Infected With Worm_rontkbr.gen & Win32/marketscore.b

8 replies to this topic

#1 klynne66

klynne66

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 01 July 2007 - 09:13 PM

I followed the "Prep Guide For Use Before Posting HijackThis Log" step by step and the following infections were detected on my system:

WORM_RONTKBR.GEN
Win32/Marketscore.B
Win32/WhenU.SaveNow
Win32/NewDotNet
Win32/SoundSnooper
application/myway
application/MyWay
Cookie/Com.com
Adware/ActiveSearch
Adware/KeenValue
Adware/WhenUSearch
Adware_BHO_MySearch
Adware_MediaForge
Adware/NaviPromo
Malware Generic
Spyware_KEYL_Astlog
TSPY_Delf
WORM_RONTKBR.GEN
TROJ_OBFUSCAT

I deleted the files that all the software mentioned in the guide reported as infected, even though some were said to have been removed successfully by the program(s).

(FYI: I'm not new to computers, so it's not as if I blindly start deleting things I'm not supposed to.)

Anyway, my registry appears to be hijacked by who or what I don't know. I found a lot of my apps have had "dummies" created, so I'm not even in control anymore. My display at times just doesn't look normal, fonts are just a bit different, and also the behavior of opening windows and such sometimes appears to be being drawn. I hope I'm describing it well enough. I've been working on this for the last few days, so please bear with me.

My options/preferences that I choose automatically get changed to benefit who- or whatever is doing this, and if this helps, I found a name that I kept coming across as the "owner" of a lot of the software I have installed that I know darn well it wasn't when installed, and it is "Borland/Delphi/RTL". Anyone familiar with this?

Also, added to my desktop is "My Network Places" > "Entire Network" > "Microsoft Windows Network" > "Mshome" > (Empty). I did not do this and it won't let me move it, delete it, nothing.

I am submitting my HijackThis Log and if anyone out there can instruct me on how to clean this mess up I would be wholeheartedly forever grateful. Thanks in advance for your time.



Logfile of HijackThis v1.99.1
Scan saved at 9:05:20 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.keithurbanfans.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O8 - Extra context menu item: Download FLV files in this page with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadFLV.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Search Current News - file://\program files\powershell-xp3\search5.htm
O8 - Extra context menu item: Search Encyclopedia - file://\program files\powershell-xp3\search4.htm
O8 - Extra context menu item: Search for Images - file://\program files\powershell-xp3\search3.htm
O8 - Extra context menu item: Search Newsgroups - file://\program files\powershell-xp3\search2.htm
O8 - Extra context menu item: Search the Web - file://\program files\powershell-xp3\search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendsecure.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Edited by klynne66, 01 July 2007 - 10:59 PM.




#2 klynne66

klynne66
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 02 July 2007 - 09:50 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:48:23 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.keithurbanfans.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O8 - Extra context menu item: Download FLV files in this page with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadFLV.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Search Current News - file://\program files\powershell-xp3\search5.htm
O8 - Extra context menu item: Search Encyclopedia - file://\program files\powershell-xp3\search4.htm
O8 - Extra context menu item: Search for Images - file://\program files\powershell-xp3\search3.htm
O8 - Extra context menu item: Search Newsgroups - file://\program files\powershell-xp3\search2.htm
O8 - Extra context menu item: Search the Web - file://\program files\powershell-xp3\search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendsecure.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
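
The HijackThis logs in this thread share one line format: a section tag (R0, O2, O10, O23 ...), a dash, then the entry. As an added example that is not part of this thread and not HijackThis's own code, here is a small Python parser for that format which also pulls out the entries a helper would triage first: orphaned "(no file)"/"(file missing)" entries, repeated O10 LSP lines, Trusted Zone additions, AppInit_DLLs, O16 controls that fetch an .exe, and services with an unknown owner. The SAMPLE log is a constructed excerpt built from lines in the posted logs, and the triage rules are my own heuristics, not HijackThis's.

```python
"""Parse a HijackThis log (the format posted in this thread) and list the
entries a malware-removal helper would triage first. Added example: this is
neither HijackThis code nor part of the thread. SAMPLE is a constructed
excerpt assembled from lines in the posted logs."""
import re
from collections import Counter
from urllib.parse import urlparse

SAMPLE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:05:20 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.keithurbanfans.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
"""

# Every entry line is "<tag> - <body>", where the tag is R<digit> or O<number>.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Host of the IE default pages seen in the posted logs (assumption: treat
# anything else as user- or malware-set and worth confirming).
MS_DEFAULT_HOST = "go.microsoft.com"


def parse_hjt(text):
    """Split a log into (header lines, running processes, [(tag, body), ...])."""
    header, processes, entries = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif not entries:
            header.append(line)       # version / scan time / platform lines
    return header, processes, entries


def triage(entries):
    """Return [(tag, note), ...] for the entries worth a second look."""
    notes = []
    # O10: HJT prints one line per Winsock catalog entry, so one unknown DLL
    # that registers for several protocols repeats; count instead of re-listing.
    for body, n in Counter(b for t, b in entries if t == "O10").items():
        notes.append(("O10", f"LSP DLL in {n} catalog entries, verify publisher: {body}"))
    for tag, body in entries:
        if "(file missing)" in body or "(no file)" in body:
            notes.append((tag, "orphaned entry, safe to fix: " + body))
        elif tag in ("R0", "R1"):
            url = body.partition("=")[2].strip()   # empty for "Local Page ="
            if url and urlparse(url).hostname != MS_DEFAULT_HOST:
                notes.append((tag, "non-default IE page, confirm with user: " + url))
        elif tag == "O15":
            notes.append((tag, "site gets Trusted Zone privileges: " + body.split(": ", 1)[1]))
        elif tag == "O16" and body.lower().endswith(".exe"):
            notes.append((tag, "ActiveX DPF that fetches an .exe: " + body))
        elif tag == "O20" and body.startswith("AppInit_DLLs"):
            notes.append((tag, "DLL loaded into every process that loads user32: " + body))
        elif tag == "O23" and "Unknown owner" in body:
            notes.append((tag, "service without a known publisher: " + body))
    return notes


def triage_text(text):
    """Convenience wrapper: parse a whole log, then triage its entries."""
    return triage(parse_hjt(text)[2])


if __name__ == "__main__":
    for tag, note in triage_text(SAMPLE):
        print(f"{tag:4} {note}")
```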

#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,583 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:11 AM

Posted 11 July 2007 - 09:18 PM

Hi klynne66,

Our apologies for the delay. If you still need help, please post a new log so I can see if anything has changed. If you have not done so already, please do the initial cleanup steps in the following instructions before posting your new log: Preparation Guide For Use Before Posting A Hijackthis Log

A new version of HijackThis has now been released, so before you repost your log please download and install the new version. In order to get some additional information please do this in the following way:

1. Open Add or Remove Programs via Control Panel and uninstall HijackThis 1.99.1
2. Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges and it is best to run DSS from your Desktop.
3. Close all applications and windows.
4. Double-click on dss.exe to run it, and OK the disclaimer.
5. When the screen in the image below appears, click Yes and follow the prompts to download the new version of HijackThis. Please tell your firewall to allow this download.

Posted Image

Note that a shortcut to HijackThis will appear on your desktop and you can run it from there when asked for a follow up log.

6. DSS will now scan your computer. If you get a warning from your anti-virus, please allow it as the scan is not harmful.
7. When complete, two text files will open: main.txt (which will include a HijackThis log; this one will be maximized) and extra.txt (this one will be minimized).
8. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#4 klynne66

klynne66
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 13 July 2007 - 03:38 AM

Thanks for getting back to me. I'm currently following your instructions, so please don't delete me. My computer is real slow, so it'll take some time. Thanks again.

#5 klynne66

klynne66
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:11 AM

Posted 13 July 2007 - 09:59 AM

After copying and pasting both txt files, a message from Grinler popped up telling me I was using the beta version and to download the new version, so I did, and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:26 AM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\PortReporter\portreporter.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Klynne.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O8 - Extra context menu item: Download FLV files in this page with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadFLV.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Search Current News - file://\program files\powershell-xp3\search5.htm
O8 - Extra context menu item: Search Encyclopedia - file://\program files\powershell-xp3\search4.htm
O8 - Extra context menu item: Search for Images - file://\program files\powershell-xp3\search3.htm
O8 - Extra context menu item: Search Newsgroups - file://\program files\powershell-xp3\search2.htm
O8 - Extra context menu item: Search the Web - file://\program files\powershell-xp3\search.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendsecure.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7540 bytes

#6 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 13 July 2007 - 10:22 AM

After copying and pasting both txt files, a message from Grinler popped up telling me I was using the beta version and to download the new version.

Hmm, it shouldn't have done that. Could you do me a favor and click on my user name toward the top left of this post and choose Send Message. Copy and paste the two logs from DSS into the message and send it to me please.

In the meantime I'll be looking over the new HJT log, but I want to see the more extensive information from the DSS scans and will post them for you.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#7 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 13 July 2007 - 12:14 PM

OK, here are the logs sent via PM--if this gets posted I will edit in some comments at the end of this post:

Deckard's System Scanner v20070711.54
Run by Klynne on 2007-07-13 at 09:28:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
38: 2007-07-13 14:28:41 UTC - RP41 - Deckard's System Scanner Restore Point
37: 2007-07-13 06:14:06 UTC - RP40 - Software Distribution Service 3.0
36: 2007-07-12 17:11:54 UTC - RP39 - System Checkpoint
35: 2007-07-09 21:34:46 UTC - RP38 - Restore Operation
34: 2007-07-09 01:09:02 UTC - RP37 - Installed Windows XP KB918118.


-- First Restore Point --
1: 2007-06-30 11:20:35 UTC - RP4 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Klynne.exe) ----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-07-13 09:34:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16473)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\PortReporter\PortReporter.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\alg.exe
C:\Documents and Settings\Klynne\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Klynne.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O8 - Extra context menu item: Download FLV files in this page with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadFLV.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Search Current News - file://\program files\powershell-xp3\search5.htm
O8 - Extra context menu item: Search Encyclopedia - file://\program files\powershell-xp3\search4.htm
O8 - Extra context menu item: Search for Images - file://\program files\powershell-xp3\search3.htm
O8 - Extra context menu item: Search Newsgroups - file://\program files\powershell-xp3\search2.htm
O8 - Extra context menu item: Search the Web - file://\program files\powershell-xp3\search.htm
O9 - Extra button: (no name) - AutorunsDisabled - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - AutorunsDisabled - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O9 - Extra 'Tools' menuitem: (no name) - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O15 - Trusted Zone: http://www.bitdefender.com (HKCU)
O15 - Trusted Zone: http://onecare.live.com (HKCU)
O15 - Trusted Zone: https://*.update.microsoft.com (HKCU)
O15 - Trusted Zone: http://*.update.microsoft.com (HKCU)
O15 - Trusted Zone: http://download.microsoft.com (HKCU)
O15 - Trusted Zone: http://office.microsoft.com (HKCU)
O15 - Trusted Zone: http://www.pandasoftware.com (HKCU)
O15 - Trusted Zone: http://www.trendsecure.com (HKCU)
O15 - Trusted Zone: https://download.windowsupdate.com (HKCU)
O15 - Trusted Zone: http://download.windowsupdate.com (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\WRS.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
O23 - Service: Net.Tcp Port Sharing Service (NetTcpPortSharing) - Unknown owner - "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\PortReporter.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe



-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 Dev_UNIDRV - c:\windows\system32\drivers\unidrv.sys <Not Verified; TwinSSoft Co.; ChipCfg/HWConfig NT direct hardware access driver>
R2 CDRPDACC (Quinnware CDDA Driver (by InfinaDyne)) - c:\program files\quintessential player\cdrpdacc.sys <Not Verified; Arrowkey; CD Device Access>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 nxsIO32 (NextSensor Kernel I/O Driver) - c:\windows\system32\drivers\nxsio32.sys

S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICSer_WPC54G - c:\program files\linksys\wireless-g notebook adapter\nicserv.exe
R2 PortReporter (Port Reporter) - c:\program files\portreporter\portreporter.exe

S3 FontCache3.0.0.0 (Windows Presentation Foundation Font Cache 3.0.0.0) - c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe (file missing)
S4 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)
S4 idsvc (Windows CardSpace) - "c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe" (file missing)
S4 NetTcpPortSharing (Net.Tcp Port Sharing Service) - "c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe" (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-07-13 09:08:00 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-07-03 12:56:24 268 --ah----- C:\WINDOWS\Tasks\A7CB788B91B8F2C7.job


-- Files created between 2007-06-13 and 2007-07-13 -----------------------------

2007-07-13 05:44:11 0 dr-h----- C:\Documents and Settings\Klynne\Recent
2007-07-13 01:20:43 0 dr-h----- C:\$VAULT$.AVG
2007-07-09 16:36:14 0 d-------- C:\Program Files\CCleaner
2007-07-08 23:47:30 0 d-------- C:\Program Files\SWF Maestro SCR
2007-07-08 17:48:12 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-08 07:04:06 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-07-07 11:55:46 0 d-------- C:\Program Files\ZSoft
2007-07-07 00:01:36 14426112 --a------ C:\Documents and Settings\Klynne\ntuser.dat
2007-07-06 11:59:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-07-06 09:44:14 0 d-------- C:\Documents and Settings\Klynne\Application Data\AVG7
2007-07-06 09:43:55 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-07-06 09:43:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-05 12:47:30 0 d-ahs---- C:\WINDOWS\Repair
2007-07-04 03:45:13 0 d-------- C:\Program Files\Symantec
2007-07-04 03:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-07-04 02:55:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-07-04 01:30:04 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-07-03 17:36:54 15781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2007-07-03 17:36:53 45056 --a------ C:\WINDOWS\system32\WLTRYSVC.EXE
2007-07-03 17:36:53 110592 -----n--- C:\WINDOWS\system32\AegisI5.exe <Not Verified; ; AegisInstall Application>
2007-07-03 17:36:52 913408 --a------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2007-07-03 16:52:43 0 d-------- C:\Program Files\Common Files\Funk Software
2007-07-03 09:15:48 0 d-------- C:\Program Files\Flash Catcher
2007-07-03 09:15:44 0 d-------- C:\Program Files\eMule
2007-07-03 09:15:44 0 d-------- C:\Program Files\eBay
2007-07-03 09:15:44 0 d-------- C:\Program Files\CD Audio Reader Filter
2007-07-03 09:15:42 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-07-03 09:13:44 0 d-------- C:\Program Files\IconViewer350
2007-07-02 16:22:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-07-02 06:28:57 0 d-------- C:\Documents and Settings\Klynne\Application Data\Moyea
2007-06-30 14:53:24 0 d-------- C:\Program Files\Funk Software
2007-06-30 14:51:47 0 d-------- C:\Program Files\Linksys
2007-06-30 10:34:29 0 d-------- C:\Program Files\Quick ShutDown
2007-06-30 07:19:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-06-30 07:19:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Talkback
2007-06-30 07:19:17 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2007-06-29 10:53:56 0 d-------- C:\WINDOWS\BDOSCAN8
2007-06-29 05:10:25 0 d-------- C:\WINDOWS\system32\Panda Software
2007-06-29 04:33:41 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-06-29 04:33:39 0 d-------- C:\Program Files\SpywareBlaster
2007-06-29 01:24:43 0 d-------- C:\Program Files\Safer Networking
2007-06-28 16:52:44 0 d-------- C:\Program Files\AxBx
2007-06-28 16:31:11 0 d-------- C:\Program Files\Digital Locker Assistant
2007-06-28 15:22:29 0 d-------- C:\{00002394-0000-0000-F93C-705AE0ED1386}
2007-06-28 04:14:41 0 d-------- C:\Program Files\PortReporter
2007-06-28 03:14:19 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-06-28 02:16:45 0 d-------- C:\Documents and Settings\Klynne\Application Data\IP Lookup v2.0
2007-06-28 01:39:17 0 d-------- C:\Program Files\WildPackets
2007-06-28 01:36:50 0 d-------- C:\Program Files\PingLookUp
2007-06-28 01:32:50 0 d-------- C:\Program Files\Softnik Technologies
2007-06-27 20:32:34 0 d-------- C:\Program Files\ACW
2007-06-23 10:48:22 0 d-------- C:\Program Files\Rosoft Free
2007-06-22 11:26:40 0 d-------- C:\Program Files\Trend Micro
2007-06-21 18:44:54 55 --a------ C:\WINDOWS\system32\cdcalcfull.dll
2007-06-21 16:06:14 0 d-------- C:\Program Files\RealMedia
2007-06-21 14:57:58 0 d-------- C:\Program Files\Vasilios Applications
2007-06-21 12:08:05 0 d-------- C:\Program Files\Video To Flash Encoder
2007-06-20 03:54:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-20 03:52:02 6080 --a------ C:\WINDOWS\system32\drivers\UNIDRV.SYS <Not Verified; TwinSSoft Co.; ChipCfg/HWConfig NT direct hardware access driver>
2007-06-20 00:45:11 0 d-------- C:\Documents and Settings\Klynne\Application Data\ImageBadger
2007-06-20 00:45:09 0 d-------- C:\Program Files\ImageBadger
2007-06-18 17:28:56 0 d-------- C:\Program Files\AmbulantPlayer-1.8
2007-06-18 05:29:40 0 d-------- C:\WINDOWS\speech
2007-06-18 02:01:10 0 d-------- C:\Program Files\Common Files\Solveig Multimedia
2007-06-18 02:01:09 0 d-------- C:\Program Files\Solveig Multimedia
2007-06-17 02:47:27 0 d-------- C:\Documents and Settings\Default User\Application Data\Tidy Start Menu
2007-06-17 02:44:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Tidy Start Menu
2007-06-17 02:08:40 0 d-------- C:\Program Files\Windows Desktop Search
2007-06-17 01:13:03 0 d-------- C:\Documents and Settings\Klynne\Application Data\mplayer
2007-06-17 01:07:59 0 d-------- C:\Program Files\MPlayer for Windows
2007-06-17 00:48:12 0 d-------- C:\Program Files\Free Window Registry Repair
2007-06-16 23:46:04 0 d-------- C:\Program Files\TextAloud
2007-06-15 15:34:31 0 d-------- C:\Program Files\Zards software
2007-06-15 11:21:53 0 d-------- C:\Documents and Settings\Klynne\SecurityScans
2007-06-15 11:20:59 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-06-14 11:02:02 0 dr-h----- C:\MSOCache
2007-06-13 17:23:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Zabersoft
2007-06-13 17:01:50 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2007-06-13 17:01:36 0 d-------- C:\WINDOWS\PrimoPDF
2007-06-13 17:01:36 0 d-------- C:\Program Files\activePDF
2007-06-13 01:15:11 32 --a------ C:\WINDOWS\hip


-- Find3M Report ---------------------------------------------------------------

2007-07-13 09:25:21 0 d-------- C:\Documents and Settings\Klynne\Application Data\DMCache
2007-07-08 07:04:10 8169 --a------ C:\WINDOWS\mozver.dat
2007-07-08 05:06:01 0 d-------- C:\Program Files\WMR11
2007-07-06 07:50:35 0 d-------- C:\Program Files\WM Recorder 10.2
2007-07-05 09:58:28 0 d-------- C:\Program Files\Inquisitor
2007-07-03 09:13:34 0 d-------- C:\Program Files\Windows Live Safety Center
2007-07-02 06:28:56 0 d-------- C:\Program Files\Moyea
2007-07-01 09:15:57 0 d-------- C:\Program Files\File Eraser
2007-07-01 05:30:50 0 d-------- C:\Program Files\Google
2007-06-30 20:33:26 0 d-------- C:\Documents and Settings\Klynne\Application Data\Orbit
2007-06-30 14:53:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-30 09:57:32 0 d-------- C:\Program Files\WebSite Downloader for Windows
2007-06-28 12:50:48 0 d-------- C:\Program Files\FrostWire
2007-06-28 12:49:09 0 d-------- C:\Program Files\BitTorrent
2007-06-21 10:54:43 0 d-------- C:\Documents and Settings\Klynne\Application Data\Macromedia
2007-06-20 10:29:29 0 d-------- C:\Program Files\Java
2007-06-19 08:23:10 0 d-------- C:\Program Files\kmp
2007-06-18 01:21:37 0 d-------- C:\Program Files\Common Files\Elecard
2007-06-17 06:21:07 0 d-------- C:\Program Files\EO Video
2007-06-14 12:28:34 0 d-------- C:\Program Files\DivX
2007-06-14 09:51:29 0 d-------- C:\Program Files\Messenger
2007-06-14 00:33:16 0 d-------- C:\Program Files\Freecorder
2007-06-13 23:57:20 0 d-------- C:\Program Files\Orbitdownloader
2007-06-13 22:26:59 0 d-------- C:\Documents and Settings\Klynne\Application Data\Help
2007-06-13 06:00:40 0 d-------- C:\Program Files\Any FLV Player
2007-06-12 20:55:23 0 d-------- C:\Program Files\PDFCreator
2007-06-12 19:27:02 0 d-------- C:\Program Files\Software by Design
2007-06-10 14:54:28 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-06-10 14:27:10 0 d-------- C:\Program Files\Flash Movie Player
2007-06-10 14:24:14 0 d-------- C:\Program Files\GodLikeMouse
2007-06-10 07:38:21 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-09 18:30:54 114688 --a------ C:\WINDOWS\system32\liclock.dll
2007-06-08 09:12:08 0 d-------- C:\Program Files\DupKiller
2007-06-07 06:59:25 0 d-------- C:\Program Files\CPU Eat 'n' Cool
2007-05-31 03:06:14 0 d-------- C:\Program Files\KC Softwares
2007-05-31 03:02:16 0 d-------- C:\Program Files\IVCsoft
2007-05-31 01:44:55 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-29 19:30:45 4096 --a------ C:\WINDOWS\d3dx.dat
2007-05-28 13:12:32 0 d-------- C:\Program Files\Planestate
2007-05-28 10:39:32 0 d-------- C:\Program Files\StickIt
2007-05-28 06:24:56 0 d-------- C:\Program Files\Fusion Media Player
2007-05-20 08:43:03 0 d-------- C:\Program Files\SamsonSoft
2007-05-20 08:07:28 0 d-------- C:\Program Files\MSBuild
2007-05-20 07:59:21 0 d-------- C:\Program Files\Reference Assemblies
2007-05-20 01:43:33 0 d-------- C:\Program Files\CinemaForge
2007-05-20 01:37:58 0 d-------- C:\Program Files\QO Labs
2007-05-19 16:40:05 0 d-------- C:\Program Files\Veoh Networks
2007-05-19 03:57:41 0 d-------- C:\Program Files\zeraha.org
2007-05-15 02:24:46 0 d-------- C:\Program Files\Anti-Leech
2007-05-14 23:11:20 74 --a------ C:\s7s
2007-05-14 23:11:20 74 --a------ C:\s3h8
2007-05-14 20:28:06 0 --a------ C:\Documents and Settings\Klynne\Application Data\output.txt
2007-05-13 19:55:17 0 d-------- C:\Program Files\Emsa DLL Register Tool
2007-05-10 02:46:06 74 --a------ C:\s1pc
2007-05-10 02:46:06 74 --a------ C:\s1h0
2007-05-02 06:50:35 80 --a------ C:\WINDOWS\sysdat.dll
2007-04-22 19:15:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-04-22 19:02:34 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-04-22 19:02:34 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-04-22 19:01:47 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Program Files\Internet Download Manager\IDMIECC.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"ATIModeChange"="Ati2mdxx.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload\AutorunsDisabled]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter.lnk]
"backup"="C:\\WINDOWS\\pss\\Wireless-G Notebook Adapter.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Linksys\\WIRELE~1\\Gcc.exe "
"item"="Wireless-G Notebook Adapter"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-07-13 at 09:36:33 ---------



Here is the extra log:

Deckard's System Scanner v20070711.54
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Athlon™ XP 2500+
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 447.48 MiB / 127.89 MiB
Pagefile Memory (total/avail): 1054.6 MiB / 821.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1954.7 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 10.43 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG 7.5.476 v7.5.476 (GRISOFT)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:LocalSubNet:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Klynne\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PERSONAL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Klynne
LOGONSERVER=\\PERSONAL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Klynne\LOCALS~1\Temp
TMP=C:\DOCUME~1\Klynne\LOCALS~1\Temp
USERDOMAIN=PERSONAL
USERNAME=Klynne
USERPROFILE=C:\Documents and Settings\Klynne
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Klynne (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\WEBDELC.EXE -[WebCam Control
--> C:\WINDOWS\WEBDELC.EXE -[WebCam Monitor
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
AC3File (remove only) --> C:\Program Files\AC3File\uninstall.exe
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Advanced WindowsCare 2.51 Personal --> "C:\Program Files\IObit\Advanced WindowsCare V2\unins000.exe"
ALShow --> "C:\Program Files\ESTsoft\ALShow\unins000.exe"
Amazing Bubbles 3D 1.1 --> "C:\WINDOWS\Amazing Bubbles 3D\unins000.exe"
Ambulant Player 1.8 for SMIL 2.1 --> C:\PROGRA~1\AMBULA~1.8\UNWISE.EXE C:\PROGRA~1\AMBULA~1.8\INSTALL.LOG
Any FLV Player 1.1.2 --> C:\Program Files\Any FLV Player\uninst.exe
AoA Audio Extractor 1.0 --> "C:\Program Files\AoA Audio Extractor\unins000.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AudioShell 1.3.5 --> "C:\Program Files\AudioShell\unins000.exe"
Audition --> C:\WINDOWS\SDUnInst.exe c:\program files\software by design\audition.uni
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BCM Wireless Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CD Audio Reader Filter (remove only) --> "C:\Program Files\CD Audio Reader Filter\uninstall.exe"
CinemaForge --> C:\WINDOWS\system32\xmforgert.exe c:\program files\CinemaForge\UninstallCF.xmfg
Conexant SoftK56 Data Fax Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_2027161F\HXFSETUP.EXE -U -Iem20275.inf
CoreAVC Pro 1.3.0.0 --> "C:\Program Files\CoreAVC Pro\unins000.exe"
Creative WebCam Control --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\WebCam Control\DeIsL1.isu"
Creative WebCam Driver --> C:\WINDOWS\CtDrvIns.exe -uninstall USB\VID_041E&PID_400D -plugin P1001Pin.dll -pluginres P1001Pin.crl
Creative WebCam Manual (English) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative WebCam Manual\English\CTManual.isu"
Creative WebCam Monitor --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\WebCam Monitor\DeIsL1.isu"
Desktop Netstat 1.3a --> rundll32.exe advpack.dll,LaunchINFSectionEx C:\Program Files\Google\Google Desktop Search\Plugins\Desktop Netstat\DesktopNetstat.inf,DefaultUnInstall
Digital Locker Assistant --> MsiExec.exe /I{D01653EF-9F9F-41D6-B879-654A6BF5892C}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Drempels (remove only) --> "C:\Program Files\Drempels\uninst-drempels.exe"
dsSFV --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\dssfv.inf,Uninstall
DVD Decoder Pak for Windows XP --> MsiExec.exe /X{92C5DB3D-9D6F-4324-BB11-57825F4C2635}
EDXOR --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\edxor.inf,Uninstall
Elecard MPEG-2 Decoder&Streaming Plug-in for WMP --> "C:\Program Files\Elecard\Elecard MPEG-2 Decoder&Streaming Plug-in for WMP\Uninstall.exe" "C:\Program Files\Elecard\Elecard MPEG-2 Decoder&Streaming Plug-in for WMP\install.log" -u
Elecard XMuxer Pro --> "C:\Program Files\Elecard\Elecard XMuxer Pro 1.1\Uninstall.exe" "C:\Program Files\Elecard\Elecard XMuxer Pro 1.1\install.log"
Emsa DLL Register Tool 1.0 --> "C:\Program Files\Emsa DLL Register Tool\unins000.exe"
EO Video 1.36 --> C:\WINDOWS\iun6002.exe "C:\Program Files\EO Video\irunin.ini"
FastStone Capture 5.2 --> C:\Program Files\FastStone Capture\uninst.exe
FastStone Image Viewer 2.9 --> C:\Program Files\FastStone Image Viewer\uninst.exe
FastStone MaxView 2.0 --> C:\Program Files\FastStone MaxView\uninst.exe
FastStone Photo Resizer 2.4 --> C:\Program Files\FastStone Photo Resizer\uninst.exe
File Eraser 1.1.1.1 --> C:\Program Files\File Eraser\uninst.exe
FileAlyzer --> "C:\Program Files\Safer Networking\FileAlyzer\unins000.exe"
Flash Movie Player 1.5 --> C:\Program Files\Flash Movie Player\uninst.exe
Flash Saving Plugin --> "C:\Program Files\UnH Solutions\Flash Saving Plugin\unins000.exe"
FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe"
Free DVD MP3 Ripper 1.12 --> "C:\Program Files\Free DVD MP3 Ripper\unins000.exe"
Free RM to MP3 Converter 1.12 --> "C:\Program Files\Free RM to MP3 Converter\unins000.exe"
Free Video to Mp3 Converter version 2.3 --> "C:\Program Files\Free Video to Mp3 Converter\unins000.exe"
Free Window Registry Repair --> C:\PROGRA~1\FREEWI~1\UNWISE.EXE C:\PROGRA~1\FREEWI~1\INSTALL.LOG
Free WMA to MP3 Converter 1.16 --> "C:\Program Files\Free WMA to MP3 Converter\unins000.exe"
Freecorder 2.3 (with Skype Call Recording) --> C:\WINDOWS\iun6002.exe "C:\Program Files\Freecorder\irunin.ini"
GetFLV Pro 2.26 --> "C:\Program Files\GetFLV\unins000.exe"
gmms 0.0.1 --> "C:\Program Files\gmms\unins000.exe"
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Pack Screensaver --> C:\WINDOWS\Google Pack Screensaver Uninstaller.exe
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HiNetRecorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C88386DE-0D91-4738-9ABD-A991D118A191}\Setup.exe"
Icon Viewer 3.5 --> "C:\Program Files\IconViewer350\unins000.exe"
ImageBadger Image Converter --> C:\Program Files\ImageBadger\uninstall.exe
InstallSpy 2.00 --> "C:\Program Files\MJLSoftware\InstallSpy\unins000.exe"
Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\CDUninst.isu
Internet Download Manager --> C:\Program Files\Internet Download Manager\Uninstall.exe
IObit SmartDefrag Beta3 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
IP Address Lookup v2.0.092606 --> "C:\Program Files\Softnik Technologies\IP Address Lookup\unins000.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Codec Pack 2.88 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
KC Softwares AVIToolbox --> "C:\Program Files\KC Softwares\AVIToolbox\unins000.exe"
KC Softwares VideoInspector --> "C:\Program Files\KC Softwares\VideoInspector\unins000.exe"
Lava Lamp 3.2.0.1 --> C:\Program Files\Lava Lamp\SXUNINST.EXE
Lavalamp Screensaver v1.2.0.0 (Demo Version) --> C:\WINDOWS\SXUNINST.EXE
LePlayer.com --> "C:\Program Files\leplayer\uninstall.exe"
Liquid Desktop 3D Screensaver Free --> C:\Program Files\Isotope244 Graphics\Liquid Desktop\uninst.exe
Magic Swf2Gif 1.35 --> "C:\Program Files\Magic Swf2Gif\unins000.exe"
MediaInfo 0.7.4.5 --> C:\Program Files\MediaInfo\uninst.exe
MediaInfo Lite 0.7.4.5 --> "C:\Program Files\MediaInfo Lite\unins000.exe"
Microsoft Baseline Security Analyzer 2.0.1 --> MsiExec.exe /I{7F231232-C309-4401-964A-2A002B6E1ED9}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Media Video 9 VCM --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmv9vcm.inf, Uninstall
Moyea FLV to Video Converter version 1.4.1.0 --> "C:\Program Files\Moyea\Moyea FLV to Video Converter\unins000.exe"
Mozilla ActiveX Control v1.7.12 --> C:\Program Files\Mozilla ActiveX Control v1.7.12\uninst.exe
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.4) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MPlayer for Windows (Full Package) --> C:\Program Files\MPlayer for Windows\uninstall.exe
Multi Virus Cleaner 2007 --> "C:\Program Files\AxBx\Multi Virus Cleaner 2007\unins000.exe"
MV2Player (remove only) --> C:\Program Files\Mv2Player\uninst.exe
My Folder v1.0 --> "C:\Program Files\My Folder\unins000.exe"
nFLVPlayer --> "C:\Program Files\zeraha.org\nFLVPlayer\unins000.exe"
Odyssey Client --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{99D42EC7-652B-4819-B3E6-6450C815E03F}
Odyssey Client --> MsiExec.exe /qn /X{99D42EC7-652B-4819-B3E6-6450C815E03F}
OpD2d --> C:\WINDOWS\unvise32.exe C:\Program Files\OpD2d\uninstal.log
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
Orbit --> "C:\Program Files\Orbitdownloader\unins000.exe"
Panda NanoScan --> C:\WINDOWS\system32\Panda Software\NanoScan\nanounst.exe
Panda TotalScan --> C:\WINDOWS\system32\Panda Software\ActiveScan2\ascuninst.exe
PDFCreator --> C:\Program Files\PDFCreator\unins000.exe
PingLookUp --> "C:\Program Files\PingLookUp\uninstall.exe"
Pixelfusion WMP Plugin 1.50 --> "C:\Program Files\QO Labs\Pixelfusion WMP Plugin\unins000.exe"
Planestate --> C:\PROGRA~1\PLANES~1\UNWISE.EXE C:\PROGRA~1\PLANES~1\INSTALL.LOG
PowerShell-XP3 --> C:\Program Files\PowerShell-XP3\uninstall.exe
PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
PrimoPDF Redistribution Package --> MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
Quick ShutDown --> C:\WINDOWS\unvise32.exe C:\Program Files\Quick ShutDown\uninstal.log
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Quintessential Player --> "C:\Program Files\Quintessential Player\uninst.exe"
RadarSync Engine (remove only) --> "C:\Program Files\RadarSync\Engine\Uninstall.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Riva FLV Player --> "C:\Program Files\Riva\Riva FLV Player\unins000.exe"
RM Downloader 2.7.1.600 2006.09.20 --> "C:\Program Files\RM Downloader\unins000.exe"
S.Y.M.P.A Version 3.276 --> C:\PROGRA~1\fever\SYMPA\Setup.exe /remove /q0
SDP Downloader --> MsiExec.exe /I{B547CB8D-549A-436E-97B5-E79F911B11E2}
SHOUTcast Source (remove only) --> "C:\Program Files\SHOUTcast Source\uninstall.exe"
SmartSWF 1.7 --> "C:\Program Files\cosmicsoft.lx.ro\SmartSWF\unins000.exe"
SolveigMM WMP Trimmer Plugin --> "C:\Program Files\Solveig Multimedia\SolveigMM WMP Trimmer Plugin\Uninstall.exe" "C:\Program Files\Solveig Multimedia\SolveigMM WMP Trimmer Plugin\install.log" -u
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SRS Audio Sandbox --> MsiExec.exe /X{7838752C-A838-4C73-849C-625C6114AF0C}
Starlight --> C:\PROGRA~1\STARLI~1\UNWISE.EXE C:\PROGRA~1\STARLI~1\INSTALL.LOG
Stream Explorer 1.0.3 --> "C:\Program Files\Rekenwonder Software\Stream Explorer\unins000.exe"
Streambox Vcr Suite 2 --> "C:\Program Files\StreamboxVcrSuite2\unins000.exe"
SUPER © Version 2007.bld.22 (Mar 14, 2007) --> C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
Superscape Viscape Universal --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Superscape\Viscape Universal\Uninst.isu"
SWF Opener --> "C:\Program Files\UnH Solutions\SWF Opener\unins000.exe"
Tidy Start Menu --> C:\Program Files\Tidy Start Menu\uninstall.exe
TMPGEnc Plus 2.524.63.181 --> "C:\Program Files\TMPGEnc Plus\unins000.exe"
Trend Micro TrendProtect for Firefox --> MsiExec.exe /X{E699EC58-B5A5-4C6A-9EA2-E22D52A80CD2}
Trend Micro TrendProtect for Internet Explorer --> MsiExec.exe /X{D5462C8A-D08C-4163-8293-82F2E11A2760}
TwinkleGL Screen Saver --> C:\WINDOWS\Uninstall.exe "C:\WINDOWS\install.log"
Ulead Photo Express 4.0 My Custom Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21BCE515-D5A3-11D4-8E33-0010B53EC668}\SETUP.EXE"
UltraPlayer --> C:\Program Files\UltraPlayer\UPUnInst.exe RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7FF95D80-7FEA-11D3-BDE9-0050DA1AB3B9}\setup.exe" -uninst
URL Snooper v2.17.01 --> "C:\Program Files\URLSnooper2\unins000.exe"
Valex AC3-DTS codec (remove only) --> C:\Program Files\VAC3ACM\uninstall.exe
Veoh Player --> C:\Program Files\InstallShield Installation Information\{3D5A72E1-1467-4199-8CF6-12DA8D502A6B}\setup.exe -runfromtemp -l0x0409
Video mp3 Extractor --> "C:\Program Files\Video mp3 Extractor\unins000.exe"
VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Webshots Desktop --> "C:\Program Files\Webshots\unins000.exe"
Webshots Toolbar --> C:\Program Files\Webshots\ToolbarUninstall.exe
WellGet --> C:\Program Files\WellGet\Uninstall.exe
WildPackets iNetTools 2.6.3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WildPackets\iNetTools\Uninst.isu"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Recorder --> C:\Program Files\Windows Media Recorder\WMR PRO 5.0\Uninstal.exe
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinPcap 4.0 --> C:\Program Files\WinPcap\uninstall.exe
WM Recorder + RM Recorder 10.21 --> C:\WINDOWS\iun6002.exe "C:\Program Files\WM Recorder 10.2\irunin.ini"
WM Recorder 11.2 --> C:\Program Files\WMR11\Uninstal.exe
WM Recorder 11.3 --> C:\Program Files\WMR11\Uninstal.exe
Wondershare Video To Flash Encoder --> "C:\Program Files\Video To Flash Encoder\unins000.exe"
XML Paper Specification Shared Components Pack 1.0 -->
xp-AntiSpy 3.96-4 --> C:\Program Files\xp-AntiSpy\Uninstall.exe
XVid;-) --> C:\Program Files\XVid;-)\Uninstall.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Yahtzee --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
YouTube Downloader 2.11 --> "C:\Program Files\FDRLab\YouTube Downloader\unins000.exe"


-- End of Deckard's System Scanner: finished at 2007-07-13 at 09:36:33 ---------

Edit: Well that worked. Was this the same log you tried to post earlier or did you run DSS a second time? Either way, this log shows that the new version of HJT wasn't downloaded as I intended, but we can figure out what happened later.

Give me some time to look this over and I will post back with instructions for you.

Edited by Papakid, 13 July 2007 - 12:23 PM.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#8 klynne66
  • Topic Starter

  • Members
  • 9 posts

Posted 13 July 2007 - 12:30 PM

Yes, these are the original posts I tried earlier. Also I followed your instructions to the T... so I'm definitely not sure what's going on. Any help you can offer will be most graciously appreciated. I just know things aren't right.

Thanks again

#9 Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,583 posts

Posted 14 July 2007 - 10:00 PM

My apologies for the long wait. The logs are very complex, more than usual, so it takes some time to look through and research. Plus I'm not known for being fast.

I have to say, though, that the more I look at this and read your original description, the more I believe your best option is to wipe your hard drive and re-install Windows after backing up your critical data. It appears to me that your system is so badly compromised that trying to clean it is an exercise in futility. Most of your log appears to be legit, but the few files that are suspicious are not very well documented and could be too stealthy to deal with easily.

If you would like me to try to help you clean up some more I will give it a try, but there are no guarantees here. There have been a lot of changes made since your first log and some of it is confusing. For the following I need to know whether these are things you have done yourself or not.

1. There are several folders that have been created recently, along with programs that I am not familiar with that are installed. They do mostly look legit, but it is nearly impossible for me to research each one for possible trojans. I like to play with new software myself, but if you are a software reviewer or collector please let me know. Look through the DSS logs under "Files created between 2007-06-13 and 2007-07-13" and "Find3M Report", especially the directories, and tell me which ones are not familiar to you, that you didn't put there yourself. I've looked through most of the files, so don't worry about them yet.

One file you can delete is the following leftover from a LOP infection:

C:\WINDOWS\Tasks\A7CB788B91B8F2C7.job

Also look under the Add/Remove Programs section of the log and let me know if there are any programs in there you didn't add yourself or are unfamiliar with. Adding a lot of programs at a time is not a good idea, because if one causes a problem or contains a trojan then it is harder to tell which is to blame.

2. Several startups have been disabled by Autoruns. Before you run anything I ask you to run that produces a log, re-enable everything in there so I can see what they are. It looks like most of them are legit from what is missing from your first log, but I can't tell for sure what might need to be deleted.

3. Security programs are disabled or missing. Did you disable Spybot's TeaTimer and Windows Defender yourself? Any others? If so and you have an infection, you're shooting yourself in the foot: you need to increase protection, not disable it. Although the two I mentioned are OK to leave disabled while we clean up, as they may interfere with cleanup of the registry.

DSS shows the Windows firewall enabled but Sygate no longer installed. Sygate has gotten outdated and I would recommend a switch anyway, but I recommend installing a third-party software firewall in order to block outgoing packets. AFAIK Port Reporter is OK for monitoring ports but is not meant to replace a firewall, as it will be too late to block packets by looking at the logs after the fact.

Comodo makes a nice firewall that is being kept current so I suggest you download and install it for now: Comodo

Now if you want to continue cleaning please do the following:

Print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply.

I see you have CCleaner installed. Boot back into safe mode and run it to clean out temp files and be sure to clear Java as well. Leave the Issues button alone for now. When done boot back into normal mode.

Please download Combofix to your desktop.

Doubleclick ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply.


Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to Press any key to continue.
Press a key and the FindAWF tool will begin scanning your computer.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically be saved to your desktop or whatever location you ran the file from.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Scan again with HijackThis 2.0.2 and post another log along with the other log and information I've asked for.

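A small triage aid for the step above where Papakid asks the poster to go through the Add/Remove Programs section of the DSS log. This is an added example written for this page, not part of Deckard's System Scanner or of either poster's instructions. It parses the `Name --> uninstall command` lines in the shape DSS prints (the sample lines embedded below are constructed to match the log above, not a real scan) and groups the entries a reviewer would want to look at first: entries with no display name, entries with no uninstall command at all, and different names that resolve to the same uninstaller (as the two Mozilla Firefox and two WM Recorder entries above do). The grouping rules and the `PROGRA~1` to `Program Files` mapping are my assumptions; a hit means "look closer", not "malware".

```python
"""Triage helper for the "Add/Remove Programs" section of a Deckard's System
Scanner (DSS) log.  Added example for this thread, not part of DSS itself.
The heuristics are assumptions about what deserves a second look."""
import re
from collections import defaultdict

# Each DSS entry is "<display name> --> <uninstall command>".  Both halves may
# be empty, which is itself worth noticing.
ENTRY_RE = re.compile(r"^(?P<name>.*?)\s*-->\s*(?P<cmd>.*?)\s*$")

# Constructed sample in the DSS format (shapes copied from the log above).
SAMPLE_LOG = r"""
-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\WEBDELC.EXE -[WebCam Control
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.4) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
WM Recorder 11.2 --> C:\Program Files\WMR11\Uninstal.exe
WM Recorder 11.3 --> C:\Program Files\WMR11\Uninstal.exe
XML Paper Specification Shared Components Pack 1.0 -->
Yahtzee --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}

-- End of Deckard's System Scanner ---------------------------------------------
"""


def parse_entries(log_text):
    """Return (display_name, uninstall_command) pairs from the Add/Remove section."""
    entries = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("-- Add/Remove Programs"):
            in_section = True
            continue
        if in_section and line.startswith("-- "):   # next DSS section header
            break
        if not in_section or "-->" not in line:
            continue
        m = ENTRY_RE.match(line)
        entries.append((m.group("name"), m.group("cmd")))
    return entries


def normalize_cmd(cmd):
    """Fold case and quoting so the same uninstaller compares equal.
    Assumption: PROGRA~1 is the 8.3 short name of Program Files (the usual
    default on an English XP install, but not guaranteed)."""
    return cmd.lower().replace('"', "").replace("progra~1", "program files")


def triage(entries):
    """Group entries a reviewer should look at first.  Heuristics, not verdicts."""
    nameless = [cmd for name, cmd in entries if not name]
    empty_command = [name for name, cmd in entries if not cmd]
    by_cmd = defaultdict(list)
    for name, cmd in entries:
        if name and cmd:
            by_cmd[normalize_cmd(cmd)].append(name)
    # Two display names sharing one uninstaller: stale upgrade leftovers, or an
    # entry hiding behind a known product's uninstaller.  Either way, ask.
    duplicate_command = {c: names for c, names in by_cmd.items() if len(names) > 1}
    return {"nameless": nameless,
            "empty_command": empty_command,
            "duplicate_command": duplicate_command}


if __name__ == "__main__":
    for key, value in triage(parse_entries(SAMPLE_LOG)).items():
        print(key, value)
```

Run it against the full DSS log by reading the saved file into `parse_entries` instead of `SAMPLE_LOG`; the output is a short list to answer the "which of these did you install yourself" question with, rather than the whole 180-entry section.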