I have military time and virus alert on taskbar [CLOSED], I've tried all kinds of spyware removal and nothing.
jf2008
post Jul 30 2008, 08:59 AM
Post #1
Member
Posts: 24
OS: xp

I have a virus that won't let me change the background...
has military time on the task bar with "virus alert!" in all caps...
after a while it'll go dormant and reboots and shuts off every 60 seconds (more or less).


Jimmy2012
post Jul 30 2008, 11:07 AM
Post #2
Trusted Helper
Posts: 2,785
From: Ohio, USA
OS: linux, Windows XP

Hello jf2008 and welcome to Geeks to Go,

Please read this topic, and post your logs back in this topic when you are done.

jf2008
post Jul 30 2008, 07:12 PM
Post #3
Member
Posts: 24
OS: xp

Hi,
I downloaded Stopzilla and ran it.
Man, what a change. I also followed instructions on how to manually change the military time... It worked.
After running Stopzilla everything's pretty much back to normal... except...

Every once in a while I'm getting this red-outlined ad with "Warning! Severe System Errors Detected!
The application has detected 0 Severe System Errors on your computer."

It has a "Repair Now" on the bottom right.

It's got a tiny white "x" on the top right. I click it and it goes away for about 40 minutes.

Other than this we can now log in to our emails... check out the internet...
That sort of thing. Is there any software or instructions to identify this little red ad?

Jimmy2012
post Jul 30 2008, 11:05 PM
Post #4
Trusted Helper
Posts: 2,785
From: Ohio, USA
OS: linux, Windows XP

Hello jf2008,
Please read the link that I gave you in my first reply, and post the logs back here.

jf2008
post Jul 31 2008, 07:49 AM
Post #5
Member
Posts: 24
OS: xp

Hi Jimmy2012,
jf2008 here. Please forgive me... I'm relatively new at this. I can follow directions but sometimes I get a little lost.
I downloaded HijackThis and ran it. This is the log I received.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:30, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\sj652\hpupdate.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ares Ultra\Ares Ultra.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
O3 - Toolbar: (no name) - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Update 3400C] C:\sj652\hpupdate.exe 3400C
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iPodConverterSuite_upgrade] "C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\tjipufhh.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - HKCU\..\Run: [ares ultra] C:\Program Files\Ares Ultra\Ares Ultra.exe -h
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O21 - SSODL: evgratsm - {FFCD4999-BE62-468A-AF28-C2CA423682F6} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - c:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8808 bytes

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks. Jf2008
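An added example, not part of the thread and not a HijackThis feature: a small Python script that applies the kind of triage a helper does by eye on a log like the one above. The rules are assumptions drawn from the patterns visible in the two HijackThis logs in this thread (a Run value whose name is a hex blob launching rundll32 with a random-looking DLL from system32, a nameless BHO whose DLL is still on disk, an SSODL entry, a Default_Search_URL on an unrecognised host, an autostart living under a user-writable profile directory). The short allowlist of search hosts is also an assumption. The sample lines are copied from the posted logs, with a few benign entries from the same logs kept for contrast.

```python
"""Heuristic triage of a HijackThis v2 log.

Added example for this thread; not a tool from the thread. The rules below
are assumptions modelled on the entries seen in the posted logs, not an
official HijackThis signature set. A hit is a lead for a helper, not a verdict.
"""
import re

# Sample input: lines copied from the HijackThis logs posted in this thread,
# with a few benign entries from the same logs kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {7B86749C-DEC9-424F-B2A3-1F55270962FD} - C:\WINDOWS\system32\opnlKBqp.dll
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\tjipufhh.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O21 - SSODL: evgratsm - {FFCD4999-BE62-468A-AF28-C2CA423682F6} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One HijackThis entry: "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
# Run value names such as [f0c81030] or [BMf3fb23ac]: hex, not a product name.
HEX_NAME_RE = re.compile(r"^\[(?:BM)?[0-9a-f]{8}\]", re.I)
# A DLL in system32 whose base name is 6-10 letters with no vendor prefix.
SYSTEM32_DLL_RE = re.compile(r"\\system32\\([A-Za-z]{6,10})\.dll", re.I)
# Autostart binaries under locations a normal user can write to.
USER_WRITABLE_RE = re.compile(r"\\(?:Application Data|Local Settings|Temp)\\", re.I)
# Assumed allowlist of search/start-page hosts that are not worth flagging.
KNOWN_SEARCH_HOSTS = {"www.yahoo.com", "us.rd.yahoo.com", "www.google.com",
                      "www.msn.com", "search.msn.com"}


def _run_value_name(body):
    """Extract the bracketed value name from an O4 Run entry, or '' if absent."""
    m = re.search(r"Run: (\[[^\]]*\])", body)
    return m.group(1) if m else ""


def classify(kind, body):
    """Return the reasons one entry deserves a closer look (empty list = not flagged)."""
    reasons = []
    low = body.lower()
    if kind in ("R0", "R1"):
        m = URL_HOST_RE.search(body)
        if m and m.group(1).lower() not in KNOWN_SEARCH_HOSTS:
            reasons.append("browser start/search URL points at an unrecognised host: " + m.group(1))
    elif kind == "O2":
        # A nameless BHO whose DLL still exists is live code in every IE process.
        if "(no name)" in low and "(no file)" not in low and "(file missing)" not in low:
            reasons.append("BHO registered with no name but its DLL is present on disk")
    elif kind == "O4":
        name = _run_value_name(body)
        if HEX_NAME_RE.match(name):
            reasons.append("Run value name is a hex blob rather than a product name: " + name)
        if "rundll32" in low and SYSTEM32_DLL_RE.search(body):
            reasons.append("rundll32 loads a DLL with a non-descriptive name from system32")
        if USER_WRITABLE_RE.search(body):
            reasons.append("autostart binary lives under a user-writable profile directory")
    elif kind == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry: loaded by Explorer at logon, "
                       "rarely used by legitimate software")
    return reasons


def triage(log_text):
    """Parse a HijackThis log; return [(kind, reasons, line)] for flagged entries in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        reasons = classify(m.group("kind"), m.group("body"))
        if reasons:
            findings.append((m.group("kind"), reasons, line))
    return findings


if __name__ == "__main__":
    for kind, reasons, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {line}")
        for r in reasons:
            print("      -", r)
```

Run against the sample it flags six entries: the kingkongsearch.com search URL, the nameless BHO whose DLL is present, the two hex-named rundll32 Run values, the WinSpywareProtect autostart under Application Data, and the SSODL entry, while the Yahoo start page, the orphaned BHO, the Java helper, iTunesHelper and the iPod service pass. Anything that passes is not thereby clean: O10 LSP and O23 service entries need a vendor check rather than a regex, and the helper's judgement still decides what gets fixed.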

Jimmy2012
post Jul 31 2008, 12:59 PM
Post #6
Trusted Helper
Posts: 2,785
From: Ohio, USA
OS: linux, Windows XP

Hello jf2008,
QUOTE
Please forgive me... I'm relatively new at this. I can follow directions but sometimes I get a little lost.

That's no problem. If you have any questions or are just not sure about something, please feel free to ask.

I did not see any anti-virus software on your computer. Without any anti-virus software you can get a virus more easily. I recommend that you download an anti-virus program. Here are two to choose from (both of them are free).
AntiVir
AVG
Out of these two I would recommend AntiVir. Please only install one anti-virus on your computer at a time. Running more than one at a time can cause conflicts and can also slow your computer down. If you need any help installing one please let me know.

Also I did not see a firewall on your computer. A firewall can help protect you from hackers and some types of malware. I recommend you download a firewall. Here are a few to choose from (all are free).
Comodo
Zone Alarm
OutPost
Out of these I would recommend Comodo. Please only install one firewall at a time. If you need any help installing/using one of these firewalls please let me know.

Please rename HijackThis.exe to Flipper.exe. To rename a file, right click on the file and click rename.

STEP 1
I see that you have a P2P (peer-to-peer) program on your computer. While the program itself may be safe, the files you get can be illegal and can also have malware in them. I recommend you remove the following program. (If you do not want to remove the P2P program, please skip this step and go to the next one.)

Please click Start > Control Panel > Add/Remove Programs, and remove the following programs (if present). Also remove any other P2P programs you may have.
Ares

Once you have done that please remove the following folder (if present):
C:\Program Files\Ares Ultra

STEP 2
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum

STEP 3
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

~~~~~~~~~~
In your next reply please have these logs.
The SDFix log
And the DSS main.txt and extra.txt

jf2008
post Jul 31 2008, 04:25 PM
Post #7
Member
Posts: 24
OS: xp

Hi Jimmy2012,

I did step 1 = removed Ares, Ares Tube plus folders.

I did step 2 = I ran SDFix and this is the report. I forgot I had Stopzilla running and it sort of interfered a little.
I interrupted Stopzilla and it continued with the process.
I'm starting step 3 now.

================================================================

SDFix: Version 1.210
Run by JF1954 on Thu 07/31/2008 at 02:59

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFIX\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting

Service AdvPowerMgmt - Deleted
Service asc3550p - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\HPGREG32.DLL - Deleted
C:\WINDOWS\SYSTEM32\HPSJ32.DLL - Deleted
C:\WINDOWS\SYSTEM32\HPSJVSET.DLL - Deleted
C:\WINDOWS\SYSTEM32\IPEAPI12.DLL - Deleted
C:\WINDOWS\SYSTEM32\IPEBAS~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\IPEIST~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFCMP70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFFAX70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFFPX70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFGIF70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFPCX70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFPNG70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFTIF70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LTFIL70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LTKRN70N.DLL - Deleted
C:\WINDOWS\cuawsppw\1.png - Deleted
C:\WINDOWS\cuawsppw\2.png - Deleted
C:\WINDOWS\cuawsppw\3.png - Deleted
C:\WINDOWS\cuawsppw\4.png - Deleted
C:\WINDOWS\cuawsppw\5.png - Deleted
C:\WINDOWS\cuawsppw\6.png - Deleted
C:\WINDOWS\cuawsppw\7.png - Deleted
C:\WINDOWS\cuawsppw\8.png - Deleted
C:\WINDOWS\cuawsppw\9.png - Deleted
C:\WINDOWS\cuawsppw\bottom-rc.gif - Deleted
C:\WINDOWS\cuawsppw\config.png - Deleted
C:\WINDOWS\cuawsppw\content.png - Deleted
C:\WINDOWS\cuawsppw\download.gif - Deleted
C:\WINDOWS\cuawsppw\frame-bg.gif - Deleted
C:\WINDOWS\cuawsppw\frame-bottom-left.gif - Deleted
C:\WINDOWS\cuawsppw\frame-h1bg.gif - Deleted
C:\WINDOWS\cuawsppw\head.png - Deleted
C:\WINDOWS\cuawsppw\icon.png - Deleted
C:\WINDOWS\cuawsppw\indexwp.html - Deleted
C:\WINDOWS\cuawsppw\main.css - Deleted
C:\WINDOWS\cuawsppw\memory-prots.png - Deleted
C:\WINDOWS\cuawsppw\net.png - Deleted
C:\WINDOWS\cuawsppw\pc.gif - Deleted
C:\WINDOWS\cuawsppw\pc-mag.gif - Deleted
C:\WINDOWS\cuawsppw\poloska1.png - Deleted
C:\WINDOWS\cuawsppw\poloska2.png - Deleted
C:\WINDOWS\cuawsppw\poloska3.png - Deleted
C:\WINDOWS\cuawsppw\promowp1.html - Deleted
C:\WINDOWS\cuawsppw\promowp2.html - Deleted
C:\WINDOWS\cuawsppw\promowp3.html - Deleted
C:\WINDOWS\cuawsppw\promowp4.html - Deleted
C:\WINDOWS\cuawsppw\promowp5.html - Deleted
C:\WINDOWS\cuawsppw\reg.png - Deleted
C:\WINDOWS\cuawsppw\repair.png - Deleted
C:\WINDOWS\cuawsppw\scr-1.png - Deleted
C:\WINDOWS\cuawsppw\scr-2.png - Deleted
C:\WINDOWS\cuawsppw\start.png - Deleted
C:\WINDOWS\cuawsppw\styles.css - Deleted
C:\WINDOWS\cuawsppw\top-rc.gif - Deleted
C:\WINDOWS\cuawsppw\vline.gif - Deleted
C:\WINDOWS\cuawsppw\wp.png - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt10.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt10C.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt11.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt12.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt126.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt128.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt12D.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt13.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt133.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt135.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt137.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt14.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt15.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt16.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt17.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt18.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1A.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1C.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1D.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1E.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt20.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt22.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt24.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt26.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt27.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt28.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt29.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2A.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2C.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2D.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2E.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2F.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt3.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt31.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt7.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt9.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt9A.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttA.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttB.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttC.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttE.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttF.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\vistasp1.exe.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\tmp43.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\tmp46.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\s1265.php - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\software.php - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\software.php.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\vistasp1.exe - Deleted
C:\WINDOWS\conf.inf - Deleted
C:\WINDOWS\Config\csrss.exe - Deleted
C:\WINDOWS\ky.sxc - Deleted
C:\WINDOWS\msa64chk.dll - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 17:05:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\wincmd\\WINCMD32.EXE"="C:\\wincmd\\WINCMD32.EXE:*:Enabled:Windows Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Disabled:WinDVD"
"C:\\Yahoo!\\Messenger\\YPager.exe"="C:\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Yahoo!\\Messenger\\YServer.exe"="C:\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\iConferenceCL\\BIN\\hotComm.exe"="C:\\Program Files\\iConferenceCL\\BIN\\hotComm.exe:*:Enabled:hotCommCL"
"C:\\Program Files\\OUGOMessenger\\main.exe"="C:\\Program Files\\OUGOMessenger\\main.exe:*:Enabled:OUGO Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Ares Ultra\\Ares Ultra.exe"="C:\\Program Files\\Ares Ultra\\Ares Ultra.exe:*:Enabled:Ares Ultra p2p for windows"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Disabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"="C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe:*:Disabled:McAfee Data Backup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFIX\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 21 Oct 2006 209 A.SHR --- "C:\BOOT.BAK"
Mon 25 Jun 2007 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 22 May 2008 1,522,387 A.SH. --- "C:\WINDOWS\system32\spkpygda.tmp"
Fri 28 Jul 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 25 Jun 2007 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Fri 28 Jul 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Mon 25 Jun 2007 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 2 Apr 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Sat 28 Jul 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Sat 28 Jul 2007 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Sat 27 Oct 2007 24,064 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL0001.tmp"
Sun 9 Dec 2007 24,064 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL0454.tmp"
Wed 19 Dec 2007 95,928,832 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL1421.tmp"
Wed 3 Jan 2007 26,112 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL2510.tmp"
Wed 19 Dec 2007 95,927,808 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL2585.tmp"
Wed 3 Jan 2007 25,600 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL3204.tmp"
Wed 3 Jan 2007 28,160 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL3856.tmp"
Wed 18 Jun 2003 53,248 A..H. --- "C:\Documents and Settings\jf1954.YOUR-9K1AY6X2A2\Start Menu\Programs\Startup\AutoTBar.exe"

Finished!


jf2008
post Jul 31 2008, 04:47 PM
Post #8
Member
Posts: 24
OS: xp

Jimmy2012,
Here's the main.txt
===================

Deckard's System Scanner v20071014.68
Run by JF1954 on 2008-07-31 17:41:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
19: 2008-07-31 22:41:46 UTC - RP19 - Deckard's System Scanner Restore Point
18: 2008-07-31 22:39:42 UTC - RP18 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
17: 2008-07-31 19:19:32 UTC - RP17 - Avira AntiVir Personal - 7/31/2008 14:19
16: 2008-07-31 02:29:41 UTC - RP16 - Avira AntiVir Personal - 7/30/2008 21:29
15: 2008-07-31 01:32:19 UTC - RP15 - Avira AntiVir Personal - 7/30/2008 20:31


-- First Restore Point --
1: 2008-07-23 00:31:03 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JF1954.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:29, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\sj652\hpupdate.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\JF1954\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JF1954.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} - C:\WINDOWS\system32\ljJYOeFy.dll (file missing)
O2 - BHO: (no name) - {21C63899-6532-40D7-8379-7ED788B98D28} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {45931b96-a520-d10a-5b54-6ef1d2fc5cb6} - {6bc5cf2d-1fe6-45b5-a01d-025a69b13954} - C:\WINDOWS\system32\mzxlng.dll
O2 - BHO: (no name) - {6C7D8557-73CE-4AC8-89C0-96B8BA4BB668} - (no file)
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B86749C-DEC9-424F-B2A3-1F55270962FD} - C:\WINDOWS\system32\opnlKBqp.dll
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: (no name) - {DC3710DC-8B5F-4087-AFCD-E0973218444D} - (no file)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
O3 - Toolbar: (no name) - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Update 3400C] C:\sj652\hpupdate.exe 3400C
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iPodConverterSuite_upgrade] "C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\tjipufhh.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: ljJCrPJB - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - c:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 9339 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 EvcapMaui (Emuzed EvcapMaui Device) - c:\windows\system32\drivers\evcapmau.sys <Not Verified; Emuzed, Inc.; Emuzed Maui>
R3 ltmodem5 (LT Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys <Not Verified; LT; LT V.92 Data+Fax Modem Version 8.28>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 StillCam (Still Serial Digital Camera Driver) - c:\windows\system32\drivers\serscan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S3 MR97310_USB_DUAL_CAMERA (MR97310 CIF Dual Mode Camera) - c:\windows\system32\drivers\mr97310c.sys <Not Verified; Mars Semiconductor Corp.; USB Dual-Mode Camera>
S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal - Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-28 07:24:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-10 08:47:00 336 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY3813N41D7A.job


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 14:51:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-31 14:21:32 0 d-------- C:\Program Files\Avira
2008-07-31 14:21:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-30 20:43:24 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Adobe
2008-07-30 20:27:18 4350 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-30 20:26:27 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-30 20:26:27 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-30 20:26:27 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-30 20:26:27 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-30 20:26:27 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-30 20:26:27 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-30 20:26:27 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-30 20:26:27 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-30 19:01:50 0 d-------- C:\Documents and Settings\JF1954\Application Data\Recordpad
2008-07-30 19:01:47 0 d-------- C:\Documents and Settings\JF1954\Application Data\NCH Swift Sound
2008-07-30 19:01:31 0 d-------- C:\Program Files\NCH Software
2008-07-30 19:01:27 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-29 18:27:44 120448 --a------ C:\WINDOWS\system32\mzxlng.dll
2008-07-29 18:27:43 120448 --a------ C:\WINDOWS\system32\uoeecuoi.dll
2008-07-29 18:22:07 695553 --ahs---- C:\WINDOWS\system32\pqBKlnpo.ini2
2008-07-29 18:22:00 323584 --a------ C:\WINDOWS\system32\opnlKBqp.dll
2008-07-28 14:48:10 0 d-------- C:\Program Files\Albatross
2008-07-28 08:48:05 0 d-------- C:\Program Files\Lavasoft
2008-07-27 19:18:48 0 dr-h----- C:\Documents and Settings\JF1954\Recent
2008-07-27 13:59:13 635243 --ahs---- C:\WINDOWS\system32\AIPrAcdd.ini2
2008-07-25 16:47:37 116352 --a------ C:\WINDOWS\system32\pgzlhz.dll
2008-07-25 16:47:33 116352 --a------ C:\WINDOWS\system32\wnpnuyym.dll
2008-07-25 16:14:28 116352 --a------ C:\WINDOWS\system32\awsrpt.dll
2008-07-25 16:14:22 116352 --a------ C:\WINDOWS\system32\mvktdbye.dll
2008-07-25 16:02:23 0 d-------- C:\Program Files\USS
2008-07-25 16:02:21 0 --a------ C:\END
2008-07-23 21:53:31 877472 --ahs---- C:\WINDOWS\system32\lTDNonmp.ini2
2008-07-23 21:26:30 0 d-------- C:\Documents and Settings\JF1954\Application Data\Simply Super Software
2008-07-23 18:12:41 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\SACore
2008-07-22 12:35:06 0 d-------- C:\Documents and Settings\JF1954\Application Data\TmpRecentIcons
2008-07-22 09:56:41 0 d-------- C:\photoshopplugins
2008-07-21 10:36:35 0 d-------- C:\WINDOWS\Splash Screens
2008-07-19 15:26:44 0 d-------- C:\Documents and Settings\JF1954\Application Data\MP3toiPodAudioBookConverter
2008-07-19 15:20:41 0 d-------- C:\Program Files\MP3ToIpodAudioBookConverter
2008-07-18 17:26:50 0 d-------- C:\Program Files\Duplicate Music Files Finder
2008-07-18 15:21:58 0 d-------- C:\Documents and Settings\JF1954\Application Data\TuneUpMedia
2008-07-18 15:21:06 0 d-------- C:\Program Files\TuneUpMedia
2008-07-18 15:20:54 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUpMedia
2008-07-18 11:14:46 0 d-------- C:\Program Files\PowerISO
2008-07-18 11:13:45 0 d-------- C:\poweriso
2008-07-17 18:42:39 0 d-------- C:\audiobooks
2008-07-17 17:46:55 0 d-------- C:\Documents and Settings\JF1954\Application Data\McAfee
2008-07-17 17:15:52 433664 --a------ C:\ipodpatcher.exe
2008-07-17 17:15:52 13899776 --a------ C:\Firmware.bin
2008-07-07 02:40:49 56108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Find3M Report ---------------------------------------------------------------

2008-07-31 17:40:04 0 d-------- C:\Program Files\STOPzilla!
2008-07-31 08:44:52 0 d-------- C:\Program Files\Trend Micro
2008-07-30 19:08:51 0 d-------- C:\Documents and Settings\JF1954\Application Data\Lavasoft
2008-07-30 19:08:18 0 d-------- C:\Program Files\Common Files
2008-07-30 19:06:44 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-30 19:05:41 0 d-------- C:\Program Files\WorldMerge
2008-07-30 17:39:14 0 d-------- C:\Documents and Settings\JF1954\Application Data\SeekmoToolbar
2008-07-25 16:23:58 0 d-------- C:\Documents and Settings\JF1954\Application Data\Azureus
2008-07-18 15:21:51 0 d-------- C:\Documents and Settings\JF1954\Application Data\Mozilla
2008-07-18 15:21:17 0 d-------- C:\Program Files\iTunes
2008-07-18 10:37:56 0 d-------- C:\Program Files\Xilisoft
2008-07-18 08:38:41 0 d-------- C:\Program Files\Winamp
2008-07-16 10:56:07 1 --a------ C:\Documents and Settings\JF1954\Application Data\FrontEndCD.ini
2008-07-15 18:23:30 181 --a------ C:\WINDOWS\system32\MSXGGBDRIVER.DLL
2008-07-10 18:58:00 0 d-------- C:\Program Files\Solveig Multimedia
2008-07-04 15:04:40 0 d-------- C:\Program Files\Azureus
2008-07-03 19:01:47 0 d-------- C:\Documents and Settings\JF1954\Application Data\Adobe
2008-06-29 12:21:14 0 d-------- C:\Program Files\Bonjour
2008-06-29 12:21:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 12:02:35 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-27 07:42:47 0 d-------- C:\Program Files\Acoustica CD Label Maker
2008-06-26 16:54:13 0 d-------- C:\Program Files\WorldCast
2008-06-25 13:40:30 0 d-------- C:\Program Files\MailBoy 2004
2008-06-25 10:29:16 0 d-------- C:\Program Files\Total Training
2008-06-20 18:58:46 0 d-------- C:\Program Files\Free Submitter Pro
2008-06-20 10:38:00 0 d-------- C:\Program Files\Gallery Wizard
2008-06-01 15:03:31 1523778 --ahs---- C:\WINDOWS\system32\spkpygda.ini2
2008-05-21 00:07:10 909291 --ahs---- C:\WINDOWS\system32\MnnTwGgh.ini2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD}]
C:\WINDOWS\system32\ljJYOeFy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21C63899-6532-40D7-8379-7ED788B98D28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6bc5cf2d-1fe6-45b5-a01d-025a69b13954}]
07/29/2008 06:27 120448 --a------ C:\WINDOWS\system32\mzxlng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C7D8557-73CE-4AC8-89C0-96B8BA4BB668}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{702EA91C-1ACF-4772-8078-18F2B2EE1031}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B86749C-DEC9-424F-B2A3-1F55270962FD}]
07/29/2008 06:22 323584 --a------ C:\WINDOWS\system32\opnlKBqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B904910-78A4-489D-A825-5111B883A5B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC3710DC-8B5F-4087-AFCD-E0973218444D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/04/2004 12:56]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Update 3400C"="C:\sj652\hpupdate.exe" [02/01/2002 02:33]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04/11/2003 03:25]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/28/2003 09:43]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [05/21/2003 06:37]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/21/2001 04:54]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"iPodConverterSuite_upgrade"="C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" [11/29/2007 03:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20]
"USS"="C:\Program Files\USS\USS.exe" []
"f0c81030"="C:\WINDOWS\system32\tjipufhh.dll" []
"BMf3fb23ac"="C:\WINDOWS\system32\dwacphgc.dll" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [01/06/2005 08:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [07/16/2007 03:17]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD}"= C:\WINDOWS\system32\ljJYOeFy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrPJB]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnlKBqp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-07-31 17:44:17 ------------

=======================
Here's the Extra.txt
=======================
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 511.29 MiB / 146.71 MiB
Pagefile Memory (total/avail): 1249.83 MiB / 871.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1953.98 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 106.58 GiB total, 50.58 GiB free.
D: is Fixed (FAT32) - 5.19 GiB total, 0.88 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)
U: is Removable (No Media)
V: is Removable (No Media)
W: is Removable (No Media)
X: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200AB-00DYA0 - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 5.2 GiB - D:
\PARTITION1 (bootable) - Installable File System - 106.58 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.)
AV: Avira AntiVir PersonalEdition v8.0.1.26 (Avira GmbH) Outdated
AV: Trend Micro PC-cillin Internet Security 2007 v15.00.1329 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\wincmd\\WINCMD32.EXE"="C:\\wincmd\\WINCMD32.EXE:*:Enabled:Windows Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Disabled:WinDVD"
"C:\\Yahoo!\\Messenger\\YPager.exe"="C:\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Yahoo!\\Messenger\\YServer.exe"="C:\\Yahoo!\\Messenger\\YServer.exe: