 -------- d-----w C:\Program Files\Common Files\L&H
2007-03-13 01:22:09 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-13 01:22:06 -------- d-----w C:\Program Files\Common Files\Gibinsoft Shared
2007-03-13 01:22:06 -------- d-----w C:\Program Files\Common Files\CyberLink
2007-03-13 01:22:04 -------- d-----w C:\Program Files\Common Files\Broderbund
2007-03-13 01:21:50 -------- d-----w C:\Program Files\Common Files\Borland Shared
2007-03-13 01:21:50 -------- d-----w C:\Program Files\Common Files\ATI
2007-03-13 01:21:50 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-13 01:21:46 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-03-13 01:21:25 -------- d-----w C:\Program Files\Common Files\Acronis
2007-03-13 01:21:02 -------- d-----w C:\Program Files\Collectorz.com
2007-03-13 01:20:26 -------- d-----w C:\Program Files\Collapser 3D
2007-03-13 01:20:24 -------- d-----w C:\Program Files\Cheetah Burner
2007-03-13 01:20:24 -------- d-----w C:\Program Files\CDisplay
2007-03-13 01:20:23 -------- d-----w C:\Program Files\CAM Development
2007-03-13 01:20:20 -------- d-----w C:\Program Files\Bubble Bobble TNA
2007-03-13 01:20:19 -------- d-----w C:\Program Files\Bubble Bobble Planet
2007-03-13 01:20:19 -------- d-----w C:\Program Files\BitTornado
2007-03-13 01:20:18 -------- d-----w C:\Program Files\BitLord
2007-03-13 01:20:17 -------- d-----w C:\Program Files\BFG
2007-03-13 01:20:17 -------- d-----w C:\Program Files\Best Buys Interactive
2007-03-13 01:20:17 -------- d-----w C:\Program Files\BabyCharts
2007-03-13 01:20:17 -------- d-----w C:\Program Files\AvRack
2007-03-13 01:20:16 -------- d-----w C:\Program Files\AVI MPEG Splitter
2007-03-13 01:20:16 -------- d-----w C:\Program Files\AVI MPEG ASF WMV Splitter
2007-03-13 01:20:16 -------- d-----w C:\Program Files\Avance Sound Manager
2007-03-13 01:20:16 -------- d-----w C:\Program Files\AtomInterSoft
2007-03-13 01:20:16 -------- d-----w C:\Program Files\ATI Technologies
2007-03-13 01:20:11 -------- d-----w C:\Program Files\ATI Multimedia
2007-03-13 01:19:47 -------- d-----w C:\Program Files\Atari
2007-03-13 01:19:46 -------- d-----w C:\Program Files\ASUS
2007-03-13 01:19:27 -------- d-----w C:\Program Files\ArcSoft
2007-03-13 01:19:06 -------- d-----w C:\Program Files\AnalogX
2007-03-13 01:19:05 -------- d-----w C:\Program Files\Amic Games
2007-03-13 01:19:05 -------- d-----w C:\Program Files\All Video Splitter
2007-03-13 01:19:04 -------- d-----w C:\Program Files\Alcohol Soft
2007-03-13 01:19:04 -------- d-----w C:\Program Files\Ahead
2007-03-13 01:18:51 -------- d-----w C:\Program Files\Advanced CD Ripper Pro
2007-03-13 01:18:06 -------- d-----w C:\Program Files\Acronis
2007-03-13 01:18:06 -------- d-----w C:\Program Files\AC3Filter
2007-03-13 01:18:05 -------- d-----w C:\Program Files\7-Zip
2007-03-13 01:18:02 -------- d-----w C:\Program Files\321Studios
2007-03-13 00:08:39 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\vlc
2007-03-13 00:08:39 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Viewpoint
2007-03-13 00:08:39 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\VERITAS
2007-03-13 00:08:38 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\TuneUp Software
2007-03-13 00:08:38 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\The Labyrinth Plus! Edition
2007-03-13 00:08:38 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Symantec
2007-03-13 00:08:38 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Sonic
2007-03-13 00:08:38 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Real
2007-03-13 00:08:19 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Leadertech
2007-03-13 00:08:18 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Lavasoft
2007-03-13 00:08:18 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Kontiki
2007-03-13 00:08:18 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Help
2007-03-13 00:08:18 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Google
2007-03-13 00:08:08 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\GlobalSCAPE
2007-03-13 00:08:08 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\DVD Shrink 3.0
2007-03-13 00:08:07 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\CyberLink
2007-03-13 00:08:07 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Broderbund Software
2007-03-13 00:08:05 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\ArcSoft
2007-03-13 00:08:04 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Apple Computer
2007-03-13 00:08:04 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Ahead
2007-03-13 00:08:04 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\AdobeUM
2007-03-13 00:07:58 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\Absolutist.com
2007-03-13 00:07:58 -------- d-----w C:\DOCUME~1\DAVEMI~1\APPLIC~1\.BitTornado
2007-03-10 16:18:34 392,320 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-03-10 16:18:34 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-03-10 16:18:28 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-10 01:39:26 14,368 ----a-w C:\WINDOWS\system32\relog_ap.dll
2007-02-10 00:06:26 17,440 ----a-w C:\WINDOWS\system32\acrotls.dll
2007-02-09 23:49:24 206,368 ----a-w C:\WINDOWS\system32\snapapi.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02F4185D-3503-4584-B8CE-296EDA44DDFE}"="C:\WINDOWS\system32\ssqro.dll" [x]
"{3E1500AC-87A5-416b-A211-82E848649DA9}"="C:\PROGRA~1\Ofb11\Ofb11.dll" [x]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\system32\dla\tfswshx.dll"
"{66C6FA4E-6283-4920-F249-6AE337E7AD9B}"="C:\WINDOWS\system32\bagahrr.dll" [x]
"{7c1ce531-09e9-4fc5-9803-1c2956615786}"="C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar1.dll"
"{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"="C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll"
"{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}"="C:\WINDOWS\system32\dnsersnd.dll"
"{F9E5F47A-45FD-450C-91DF-81C72E1FADB0}"="C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"fbdirect"="C:\\PROGRA~1\\VISION~1\\PAPERP~1\\fbdirect.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"SManager"="smanager.7.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"ATI Launchpad"=""
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"Ruct"="\"C:\\DOCUME~1\\DAVEMI~1\\MYDOCU~1\\SSEMBL~1\\wuaclt.exe\" -vt yazb"
"Xgrn"="C:\\WINDOWS\\system32\\s?curity\\??chost.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0relog_ap\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acronis scheduler2 service
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acronistimountermonitor
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp component manager
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphmon05
C:\WINDOWS\system32\hphmon05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphupd05
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trueimagemonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PaperPort PTD"="c:\\progra~1\\vision~1\\paperp~1\\pptd40nt.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe -CheckReg"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
UxTuneUp



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7600#MY39Q331WVK3.job
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7700#MY42B220V2Q0.job
C:\WINDOWS\tasks\HP Usg Daily.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-10 15:23:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-10 15:25:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-10 15:25

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 May 2007 - 06:04 PM

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\dnsersnd.dll
    C:\WINDOWS\system32\smpi1
    C:\temp\tn3
    C:\temp\17O7



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
In that case, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log (where "********_******" is the "date_time")



Please post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts

Posted 10 May 2007 - 06:52 PM

Here are the results:

LoadLibrary failed for C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\dnsersnd.dll NOT unregistered.
C:\WINDOWS\system32\dnsersnd.dll moved successfully.
C:\WINDOWS\system32\smpi1 moved successfully.
C:\temp\tn3 moved successfully.
C:\temp\17O7 moved successfully.

Created on 05/10/2007 19:46:16


I am now going to run a new hijackthis log and post it.

#6 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts

Posted 10 May 2007 - 06:55 PM

Here's the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:13 PM, on 05/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Dave Miele\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02F4185D-3503-4584-B8CE-296EDA44DDFE} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {66C6FA4E-6283-4920-F249-6AE337E7AD9B} - C:\WINDOWS\system32\bagahrr.dll (file missing)
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ruct] "C:\DOCUME~1\DAVEMI~1\MYDOCU~1\SSEMBL~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xgrn] C:\WINDOWS\system32\s?curity\??chost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 May 2007 - 08:52 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {02F4185D-3503-4584-B8CE-296EDA44DDFE} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: (no name) - {66C6FA4E-6283-4920-F249-6AE337E7AD9B} - C:\WINDOWS\system32\bagahrr.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [Ruct] "C:\DOCUME~1\DAVEMI~1\MYDOCU~1\SSEMBL~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xgrn] C:\WINDOWS\system32\s?curity\??chost.exe



==============



Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

  • Clean out your Temporary Internet files.
    • Internet Explorer
      • Close Internet Explorer and close any instances of Windows Explorer.
      • Click Start -> Control Panel and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
    • Firefox (In case you also have Firefox installed)
      • Open Firefox and go to Tools -> Options.
      • Click Privacy in the menu on the left side of the Options window.
      • Click the Clear button located to the right of each option (History, Cookies, Cache).
      • Click OK to close the Options window.
        Alternatively, you can clear all information stored while browsing by clicking Clear All.
        A confirmation dialog box will be shown before clearing the information.
    IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning, as it may interfere with the scanning process:

  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Please post the results of the AVG Anti-Spyware scan report along with a new Hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
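The seven lines Buckeye_Sam picks out above share a few traits that a log reviewer learns to spot: an O2/O3 registration whose DLL is already gone ("(file missing)" or "(no file)"), an O4 autorun whose path contains "?" because HijackThis could not render a character in the folder name, an autorun launched from the user's own profile instead of Program Files or system32, and an executable whose name is one character off a real Windows binary (wuaclt.exe against wuauclt.exe, ??chost.exe against svchost.exe). The script below is an added example written for this page; it is not code from the thread, from HijackThis or from any tool named here. The sample lines are copied from the log djuice posted earlier; the list of imitated system binaries and the user-writable folder fragments are assumptions chosen for the example, not an exhaustive rule set.

```python
"""Triage heuristics for HijackThis-style O2/O3/O4 lines (added example)."""
import re
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the HijackThis log posted
# earlier in this thread. Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02F4185D-3503-4584-B8CE-296EDA44DDFE} - C:\WINDOWS\system32\ssqro.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Ruct] "C:\DOCUME~1\DAVEMI~1\MYDOCU~1\SSEMBL~1\wuaclt.exe" -vt yazb
O4 - HKCU\..\Run: [Xgrn] C:\WINDOWS\system32\s?curity\??chost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

# Assumption for the example: Windows binaries whose names adware imitated.
SYSTEM_BINARIES = ("svchost.exe", "wuauclt.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe")
# Assumption for the example: folder fragments marking user-writable locations.
# 8.3 short names are included because HijackThis prints the registry value as stored.
USER_WRITABLE = ("docume~1", "documents and settings", "application data",
                 "local settings", "\\temp\\")

BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1            # deletion from a
        elif len(b) > len(a):
            j += 1            # insertion into a
        else:
            i += 1            # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def lookalike(basename: str) -> Optional[str]:
    """Return the system binary this filename imitates, or None.

    '?' is treated as a single-character wildcard because HijackThis prints it
    for characters it cannot render (see the ??chost.exe entry in the log)."""
    name = basename.lower()
    for sysbin in SYSTEM_BINARIES:
        if name == sysbin:
            continue          # the genuine name; location checks handle that case
        if "?" in name:
            if fnmatch(sysbin, name):
                return sysbin
        elif edit_distance_le1(name, sysbin):
            return sysbin
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for the lines a reviewer would look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m["target"].endswith("(file missing)") or m["target"] == "(no file)":
                findings.append((m["clsid"], "registration points at a file that no longer exists"))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        name, cmd = m["name"], m["cmd"]
        exe_match = EXE_RE.match(cmd)
        exe = exe_match["exe"] if exe_match else cmd.split()[0]
        basename = exe.rsplit("\\", 1)[-1]
        if "?" in exe:
            findings.append((name, "path contains characters HijackThis could not render"))
        if any(frag in exe.lower() for frag in USER_WRITABLE):
            findings.append((name, "autorun launched from a user-writable folder"))
        target = lookalike(basename)
        if target:
            findings.append((name, f"filename imitates {target}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry}: {reason}")
```

Run against the sample, the script flags exactly the entries the helper asked to have fixed (the three orphaned O2/O3 registrations, Ruct and Xgrn) and leaves the avast!, Spybot and Google entries alone. The lookalike check deliberately ignores an exact name match, so a genuine svchost.exe is judged by where it runs from rather than by its name.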


========================================================

#8 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts

Posted 11 May 2007 - 06:47 PM

Here's the AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:34:00 PM 05/11/2007

+ Scan result:



HKU\S-1-5-21-854245398-1715567821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000049-8F91-4D9C-9573-F016E7626484} -> Adware.Isearch : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\cbxwtuu.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxxwtq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\WinZip.PRO.V10+ Keygen\WinZip 10.0 Trial Setup.exe/devenv.exe -> Backdoor.Rbot.auj : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\perfc000.dat.vir -> Backdoor.Small.os : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\CD Burning Software\Ahead.Nero.Burning.ROM.v6.3.1.6.Ultra.Edition.KeyGen.Only-ORiON.zip/keygen.exe -> Hijacker.Befins.b : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\dnsersnd.dll -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\Clone Cd 4.3.1.6 By monstersofmuli.redi.tk.rar/Clone Cd 4.3.1.6 By monstersofmuli.redi.tk\Clone Cd 4.3.1.6 by monstersofmuli.redi.tk\Keygen.exe -> Hijacker.Small.hl : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\Keyloggers\Keylogger Pro 1.3.rar/Keylogger Pro 1.3\lz040a01-2003-11-21.rar/KeyloggerPro_crked.exe -> Not-A-Virus.Monitor.Win32.KeyLoggerPro.13 : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\Password Crackers and revealers\Password Revealing Tools Windows\Password Revealing Tools Windows\Network passwords\netpass.exe -> Not-A-Virus.PSWTool.Win32.MailPassView : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\Password Crackers and revealers\RAR_Password_Cracker 4.10 CRACKED.zip/rpc.exe -> Not-A-Virus.PSWTool.Win32.RARPassCrack.a : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\winjks32.dll.vir -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\Cracks 2004\Paintshoppro8final.zip/Patcher.exe -> Trojan.Feutel.av : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\SafeLock\SafeLock_v0[1].99.18.zip/safelock0.99b18.exe -> Trojan.Feutel.av : Cleaned with backup (quarantined).
C:\Program Files\JFK Reloaded\JFK Reloaded v1.0.1 patch.exe -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Dave Miele\My Documents\Applications\Windows Xp Cracks and helpers\XPKey.exe -> Trojan.Small.edz : Cleaned with backup (quarantined).


::Report end

And here's the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:38:23 PM, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dave Miele\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - http://msx.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,167.206.245.68,167.206.245.4
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
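As an added example (not part of the thread and not part of the HijackThis tool), a small Python triage script that reads the O16/O17/O23 portion of a log in the format shown above and flags what a helper looks at first: name servers outside the expected set, DPF ActiveX downloads from unfamiliar hosts, and service entries whose binary is missing or whose owner is unknown. The sample lines, both allowlists and the placeholder GUID, host and resolver are constructed for the example.

```python
"""Triage the O16/O17/O23 tail of a HijackThis log the way a forum helper
reads it by hand: flag DNS servers that are not the expected ones, ActiveX
downloads (DPF) from unfamiliar hosts, and service entries whose binary is gone."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample in the HijackThis format (not the poster's log); the GUID
# DEADBEEF-..., the host cdn.example.invalid and resolver 198.51.100.7 are placeholders.
SAMPLE_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DEADBEEF-0000-0000-0000-000000000001} - http://cdn.example.invalid/dl/installer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{053938D8-BE0A-45A4-AAE5-D548673248E3}: NameServer = 192.168.1.1,198.51.100.7
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Allowlists are assumptions for this example: the router and ISP resolvers that
# appear in the log above, plus hosts the reviewer recognises as ActiveX sources.
KNOWN_DNS = {"192.168.1.1", "167.206.245.68", "167.206.245.4"}
KNOWN_DPF_HOSTS = {"go.microsoft.com", "download.bitdefender.com", "toolbar.google.com"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def triage(log: str) -> Dict[str, List[str]]:
    """Return findings grouped by category; an empty list means nothing to review."""
    findings: Dict[str, List[str]] = {"dns": [], "activex": [], "services": []}
    for line in log.splitlines():
        if m := O17_RE.match(line):
            # A resolver that is not the router or the ISP is a classic DNS-hijack sign
            for server in m.group("servers").split(","):
                if server not in KNOWN_DNS:
                    findings["dns"].append(server)
        elif m := O16_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if host not in KNOWN_DPF_HOSTS or not m.group("name"):
                findings["activex"].append(f"{host}: {m.group('name') or '(no name)'}")
        elif m := O23_RE.match(line):
            path = m.group("path")
            if path.endswith("(file missing)"):
                findings["services"].append(f"{m.group('svc')}: stale entry, binary missing")
            elif m.group("owner") == "Unknown owner":
                findings["services"].append(f"{m.group('svc')}: unknown owner, verify {path}")
    return findings
```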

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 May 2007 - 08:03 PM

Your log is looking pretty good.
How are things working on your end? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts

Posted 14 May 2007 - 06:31 AM

I would say about 90 percent of the adware is gone and my internet connection is much faster. I am going to run the antivirus after dinner.

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 May 2007 - 05:27 PM

You say 90% gone, so that would mean that there are at least some issues remaining with adware. Let me know what issues you are still having and we'll get you 100% clean. :thumbsup:

#12 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts

Posted 16 May 2007 - 05:59 AM

I ran Spybot (only tracking cookies were found and finally Smitfraud doesn't show up anymore), AVG (I did the fast system scan, only tracking cookies showed up), and Stinger (nothing found). I turned on the Google popup blocker and it blocked 6 popups. Only 1 got through. I will run an AVG full system scan tonight and see if anything else comes up.

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2007 - 01:35 PM

A few popups on certain sites should be expected. But if they become excessive or start to have a common message, I would be suspicious.

#14 djuice

djuice
  • Topic Starter

  • Members
  • 18 posts

Posted 18 May 2007 - 05:54 PM

OK. Thanks a lot, you've helped me out. I will donate for your help.


Thanks,

Dave

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 May 2007 - 07:46 PM

Sounds good! Let me know if you run into more problems.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

:thumbsup: :flowers:
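As an added example (not from the post above, and not Microsoft's own tooling), a Python check that reads the Internet zone values the "Make your Internet Explorer more secure" steps change and reports any that are still weaker than recommended. It assumes Microsoft's documented zone registry layout (zone 3 is the Internet zone; each named value holds 0 = Enable, 1 = Prompt, 3 = Disable) and the per-user key; when the Security_HKLM_only policy is set, the same key under HKEY_LOCAL_MACHINE applies instead.

```python
"""Check Internet Explorer's Internet zone against the hardening steps above.
Registry value names follow Microsoft's documented zone layout: zone 3 is
the Internet zone, and each value holds 0 (Enable), 1 (Prompt) or 3 (Disable)."""
from typing import Dict, List, Optional, Tuple

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# (registry value name, setting as shown in the IE dialog, recommended level)
RECOMMENDED: List[Tuple[str, str, int]] = [
    ("1001", "Download signed ActiveX controls", PROMPT),
    ("1004", "Download unsigned ActiveX controls", DISABLE),
    ("1201", "Initialize and script ActiveX controls not marked as safe", DISABLE),
    ("1800", "Installation of desktop items", PROMPT),
    ("1804", "Launching programs and files in an IFRAME", PROMPT),
    ("1607", "Navigate sub-frames across different domains", PROMPT),
]

def audit_zone(current: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per setting that is absent or weaker than recommended.
    Levels order as Enable (0) < Prompt (1) < Disable (3): a lower value is weaker."""
    findings: List[str] = []
    for name, label, wanted in RECOMMENDED:
        have = current.get(name)
        if have is None:
            findings.append(f"{label}: not set (expected {LEVEL_NAME[wanted]})")
        elif have < wanted:
            findings.append(f"{label}: {LEVEL_NAME.get(have, have)} (expected {LEVEL_NAME[wanted]})")
    return findings

def read_internet_zone() -> Dict[str, Optional[int]]:
    """Read the per-user zone values (Windows only). Assumption: the
    Security_HKLM_only policy is not set; if it is, open HKEY_LOCAL_MACHINE instead."""
    import winreg
    current: Dict[str, Optional[int]] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name, _, _ in RECOMMENDED:
            try:
                current[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                current[name] = None  # value absent: IE falls back to the zone template
    return current

if __name__ == "__main__":
    for finding in audit_zone(read_internet_zone()):
        print(finding)
```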
