Problem With Internet/network


36 replies to this topic

#1 javygirl178
  • Members
  • 31 posts

Posted 19 May 2007 - 12:05 PM

I am having a major problem... My IE 6 is so slow... it has been acting up for over a month now, and no other computer on the same network is messed up like this one... so I know it is not our internet connection or router/modem. Half of the time I try to access the internet, my browser goes to "This page cannot be displayed", and when I am able to access it, it is slower than dial-up... on high-speed wireless, I was downloading a file at 1.5 KB/s the other night... and no one else was using our bandwidth.

One other issue I'm having... I will type in google.com and it will redirect me a few times and eventually I'll land at www.google.com.org or something weird like that. Even when I type in www.google.com it does this. After a couple of times of it doing this, it will direct me properly to Google. It is just not performing like it has in the past. I have scanned for viruses, adware, spyware, etc. but nothing seems to help. It started about a month ago. I am not having any other type of computer problems, just with the internet. ANY help is greatly appreciated!! Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:51 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Quicken\qw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/kjkutie27
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/kjkutie27
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.4.105.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1149517580328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149560709281
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam5.brett-robinson.com/activ...CamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1BD251-6FAE-460C-AA08-35B86602D3F5}: NameServer = 205.152.37.23,205.152.132.23
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
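A small triage script, added here as an editorial example (it is not from the thread, from HijackThis, or from any of the tools mentioned), that parses entries in the log format above and surfaces the ones relevant to a redirect complaint: the R1 proxy setting, O16 downloaded ActiveX controls that have no recorded source or a plain-http source, the O17 NameServer entry (checked against a caller-supplied list of the resolvers the ISP or network administrator actually hands out; for the demonstration that list is simply assumed to be the two addresses in the log, which says nothing about whether they are the right ones), O18 protocol handlers whose file is gone, and O20 Winlogon Notify DLLs. The sample input is a constructed subset of the posted log; the category names are this script's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries from the posted log,
# copied as they appear there.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/kjkutie27
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChat/TLIEFlash.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1BD251-6FAE-460C-AA08-35B86602D3F5}: NameServer = 205.152.37.23,205.152.132.23
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(text):
    """Yield (kind, body) for every line that looks like a HijackThis entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body").strip()


def triage(text, expected_dns=frozenset()):
    """Return (category, detail) pairs for the entries worth a human look.

    expected_dns: resolver addresses the ISP or network admin actually hands
    out (assumed, supplied by the caller). Anything else in an O17 entry is
    reported as unverified, not as malicious.
    """
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "R1" and "Proxy" in body:
            # ProxyOverride is only a bypass list; it has an effect only
            # alongside a ProxyServer/ProxyEnable setting, so report for context.
            findings.append(("proxy-setting", body))
        elif kind == "O16":
            # "DPF: <name> - <url>": an ActiveX control IE fetched from <url>.
            entry = body.replace("DPF: ", "", 1)
            name, sep, url = entry.rpartition(" - ")
            if not sep or not url:
                findings.append(("dpf-no-source", entry))
            elif urlparse(url).scheme.lower() != "https":
                findings.append(("dpf-plain-http", entry))
        elif kind == "O17":
            unexpected = [ip for ip in IPV4_RE.findall(body) if ip not in expected_dns]
            if unexpected:
                findings.append(("dns-unverified", ",".join(unexpected)))
        elif kind == "O18" and ("(no file)" in body or "(file missing)" in body):
            findings.append(("orphan-protocol", body))
        elif kind == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; always list them.
            findings.append(("winlogon-notify", body))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG, {"205.152.37.23", "205.152.132.23"}):
        print(f"{category:16} {detail}")
```

The script deliberately reports rather than judges: an O16 entry with no source URL or an unverified O17 resolver is a question to ask (where did this come from, is that the ISP's DNS), which is the same posture the responders in this thread take before fixing anything.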

#2 Jintan
  • Malware Response Team
  • 531 posts

Posted 22 May 2007 - 08:35 AM

Howdy javygirl178,


No infection showing here. For now let's take a different look at things and review again after.

Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.
Ad eundum quo no duck ante iit

#3 javygirl178
  • Topic Starter
  • Members
  • 31 posts

Posted 24 May 2007 - 11:14 PM

Thanks for your help...here's the info requested.

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MySpaceIM" = "C:\Program Files\MySpace\IM\MySpaceIM.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"HPHUPD08" = "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" ["Hewlett-Packard"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{bf00e119-21a3-4fd1-b178-3b8537e75c92}\(Default) = "MegaIEMn"
-> {HKLM...CLSID} = "IeMonitorBho Class"
\InProcServer32\(Default) = "C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll" ["Megaupload Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Queen Rachel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Queen Rachel" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PCL Language Monitor\Driver = "hpz3l3xu.dll" ["Hewlett-Packard Company"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 54 seconds, including 19 seconds for message boxes)

#4 Jintan
  • Malware Response Team
  • 531 posts

Posted 25 May 2007 - 09:40 AM

No new infection info in that. You do have an ActiveX item whose source site is listed as not trustworthy, and some registry policy settings, though not enabled here, that are often seen when a system has undergone changes due to infection. Let's change and check more.



Download : HostsXpert, and have it ready for use.

Run HostsXpert. Press the Restore Original Hosts button and then press the OK button. This is intended to restore your original Hosts settings in case some unwanted change is involved in those site access redirects. You mention being on a network, so if your Hosts settings were made by some net administrator, be sure to check first before making these changes.



Then close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)




Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Ad eundum quo no duck ante iit
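As an added illustration of the hosts-file step above (editorial example; not part of Jintan's reply and not HostsXpert's code): a Python check that parses hosts-file text and separates sinkhole-style entries (a name pointed at 127.0.0.1 or 0.0.0.0, as ad-blockers add) from redirects (a real site pointed at some other address, the kind of unwanted change the "Restore Original Hosts" step is meant to undo), with an allowlist for entries a network administrator put there on purpose, which is the caveat Jintan raises. The sample hosts content is constructed; 203.0.113.5 is a documentation address standing in for an attacker-chosen one, and the hostnames are placeholders.

```python
import ipaddress

# Constructed sample hosts file: the Windows XP default entry plus three kinds
# of additions. The 203.0.113.5 line is a made-up redirect (TEST-NET-3 address),
# the ads.example.net line is blocklist style, the last line is malformed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ads.example.net   # blocklist-style entry
203.0.113.5     www.google.com google.com
intranet.corp.example   10.0.0.7   # hostname and address swapped
"""


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each non-comment hosts line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def classify_hosts(text, admin_entries=frozenset()):
    """Return (lineno, verdict, entry) for every mapping except bare localhost.

    verdict: 'malformed' (first field is not an IP address),
             'admin'     (address, name) pair is in the caller's allowlist,
             'sinkhole'  name points at loopback or 0.0.0.0,
             'redirect'  name points at a real address: review this one.
    """
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "malformed", f"{addr} {' '.join(names)}"))
            continue
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue  # the stock entry
            if (str(ip), name) in admin_entries:
                verdict = "admin"
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "sinkhole"
            else:
                verdict = "redirect"
            findings.append((lineno, verdict, f"{addr} {name}"))
    return findings


if __name__ == "__main__":
    # On the XP box the file would be read from
    # %SystemRoot%\system32\drivers\etc\hosts and its text passed in here.
    for lineno, verdict, entry in classify_hosts(SAMPLE_HOSTS):
        print(f"line {lineno:3} {verdict:9} {entry}")
```

Only the 'redirect' verdicts send traffic for a site somewhere else; sinkhole entries can break a page but cannot land the browser on a different site. Run this before restoring the hosts file so you know what was actually in it, and pass the administrator's entries as admin_entries on a managed network so the restore does not also remove them.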

#5 javygirl178
  • Topic Starter
  • Members
  • 31 posts

Posted 27 May 2007 - 12:20 AM

Here's the ComboFix.exe results. If you need another HJT log let me know. Thanks!


"Queen Rachel" - 2007-05-27 0:10:20 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Queen Rachel\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\NDNuninstall6_38.exe"
"C:\WINDOWS\system32\components"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-23 21:56 <DIR> d-------- C:\WINDOWS\LastGood
2007-05-23 21:56 <DIR> d-------- C:\DECCHECK
2007-05-19 00:50 218,112 --a------ C:\Analyse.exe
2007-05-18 19:24 <DIR> d-------- C:\Program Files\filesubmit
2007-05-01 23:21 10,178,560 --a------ C:\Documents and Settings\QUEENR~1\ntuser.dat
2007-05-01 23:21 10,178,560 --a------ C:\DOCUME~1\QUEENR~1\ntuser.dat
2007-04-29 17:13 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-04-29 17:13 19,200 --a------ C:\WINDOWS\system32\drivers\hidbatt.sys
2007-04-29 17:13 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 00:04:06 -------- d-----w C:\Program Files\PicSizer
2007-05-16 05:41:46 -------- d-----w C:\Program Files\ArcSoft
2007-05-08 02:53:12 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\LimeWire
2007-05-07 05:20:51 -------- d-----w C:\Program Files\XoftSpy
2007-05-07 04:50:22 -------- d-----w C:\Program Files\Xilisoft
2007-05-05 01:10:24 -------- d-----w C:\Program Files\Trillian
2007-04-16 02:39:09 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\Offline Explorer
2007-04-15 04:27:28 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\acccore
2007-04-14 20:56:56 -------- d-----w C:\Program Files\FRONTIER GROOVE
2007-04-14 20:56:55 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-14 20:54:34 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\tunebite
2007-04-14 08:01:04 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\BitTorrent
2007-04-07 07:12:43 -------- d-----w C:\Program Files\SUPERAntiSpyware
2007-04-01 20:15:50 -------- d-----w C:\Program Files\Setup Files
2007-03-30 04:09:33 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\RTPlayer
2007-03-29 12:51:40 -------- d-----w C:\Program Files\WMAConvert
2007-03-27 00:01:30 513,152 ----a-w C:\WINDOWS\system32\WmaCDriverV32.sys
2007-03-27 00:01:30 513,152 ----a-w C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
2007-03-16 10:19:23 88,340 ----a-w C:\WINDOWS\system32\cbccdfho.exe
2007-03-16 10:18:45 1,153,025 --sh--w C:\WINDOWS\system32\rqstv.bak2
2007-03-15 07:06:19 88,340 ----a-w C:\WINDOWS\system32\dncswmdh.exe
2007-03-14 06:34:18 1,126,772 --sh--w C:\WINDOWS\system32\rqstv.bak1
2007-03-14 06:24:41 6,801 --sha-w C:\WINDOWS\system32\cccdd.ini2
2007-02-27 20:24:34 69,632 ----a-w C:\WINDOWS\Shutterfly Studio Screen Saver.scr
2006-04-27 16:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-10-24 17:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 03:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-08 01:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 18:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-05-13 23:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-02-28 19:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2004-01-25 06:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}=C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll [2007-02-15 19:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 10:35]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 17:31]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-05-12 00:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-06 23:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Iomega Quick Tools NT.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Iomega Startup Options.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Slide.exe.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1149215974\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\IOMG_NT\REGISTER\remind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
"C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

*Newly Created Service* -PROCEXP90


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070527-000825-147
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab


backup-20070527-000826-368
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

backup-20070316-095348-768
O20 - Winlogon Notify: wvutuss - wvutuss.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvutuss]
"Asynchronous"=dword:00000001
"DllName"="wvutuss.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"



backup-20070316-095348-392
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000



backup-20070316-095347-521
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://online.invokesolutions.com/events/b...7207/MILive.cab


backup-20070316-095348-749
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

backup-20070316-095347-220
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - https://www.contentwatch.com/audit/includes...uditControl.cab


backup-20070316-095346-897
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

backup-20070316-095346-190
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

backup-20070316-095346-266
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab

backup-20070316-095346-262
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

backup-20070316-095346-272
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

backup-20070316-095345-990
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search

backup-20070316-095346-603
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

backup-20070316-095346-137
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

backup-20070316-095346-404
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

backup-20070316-095346-315
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

backup-20070316-095346-105
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/kjkutie27

backup-20070316-095346-500
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search

backup-20060823-090538-833
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

backup-20060823-014955-576
O20 - Winlogon Notify: h618 - C:\WINDOWS\g50296484.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\h618]
"DLLName"="C:\\WINDOWS\\g50296484.dll"
"logoff"="WACLEventLogoff"
"lock"="WACLEventLock"
"logon"="WACLEventLogon"
"startup"="WACLEventStartup"
"shutdown"="WACLEventShutdown"
"startshell"="WACLEventStartShell"
"unlock"="WACLEventUnlock"
"startscreensaver"="WACLEventStartScreenSaver"
"stopscreensaver"="WACLEventStopScreenSaver"



backup-20060823-014955-270
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

backup-20060823-014955-241
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab

backup-20060823-014955-247
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

backup-20060823-014955-578
O15 - Trusted Zone: *.elitemediagroup.net

backup-20060823-014955-380
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

backup-20060823-014955-113
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)

backup-20060823-014954-717
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g47949906.dll

backup-20060823-014954-994
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsyCF.dll

backup-20060823-014954-903
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)

backup-20060823-014954-215
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\System32\urqoomk.dll (file missing)

backup-20060823-014954-341
O2 - BHO: (no name) - {17BF287A-145D-4D41-A0D2-7F3FE2F03923} - C:\WINDOWS\System32\ddaba.dll (file missing)
********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 00:13:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 0:14:25
C:\ComboFix-quarantined-files.txt ... 2007-05-27 00:14

--- E O F ---

#6 Jintan

  • Malware Response Team
  • 531 posts

Posted 27 May 2007 - 11:24 AM

Definitely some infection aboard, though perhaps some is from an older time of infection there. Looks like you have been using HijackThis to make other changes, including removing non-infection items. Can't really recommend that, both because it was not designed as something that might provide simple views to be quickly altered, and making changes without knowing the outcomes of those may cause some serious system damage. More items to remove now though, and we'll check again after that.



Download The Avenger from here to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it, right-clicking and selecting "Copy".

Files to delete:
C:\WINDOWS\system32\cbccdfho.exe
C:\WINDOWS\system32\rqstv.bak2
C:\WINDOWS\system32\dncswmdh.exe
C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\cccdd.ini2

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (If the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.


=================================================

Once your computer has rebooted, download the trial version of AVG Anti-Spyware 7.5 from here and install it.

If you have an existing copy of Ewido (which this software replaces), agree to the uninstall notification and uninstall Ewido. Reboot after. Then click the AVG download file again to install the software. (If you have a paid version of Ewido installed, go here to follow the steps to upgrade that now.)



After installation, double-click the icon on your Desktop to launch AVG Anti-Spyware 7.5.

On the top of the main screen click Shield. Then click the word active to change it to inactive.

You will need to also update AVG Anti-Spyware 7.5 to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Now close AVG Anti-Spyware 7.5 (don't scan just yet).
--------------------------------

Then go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.



================================================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).



Make sure all windows are closed and run AVG Anti-Spyware 7.5. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.


=========================================

Reboot to normal mode, and run and post back a new ComboFix and HijackThis scan, along with the avenger.txt log and the AVG log please.
Ad eundum quo no duck ante iit
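The entries Jintan is reacting to above are HijackThis lines, and a helper's first pass over them is a set of heuristics: orphaned entries marked "(file missing)", browser helper objects with no name, sites added to the Trusted Zone, Winlogon Notify DLLs living outside System32, and per-adapter DNS servers worth confirming when the symptom is redirected lookups. The following is an added example written for this thread, not code from HijackThis or from the helpers here. The flag rules are assumptions about what a malware-response volunteer checks first, and the sample lines are constructed from the kinds of entries quoted in this thread.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread, not code from HijackThis or from the
helpers here. The rules below are assumptions about what a volunteer
looks at first; they are not categories HijackThis itself produces.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from the kinds of entries quoted in this thread
# (CLSIDs, hosts and paths as they appear in the logs above).
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g47949906.dll",
    r"O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll",
    r"O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)",
    r"O15 - Trusted Zone: *.elitemediagroup.net",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1BD251-6FAE-460C-AA08-35B86602D3F5}: NameServer = 205.152.37.23,205.152.132.23",
    r"O20 - Winlogon Notify: h618 - C:\WINDOWS\g50296484.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
])

# A Windows path ending in .dll or .exe; spaces inside the path are allowed.
_DLL_PATH = re.compile(r"([A-Z]:\\.+?\.(?:dll|exe))\b", re.IGNORECASE)
# Paths under the System32 directory, where Winlogon Notify DLLs normally live.
_SYSTEM32 = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    reason: str    # why this entry deserves a closer look
    line: str      # the original log line


def classify(line: str) -> Optional[str]:
    """Return a reason string if the line warrants review, else None."""
    if " - " not in line:
        return None
    section, rest = line.split(" - ", 1)
    section = section.strip()

    if section == "O20":
        # Winlogon Notify DLLs load at every logon/logoff; legitimate ones sit in System32.
        m = _DLL_PATH.search(rest)
        if m and not _SYSTEM32.match(m.group(1)):
            return "Winlogon Notify DLL outside System32: loaded at every logon and logoff"
    if "(file missing)" in rest:
        return "orphaned entry: the registry still references a file that is gone"
    if section == "O15":
        return "site added to the IE Trusted Zone: its content runs with reduced restrictions"
    if section == "O2" and rest.startswith("BHO: (no name)"):
        return "browser helper object with no name: legitimate add-ons normally identify themselves"
    if section == "O17":
        return "DNS servers set on an adapter: confirm they are your ISP's before trusting lookups"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the heuristics over every line and collect the entries to review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line)
        if reason:
            findings.append(Finding(line.split(" - ", 1)[0].strip(), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The rules are deliberately conservative: a match means "look here next", not "malicious", which is also how the helpers in this thread treat these entries (the O15 and O20 lines above were removed, the System32 WgaLogon entry and the named services were left alone).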

#7 javygirl178

  • Topic Starter

  • Members
  • 31 posts

Posted 29 May 2007 - 09:21 PM

Thanks so much for your continued help...here are the logs you requested.
One note...on the AVG program, I had already had the trial installed on my computer but it expired...so when I re-downloaded and installed it again, it just went straight to the free version, not allowing me to make the Shield inactive...but I did the update and scan as you asked anyway.

ComboFix
"Queen Rachel" - 2007-05-29 21:12:33 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Queen Rachel\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-29 19:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-29 19:22 <DIR> d-------- C:\DOCUME~1\QUEENR~1\APPLIC~1\DivX
2007-05-29 19:19 <DIR> d-------- C:\avenger
2007-05-29 19:12 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-29 19:12 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-29 19:12 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-29 19:12 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-05-29 19:12 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-05-29 19:12 <DIR> d-------- C:\Program Files\DivX
2007-05-27 00:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 21:56 <DIR> d-------- C:\DECCHECK
2007-05-19 00:50 218,112 --a------ C:\Analyse.exe
2007-05-18 19:24 <DIR> d-------- C:\Program Files\filesubmit
2007-05-11 11:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-10 22:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-10 22:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-10 22:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-10 22:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-01 23:21 10,178,560 --a------ C:\Documents and Settings\QUEENR~1\ntuser.dat
2007-05-01 23:21 10,178,560 --a------ C:\DOCUME~1\QUEENR~1\ntuser.dat
2007-04-29 17:13 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-04-29 17:13 19,200 --a------ C:\WINDOWS\system32\drivers\hidbatt.sys
2007-04-29 17:13 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 23:17:07 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\LimeWire
2007-05-27 20:21:29 -------- d-----w C:\Program Files\PicSizer
2007-05-16 05:41:46 -------- d-----w C:\Program Files\ArcSoft
2007-05-07 05:20:51 -------- d-----w C:\Program Files\XoftSpy
2007-05-07 04:50:22 -------- d-----w C:\Program Files\Xilisoft
2007-05-05 01:10:24 -------- d-----w C:\Program Files\Trillian
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-16 02:39:09 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\Offline Explorer
2007-04-15 04:27:28 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\acccore
2007-04-14 20:56:56 -------- d-----w C:\Program Files\FRONTIER GROOVE
2007-04-14 20:56:55 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-14 20:54:34 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\tunebite
2007-04-14 08:01:04 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\BitTorrent
2007-04-07 07:12:43 -------- d-----w C:\Program Files\SUPERAntiSpyware
2007-04-01 20:15:50 -------- d-----w C:\Program Files\Setup Files
2007-03-30 04:09:33 -------- d-----w C:\DOCUME~1\QUEENR~1\APPLIC~1\RTPlayer
2007-03-29 12:51:40 -------- d-----w C:\Program Files\WMAConvert
2007-03-27 00:01:30 513,152 ----a-w C:\WINDOWS\system32\WmaCDriverV32.sys
2006-04-27 16:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-10-24 17:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 03:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-08 01:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 18:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 21:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-05-13 23:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-02-28 19:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 06:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2004-01-25 06:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}=C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll [2007-02-15 19:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 10:35]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 08:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Iomega Quick Tools NT.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Iomega Startup Options.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Slide.exe.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1149215974\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\IOMG_NT\REGISTER\remind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
"C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet


********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 21:15:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 21:16:04
C:\ComboFix-quarantined-files.txt ... 2007-05-27 00:14
C:\ComboFix2.txt ... 2007-05-27 00:14

--- E O F ---


HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 9:17:06 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/kjkutie27
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.4.105.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149517580328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149560709281
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam5.brett-robinson.com/activex/AxisCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1BD251-6FAE-460C-AA08-35B86602D3F5}: NameServer = 205.152.37.23,205.152.132.23
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



Avenger.txt
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wmwxbyfj

*******************

Script file located at: \??\C:\WINDOWS\system32\bxnbqibg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\cbccdfho.exe deleted successfully.
File C:\WINDOWS\system32\rqstv.bak2 deleted successfully.
File C:\WINDOWS\system32\dncswmdh.exe deleted successfully.
File C:\WINDOWS\system32\rqstv.bak1 deleted successfully.
File C:\WINDOWS\system32\cccdd.ini2 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


AVG log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:03:48 PM 5/29/2007

+ Scan result:



C:\Program Files\filesubmit\NNWDAC638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP45\A0005654.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP63\A0008700.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP45\A0005653.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

#8 Jintan

  • Malware Response Team
  • 531 posts

Posted 29 May 2007 - 11:09 PM

A bit more with AVG locating and removing some NewDotNet infection files, but no clear items suggesting your net problems.


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.


1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, it will create two text files - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized on your Taskbar.
4. Copy/paste both logs back here please (they will also be located at C:\Deckard\System Scanner).

Make sure you notice the extra.txt second log that will show as minimized on your Task Bar, "Maximize" that and be sure to paste those contents here as well.
Ad eundum quo no duck ante iit

#9 javygirl178

  • Topic Starter

  • Members
  • 31 posts

Posted 30 May 2007 - 06:12 PM

MAIN TXT:
Deckard's System Scanner v20070426.43
Run by Queen Rachel on 2007-05-30 at 18:06:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
67: 2007-05-31 00:06:39 UTC - RP68 - Deckard's System Scanner Restore Point
66: 2007-05-30 21:10:05 UTC - RP67 - System Checkpoint
65: 2007-05-29 20:52:18 UTC - RP66 - System Checkpoint
64: 2007-05-28 19:52:19 UTC - RP65 - System Checkpoint
63: 2007-05-27 19:23:04 UTC - RP64 - System Checkpoint


-- First Restore Point --
1: 2007-03-16 05:13:12 UTC - RP2 - Spyware/Malware removal 31507


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Queen Rachel.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:07:32 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Queen Rachel\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Queen Rachel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/kjkutie27
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.4.105.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149517580328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149560709281
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam5.brett-robinson.com/activex/AxisCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat2.j2.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1BD251-6FAE-460C-AA08-35B86602D3F5}: NameServer = 205.152.37.23,205.152.132.23
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20060823-014954-215 O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\System32\urqoomk.dll (file missing)
backup-20060823-014954-341 O2 - BHO: (no name) - {17BF287A-145D-4D41-A0D2-7F3FE2F03923} - C:\WINDOWS\System32\ddaba.dll (file missing)
backup-20060823-014954-717 O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g47949906.dll
backup-20060823-014954-903 O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
backup-20060823-014954-994 O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsyCF.dll
backup-20060823-014955-113 O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
backup-20060823-014955-241 O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
backup-20060823-014955-247 O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
backup-20060823-014955-270 O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
backup-20060823-014955-380 O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
backup-20060823-014955-576 O20 - Winlogon Notify: h618 - C:\WINDOWS\g50296484.dll (file missing)
backup-20060823-014955-578 O15 - Trusted Zone: *.elitemediagroup.net
backup-20060823-090538-833 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20070316-095345-990 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
backup-20070316-095346-105 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/kjkutie27
backup-20070316-095346-137 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070316-095346-190 O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
backup-20070316-095346-262 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20070316-095346-266 O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
backup-20070316-095346-272 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20070316-095346-315 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070316-095346-404 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20070316-095346-500 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
backup-20070316-095346-603 O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
backup-20070316-095346-897 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20070316-095347-220 O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - https://www.contentwatch.com/audit/includes...uditControl.cab
backup-20070316-095347-521 O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://online.invokesolutions.com/events/b...7207/MILive.cab
backup-20070316-095348-392 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
backup-20070316-095348-749 O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
backup-20070316-095348-768 O20 - Winlogon Notify: wvutuss - wvutuss.dll (file missing)
backup-20070527-000825-147 O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
backup-20070527-000826-368 O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 WmaCDriverV32 - c:\windows\system32\drivers\wmacdriverv32.sys <Not Verified; Windows ® 2000/XP; Windows ® 2000/XP Driver>

S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
S3 FTDIBUS (USB Serial Converter Driver) - c:\windows\system32\drivers\ftdibus.sys <Not Verified; FTDI Ltd.; FTDIChip VCP Driver>
S3 FTSER2K (USB Serial Port Driver) - c:\windows\system32\drivers\ftser2k.sys <Not Verified; FTDI Ltd.; FTDIChip VCP Driver>
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys <Not Verified; RapidSolution Software AG; Tunebite High-Speed Dubbing>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Files created between 2007-04-30 and 2007-05-30 -----------------------------

2007-05-29 23:43:58 0 d-------- C:\Program Files\ImTOO
2007-05-29 19:22:20 0 d-------- C:\Documents and Settings\Queen Rachel\Application Data\DivX
2007-05-29 19:19:28 0 d-------- C:\avenger
2007-05-29 19:12:14 0 d-------- C:\Program Files\DivX
2007-05-23 21:56:00 0 d-------- C:\DECCHECK
2007-05-19 00:50:45 218112 --a------ C:\Analyse.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2007-05-18 19:24:57 0 d-------- C:\Program Files\filesubmit
2007-05-11 11:54:15 524288 --a------ C:\WINDOWS\system32\DivXsm.exe <Not Verified; DivX Inc.; DivX Inc. divxsm>
2007-05-10 22:37:15 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-10 22:37:15 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-10 22:37:15 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-10 22:37:15 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-01 23:21:49 10178560 --a------ C:\Documents and Settings\Queen Rachel\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2007-05-27 17:17:07 0 d-------- C:\Documents and Settings\Queen Rachel\Application Data\LimeWire
2007-05-27 14:21:29 0 d-------- C:\Program Files\PicSizer
2007-05-27 00:40:03 139 ---hs---- C:\Documents and Settings\Queen Rachel\Application Data\.zreglib
2007-05-15 23:41:46 0 d-------- C:\Program Files\ArcSoft
2007-05-06 23:20:51 0 d-------- C:\Program Files\XoftSpy
2007-05-06 22:50:22 0 d-------- C:\Program Files\Xilisoft
2007-05-05 14:07:07 276040 --a------ C:\amt1
2007-05-04 19:10:24 0 d-------- C:\Program Files\Trillian
2007-04-22 18:15:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-04-22 18:15:18 200704 --a------ C:\WINDOWS\system32\ssldivx.dll <Not Verified; The OpenSSL Project, http://www.openssl.org/; The OpenSSL Toolkit>
2007-04-22 18:15:18 1044480 --a------ C:\WINDOWS\system32\libdivx.dll <Not Verified; The OpenSSL Project, http://www.openssl.org/; The OpenSSL Toolkit>
2007-04-22 18:02:34 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-04-22 18:02:34 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-04-22 18:02:33 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll <Not Verified; DivXNetworks; DivXNetworks dpuGUI10>
2007-04-22 18:02:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll <Not Verified; DivXNetworks; DivXNetworks dpv11>
2007-04-22 18:02:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll <Not Verified; DivXNetworks; DivXNetworks dpus11>
2007-04-22 18:02:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll <Not Verified; DivXNetworks; DivXNetworks dpuGUI11>
2007-04-22 18:02:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll <Not Verified; DivXNetworks; DivXNetworks dpu11>
2007-04-22 18:02:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll <Not Verified; DivXNetworks; DivXNetworks dpu11>
2007-04-22 18:01:47 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-15 20:39:09 0 d-------- C:\Documents and Settings\Queen Rachel\Application Data\Offline Explorer
2007-04-14 22:27:28 0 d-------- C:\Documents and Settings\Queen Rachel\Application Data\acccore
2007-04-14 22:25:33 0 d-------- C:\Documents and Settings\Queen Rachel\Application Data\Mozilla
2007-04-14 14:56:56 0 d-------- C:\Program Files\FRONTIER GROOVE
2007-04-14 14:56:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-14 14:54:34 0 d-------- C:\Documents and Settings\Queen Rachel\Application Data\tunebite
2007-04-14 02:01:04 0 d-------- C:\Documents and Settings\Queen Rachel\Application Data\BitTorrent
2007-04-07 01:12:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-04-01 14:15:50 0 d-------- C:\Program Files\Setup Files
2007-03-26 18:01:30 513152 --a------ C:\WINDOWS\system32\WmaCDriverV32.sys <Not Verified; Windows ® 2000/XP; Windows ® 2000/XP Driver>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{bf00e119-21a3-4fd1-b178-3b8537e75c92} C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"ShutterflyStudio"="C:\\Program Files\\Shutterfly\\Studio\\BIN\\SFlyStudio.exe /trayonly"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Iomega Quick Tools NT.lnk]
"location"="Startup"
"item"="Iomega Quick Tools NT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Iomega Startup Options.lnk]
"location"="Startup"
"item"="Iomega Startup Options"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Queen Rachel^Start Menu^Programs^Startup^Slide.exe.lnk]
"location"="Startup"
"item"="Slide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKCU"
"command"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1149215974\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="remind"
"hkey"="HKCU"
"command"=" C:\\IOMG_NT\\REGISTER\\remind.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TotRecSched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-30 at 18:08:23 ---------



EXTRA TXT:
Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 1023 MiB / 656.13 MiB
Pagefile Memory (total/avail): 2464.07 MiB / 2134.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1974.3 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.83 GiB total, 16.79 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (Unformatted)
G: is Removable (FAT)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG 7.5.472 v7.5.472 (GRISOFT)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Queen Rachel\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TMALMEIDA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Queen Rachel
LOGONSERVER=\\TMALMEIDA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\QUEENR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\QUEENR~1\LOCALS~1\Temp
USERDOMAIN=TMALMEIDA
USERNAME=Queen Rachel
USERPROFILE=C:\Documents and Settings\Queen Rachel
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Queen Rachel (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11E83B33-972B-4512-A447-FF0FD0246EE9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21B6F79B-2286-4BB0-B1E3-BA6B9498D110}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BFBC62A-3353-443D-93BE-7AC641D9F342}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D1A81AA-ED90-11D6-86D3-00055DF3561E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B100B05B-E290-41EF-9366-8BC4C76D7769}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3568156-59C3-42DF-A520-2C25B6706C91}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AQUAZONE "Virtual Aquarium Collection" --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6A9D7C4-1E5B-42FD-98F5-E067A942AEE1}\Setup.exe" -l0x9
ArcSoft Camera Studio --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Camera Studio\Uninst.isu"
ArcSoft ShowBiz 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{791B20D4-AE59-4DE9-B45F-BA01F3D0A493}\Setup.exe" -l0x9
ASAP Utilities --> "C:\Program Files\ASAP Utilities\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
bambi4444.zip --> C:\PROGRA~1\FILESU~1\BAMBI4~1.ZIP\UNWISE.EXE C:\PROGRA~1\FILESU~1\BAMBI4~1.ZIP\INSTALL.LOG
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
BitTorrent 4.26.0 --> "C:\Program Files\BitTorrent\uninstall.exe"
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Collage Maker 2.03 --> C:\PROGRA~1\COLLAG~1\Setup.exe /remove
Cool Edit Pro 2.0 --> C:\Program Files\coolpro2\cep2unin.exe
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Vision M --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC3065BF-95B4-42C5-B47D-0B713CDA75D0}\SETUP.EXE" -l0x9 /remove
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX to DVD Converter --> C:\Program Files\ImTOO\DivX to DVD Converter\Uninstall.exe
EPSON Copy Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F9F3775-7E5B-4028-B5E5-DA1C042517A8}\setup.exe" -l0x9 MyUninstall
EPSON Scan --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0131B2-CF18-40D9-A331-60A3746C1204}\SETUP.EXE" -l0x9 UNINSTALL
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\SETUP.EXE" -l0x9 Uninstall
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
File Scavenger 3.0 --> "C:\Program Files\File Scavenger 3.0\unins000.exe"
FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe"
FTDI USB Serial Converter Drivers --> C:\WINDOWS\System32\ftdiunin.exe C:\WINDOWS\System32\ftdiun2k.ini
HP DC3000 --> MsiExec.exe /I{F6B252D4-39FF-4A76-8E34-DF86DB0C5149}
HP DVD Movie Writer --> "C:\Program Files\HP DVD\Support\Uninstall.exe" /UNINSTALL
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Lexmark Z600 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\LimeWire 4.0.8\uninstall.exe"
MA101 USB Adapter Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B46834CC-141E-11D5-A76F-0030AB007078}\SetUp.EXE"
Mega Manager --> C:\Program Files\InstallShield Installation Information\{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
MP3 To Ringtone Gold 3.16 --> "C:\Program Files\AnMing\unins000.exe"
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
NCR Label Formats for MS Word Setup --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NCR Media Formats\Uninst.isu"
Nero 6 Enterprise Edition --> C:\Program Files\Nero\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 3 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
Personal ImageManager --> C:\PROGRA~1\ALLUME~1\PERSON~1\Setup.exe /remove
PicSizer --> C:\WINDOWS\unvise32.exe C:\Program Files\PicSizer\uninstal.log
Pop-Up Stopper Free Edition --> C:\PROGRA~1\PANICW~1\POP-UP~1\UNWISE.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\INSTALL.LOG
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SDP Downloader --> C:\WINDOWS\uninst.exe -f"C:\Program Files\SDP\SDP Downloader\DeIsL1.isu" -c"C:\Program Files\SDP\SDP Downloader\_ISREG32.DLL"
Shutterfly Studio --> C:\Program Files\Shutterfly\Studio\SFlyStudioUninstall.exe
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPER © Version 2006.19 (FIX) --> C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Total Recorder 6.0 --> "C:\Program Files\HighCriteria\TotalRecorder\setup.exe" U
USB 2.0 Single Slot Reader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AE6DBEA8-CD29-11D7-9A01-AFACDE407D23}\Setup.exe" -l0x9
VGA Dual Camera --> MsiExec.exe /X{44E75850-B838-43D2-8F37-84D3FB71FF6E}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WMAConvert 2.2.7 --> "C:\Program Files\WMAConvert\unins000.exe"
XoftSpy --> C:\Program Files\XoftSpy\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zoo Tycoon: Complete Collection --> "C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove


-- End of Deckard's System Scanner: finished at 2007-05-30 at 18:08:23 ---------

#10 Jintan (Malware Response Team, 531 posts)

Posted 31 May 2007 - 12:39 PM

Not much new there. Let's check something - open Internet Explorer and clear the address bar. Then type google by itself, so only google shows in the address bar (no www prefix or .com suffix). Then at one time press Ctrl - Alt - Shift. This will complete the address you typed to whatever is currently set there - copy/paste here what it changes google to.
Ad eundum quo no duck ante iit

#11 javygirl178 (Topic Starter, Members, 31 posts)

Posted 31 May 2007 - 06:41 PM

It didn't do anything. I typed google by itself and pressed those 3 keys and it just kept google up there.

#12 Jintan (Malware Response Team, 531 posts)

Posted 31 May 2007 - 10:31 PM

Try Ctrl - Alt - Enter, and see what that defaults to. Again only type the single word entry.
Ad eundum quo no duck ante iit

#13 javygirl178 (Topic Starter, Members, 31 posts)

Posted 03 June 2007 - 08:50 PM

When I used CTRL ALT ENTER, it directed me to this site and displayed this in the address bar:

http://search.msn.com/results.aspx?srch=10...S5&q=google

#14 Jintan (Malware Response Team, 531 posts)

Posted 03 June 2007 - 09:14 PM

Given the level of past Vundo activity there, and the files located more recently, it's best if we run a scan particular to that type of infection. Let's also see about restoring some of the defaults in IE to see if that can be corrected.


Go here and download and run the IEfix.


Then disable your antivirus program and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.
Ad eundum quo no duck ante iit

#15 javygirl178 (Topic Starter, Members, 31 posts)

Posted 04 June 2007 - 10:34 PM

Ok, it found a bunch of junk in there...here's the html result file. Also, on the IEFix thing, it kept saying it couldn't find some files to copy from or to and to insert the XP SP2 cd, but I don't have a CD for that because I just did the windows update thing...so I had to skip those files. I can rerun it if I need to but I don't know how to find those files.

Anyway, here's the BitDefender results:

BitDefender Online Scanner

Scan report generated at: Mon, Jun 04, 2007 - 22:20:30

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;

Statistics
Time: 01:12:16
Files: 266549
Folders: 5276
Boot Sectors: 3
Archives: 2471
Packed Files: 9711

Results
Identified Viruses: 15
Infected Files: 30
Suspect Files: 1
Warnings: 0
Disinfected: 0
Deleted Files: 35

Engines Info
Virus Definitions: 511831
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\$VAULT$.AVG\15591109.FIL
Suspected of: Trojan.Downloader.Small.BCB

C:\$VAULT$.AVG\15591109.FIL
Disinfection failed

C:\$VAULT$.AVG\15591109.FIL
Deleted

C:\$VAULT$.AVG\30653110.FIL
Infected with: Trojan.Dropper.Klone.B

C:\$VAULT$.AVG\30653110.FIL
Disinfection failed

C:\$VAULT$.AVG\30653110.FIL
Deleted

C:\$VAULT$.AVG\30653235.FIL
Infected with: Trojan.Dropper.Klone.B

C:\$VAULT$.AVG\30653235.FIL
Disinfection failed

C:\$VAULT$.AVG\30653235.FIL
Deleted

C:\avenger\backup.zip=>avenger/cbccdfho.exe
Infected with: Trojan.Agent.ACL

C:\avenger\backup.zip=>avenger/cbccdfho.exe
Disinfection failed

C:\avenger\backup.zip=>avenger/cbccdfho.exe
Deleted

C:\avenger\backup.zip
Updated

C:\avenger\backup.zip=>avenger/dncswmdh.exe
Infected with: Trojan.Agent.ACL

C:\avenger\backup.zip=>avenger/dncswmdh.exe
Disinfection failed

C:\avenger\backup.zip=>avenger/dncswmdh.exe
Deleted

C:\avenger\backup.zip
Updated

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\2FUBIVW3\easyxxx[1].js
Detected with: Application.JS.ForcePopup.I

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\2FUBIVW3\easyxxx[1].js
Disinfection failed

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\2FUBIVW3\easyxxx[1].js
Deleted

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\41E9YZI1\popup[1].htm
Infected with: Trojan.Clicker.CM

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\41E9YZI1\popup[1].htm
Disinfection failed

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\41E9YZI1\popup[1].htm
Deleted

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\YZIVQ3AZ\popup[1].htm
Infected with: Trojan.Clicker.CM

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\YZIVQ3AZ\popup[1].htm
Disinfection failed

C:\Documents and Settings\Queen Rachel\Local Settings\Temporary Internet Files\Content.IE5\YZIVQ3AZ\popup[1].htm
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE g)
Infected with: Trojan.Obfus.Gen

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 2g)
Infected with: Trojan.Starter.V

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 2g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 2g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 3g)
Infected with: Trojan.Klone.A

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 3g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 3g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 4g)
Infected with: Generic.Zlob.8E129D32

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 4g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 4g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 5g)
Infected with: Trojan.Downloader.Zlob.TZ

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 5g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 5g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 6g)
Infected with: Trojan.Obfus.Gen

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 6g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 6g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 7g)
Infected with: Trojan.Obfus.Gen

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 7g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy=>(Embedded EXE 7g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-08-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE g)
Infected with: Generic.Zlob.C69CF8EE

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE 2g)
Infected with: Generic.Zlob.453F4D9C

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE 2g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE 2g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE 3g)
Infected with: Generic.Zlob.35FC4A24

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE 3g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy=>(Embedded EXE 3g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine18-08-2006-21-19-15.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE g)
Infected with: Trojan.Obfus.Gen

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE 2g)
Infected with: Trojan.Starter.V

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE 2g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE 2g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE 3g)
Infected with: Trojan.Downloader.VB.TS

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE 3g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy=>(Embedded EXE 3g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine19-08-2006-10-38-42.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine25-02-2007-23-29-38.xpy=>(Embedded EXE g)
Infected with: Trojan.Agent.ACL

C:\Program Files\XoftSpy\Quarantine\Quarantine25-02-2007-23-29-38.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine25-02-2007-23-29-38.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine25-02-2007-23-29-38.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-47-34.xpy=>(Embedded EXE g)
Infected with: Generic.Zlob.9415E5AB

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-47-34.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-47-34.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-47-34.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy=>(Embedded EXE g)
Infected with: DeepScan:Generic.Zlob.B8426A98

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy=>(Embedded EXE 2g)
Infected with: Trojan.Downloader.Zlob.QB

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy=>(Embedded EXE 2g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy=>(Embedded EXE 2g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine30-06-2006-02-53-03.xpy
Update failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP37\A0003250.exe=>wise0017
Detected with: Application.Adware.NewDotNet.B.Dropper

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP37\A0003250.exe=>wise0017
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP37\A0003250.exe
Update failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP37\A0003250.exe=>wise0018=>(CAB Sfx r)=>VVSN.exe
Infected with: Generic.Adw.SaveNow.56AD4696

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP37\A0003250.exe=>wise0018=>(CAB Sfx r)=>VVSN.exe
Disinfection failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP37\A0003250.exe=>wise0018=>(CAB Sfx r)=>VVSN.exe
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP37\A0003250.exe=>wise0018=>(CAB Sfx r)
Update failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP60\A0008488.exe=>wise0015
Detected with: Application.Adware.NewDotNet.B.Dropper

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP60\A0008488.exe=>wise0015
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP60\A0008488.exe
Update failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP60\A0008488.exe=>wise0016=>(CAB Sfx r)=>VVSN.exe
Infected with: Generic.Adw.SaveNow.56AD4696

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP60\A0008488.exe=>wise0016=>(CAB Sfx r)=>VVSN.exe
Disinfection failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP60\A0008488.exe=>wise0016=>(CAB Sfx r)=>VVSN.exe
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP60\A0008488.exe=>wise0016=>(CAB Sfx r)
Update failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0008830.exe
Infected with: Trojan.Agent.ACL

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0008830.exe
Disinfection failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0008830.exe
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0008831.exe
Infected with: Trojan.Agent.ACL

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0008831.exe
Disinfection failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0008831.exe
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0010849.EXE
Detected with: Application.Adware.NewDotNet.B.Dropper

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP66\A0010849.EXE
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP69\A0012031.exe=>(CAB Sfx r)=>VVSN.exe
Infected with: Generic.Adw.SaveNow.56AD4696

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP69\A0012031.exe=>(CAB Sfx r)=>VVSN.exe
Disinfection failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP69\A0012031.exe=>(CAB Sfx r)=>VVSN.exe
Deleted

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP69\A0012031.exe=>(CAB Sfx r)
Update failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP73\A0012294.exe
Infected with: Trojan.Patch.F

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP73\A0012294.exe
Disinfection failed

C:\System Volume Information\_restore{EEB7E670-AF2D-4387-9E9C-C44F58775A17}\RP73\A0012294.exe
Deleted

C:\WINDOWS\system32\jucrevty.exe
Infected with: Trojan.Agent.ACL

C:\WINDOWS\system32\jucrevty.exe
Disinfection failed

C:\WINDOWS\system32\jucrevty.exe
Deleted



