Trojan and Worm infections [CLOSED], BackDoor.Generic4.TWL, Worm/Delf.ATB, p2pnetworking.exe

Aug 30 2007, 12:54 AM
Post #1
New Member, Posts: 3, OS: xp pro

First....thank you for any assistance you can offer. The work that volunteers like you are doing is very much appreciated!

Yesterday I noticed that my computer was strained to the limit with just minimal tasks. Unable to open Task Manager or even a command prompt to see what might be using the resources, I rebooted. That's when the real trouble started. The computer just ran at max until I had to hold down the power button to turn it off. Finally able to force open the Task Manager, I saw the p2pnetworking.exe which didn't look familiar, researched it, and found out it's bad news. After using AVG in an attempt to remove it, I found that my PC was infected with BackDoor.Generic4.TWL, Worm/Delf.ATB, although the p2pnetworking.exe did not show up in the list of infected items or the log file. I found registry keys for it in the registry and removed them but it's back with every reboot. Obviously I'm missing some parts of it somewhere. Killbox finally was able to get rid of it just long enough that I was able to (very slowly) take further steps.

I've carefully followed your instructions about the required things to do:

ATF Cleaner - left all boxes checked and deleted everything it discovered.
System Restore - Created a new restore point and deleted all others.
AVG Anti-Spyware - Used the settings outlined and followed the steps to scan exactly. A few items were found and quarantined as directed. However, under Reports it states there are no reports available.
SuperAntiSpyware - Ran this scan and posted the log below.
PandaScan - Attempted numerous times to run this scan but it kept stopping with errors.
AVG - I already had this installed on my computer so this was the first thing I tried....can also post the entire log if requested. Only the BackDoor.Generic4.TWL, Worm/Delf.ATB, p2pnetworking.exe were found, though in multiple instances.
Windows Update - My computer shipped with SP2 on it so just ran the updates.
HijackThis - See log below.

After each of these steps I noticed a slight improvement to the computer's performance.

Now on reboot it takes about 15 minutes for the computer to stop straining incessantly (this really is an improvement!) but when I attempt to open any program, even a browser window, it starts overworking again and the task takes several minutes. Again, any suggestions or help you can offer is very gratefully appreciated. I'd offer you my firstborn but he's 30

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:54 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\hp\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security 2007\tsc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hudsonbusiness.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.roboform.net/dist/AiRoboForm.exe
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\hp\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\imaging\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &2 Customize Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O8 - Extra context menu item: Post To &Nucleus (RV Sisters) - http://rvsisters.com/talk/nucleus/bookmark...de&blogid=1
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143337220171
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...oke/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\armhelper.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 10586 bytes

---------------------------------------

SuperAntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/29/2007 at 06:42 PM

Application Version : 3.9.1008

Core Rules Database Version : 3294
Trace Rules Database Version: 1305

Scan type : Complete Scan
Total Scan Time : 08:01:07

Memory items scanned : 401
Memory threats detected : 0
Registry items scanned : 6563
Registry threats detected : 22
File items scanned : 262694
File threats detected : 10

Adware.IWinGames
HKLM\Software\Classes\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32#ThreadingModel
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP1123\A0083906.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Sandi\Cookies\sandi@revsci[2].txt
C:\Documents and Settings\Sandi\Cookies\sandi@atwola[1].txt
C:\Documents and Settings\Sandi\Cookies\sandi@2o7[1].txt
C:\Documents and Settings\Sandi\Cookies\sandi@brightcove.112.2o7[1].txt
C:\Documents and Settings\Sandi\Cookies\sandi@questionmarket[1].txt
C:\Documents and Settings\Sandi\Cookies\sandi@specificclick[2].txt

Adware.MovieLand/MediaPipe
HKLM\Software\MediaPipe
HKLM\Software\MediaPipe\Prefs
HKLM\Software\MediaPipe\Prefs#version
HKLM\Software\MediaPipe\Prefs#AltPayments
HKLM\Software\MediaPipe\Prefs#ProductFamily
HKLM\Software\MediaPipe\Prefs#Country
HKLM\Software\MediaPipe\Prefs#Provider
HKLM\Software\MediaPipe\Prefs#TRAFFIC_COUNTRY
HKLM\Software\MediaPipe\Prefs#TRAFFIC_PROGRAM
HKLM\Software\MediaPipe\Prefs#TRAFFIC_SOURCE
HKLM\Software\MediaPipe\Prefs#TRAFFIC_SUBSOURCE
HKLM\Software\MediaPipe\Prefs#JOIN_FORM_ID
HKLM\Software\MediaPipe\Prefs\altpayments
HKLM\Software\MediaPipe\Prefs\altpayments#Provider

Adware.IST/SideFind
C:\PROGRAM FILES\MICROSOFT ANTISPYWARE\QUARANTINE92E4DB9-8805-42DF-858E-DC2D58\6BEE6B21-60F2-4207-AFAF-CDA6B2

Adware.Spyware Labs
C:\PROGRAM FILES\MICROSOFT ANTISPYWARE\QUARANTINE\7D750A65-F96E-45F6-A192-3F1DA3\B3A4AF86-3FA1-49E5-A119-2E88C5

-----------------------------------------

This post has been edited by sandihudson: Aug 30 2007, 01:10 AM

Aug 30 2007, 04:04 PM
Post #2
Trusted Helper, Posts: 1,991, OS: Windows XP

Hi sandihudson,

Welcome to Geeks to Go! Sorry for the delay, but as you can see things are rather busy around here. My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

----------------------------------------------------------------

Please download Deckard's System Scanner (DSS) to your Desktop.

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

----------------------------------------------------------------

Information to include in your next post:

Aug 30 2007, 04:34 PM
Post #3
New Member, Posts: 3, OS: xp pro

Stamper19,
Thank you so much for taking on this task! It's only been a few hours since I posted and your response was actually much faster than I had expected. What great service! Below are the log files from DSS: Deckard's System Scanner v20070826.66 Run by Sandi on 2007-08-30 15:21:46 Computer is in Normal Mode.-------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 4 Restore Point(s) -- 4: 2007-08-30 22:21:57 UTC - RP1126 - Deckard's System Scanner Restore Point 3: 2007-08-30 05:26:09 UTC - RP1125 - Software Distribution Service 3.0 2: 2007-08-29 17:34:27 UTC - RP1124 - Installed SUPERAntiSpyware Free Edition 1: 2007-08-29 07:06:10 UTC - RP1123 - 8292007 1205am Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Sandi.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 03:24:16 PM, on 8/30/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\explorer.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\hp\HP Software Update\HPWuSchd.exe C:\Program 
Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe C:\Documents and Settings\Sandi\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Sandi.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hudsonbusiness.net/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.roboform.net/dist/AiRoboForm.exe F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: 
[HP Software Update] "C:\Program Files\hp\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\imaging\PrintScreen\PrintScreen.exe /nosplash O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: AutorunsDisabled O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: AutorunsDisabled O8 - Extra context menu item: &2 Customize Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html O8 - Extra context menu item: &7 Fill Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html O8 - Extra context menu item: &8 Save Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm O8 - Extra context menu item: Post To &Nucleus (RV Sisters) - http://rvsisters.com/talk/nucleus/bookmark...de&blogid=1 O9 - Extra button: (no name) - AutorunsDisabled - (no file) O9 - Extra button: (no name) - 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O15 - Trusted Zone: *.stumbleupon.com O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - 
http://www.linkedin.com/cab/LinkedInContactFinderControl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143337220171 O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...oke/Coupons.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\armhelper.ocx O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?326 O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12 O17 - HKLM\System\CS1\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12 O17 - HKLM\System\CS2\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. 
- C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe -- End of file - 10474 bytes -- File Associations ----------------------------------------------------------- .txt - txtfile - DefaultIcon - C:\Utilities\EditPad.exe,0 .txt - txtfile - shell\open\command - C:\Utilities\EditPad.exe "%1" -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver> R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware> S4 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318} Description: PS/2 Compatible Mouse Device ID: ACPI\PNP0F13\4&369939D9&0 Manufacturer: Microsoft Name: PS/2 Compatible Mouse PNP Device ID: ACPI\PNP0F13\4&369939D9&0 Service: i8042prt Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Trend Micro Common Firewall Miniport Device ID: ROOT\TM_CFWMP 01 Manufacturer: Trend Micro Name: WAN Miniport (IP) - Trend Micro Common Firewall Miniport PNP Device ID: ROOT\TM_CFWMP 01 Service: tmcfw -- Scheduled Tasks ------------------------------------------------------------- 2007-08-30 07:05:00 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job -- Files created between 2007-07-30 and 
2007-08-30 -----------------------------
2007-08-29 22:36:42 0 d-------- C:\Documents and Settings\Sandi\Application Data\Uniblue
2007-08-29 22:28:18 0 d-------- C:\Program Files\Uniblue
2007-08-29 20:56:22 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-29 10:35:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-29 10:34:34 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-08-29 10:34:34 0 d-------- C:\Documents and Settings\Sandi\Application Data\SUPERAntiSpyware.com
2007-08-29 10:30:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-29 00:45:06 0 d-------- C:\Documents and Settings\Sandi\Application Data\Grisoft
2007-08-28 19:17:07 0 dr-h----- C:\$VAULT$.AVG
2007-08-28 18:57:39 0 d-------- C:\Documents and Settings\Sandi\Application Data\AVG7
2007-08-28 18:56:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-28 18:56:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-28 18:56:26 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-08-28 17:50:05 0 d-------- C:\Webshots Data
2007-08-28 17:35:43 0 d-------- C:\!KillBox
2007-08-28 10:30:20 0 d-------- C:\Documents and Settings\Sandi\.housecall6.6
2007-08-28 00:20:12 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-08-26 21:09:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-08-23 21:22:36 0 d-------- C:\Program Files\Travelogue 360 - Rome
2007-08-23 21:22:36 0 d-------- C:\Documents and Settings\Sandi\Application Data\SpinTop
2007-08-23 21:02:03 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-08-23 21:02:02 0 d-------- C:\Program Files\bfgclient
2007-08-12 15:46:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-08-10 13:57:42 0 d-------- C:\Documents and Settings\Sandi\Application Data\LinkedIn
2007-08-01 23:39:18 0 d-------- C:\Documents and Settings\Sandi\Application Data\Big Fish Games

-- Find3M Report ---------------------------------------------------------------
2007-08-30 15:21:43 0 d-------- C:\Documents and Settings\Sandi\Application Data\MailWasherPro
2007-08-29 10:30:54 0 d-------- C:\Program Files\Common Files
2007-08-28 18:40:50 25214 --a------ C:\Program Files\A.ico
2007-08-28 18:40:49 25214 --a------ C:\Program Files\B.ico
2007-08-28 10:52:54 0 d-------- C:\Program Files\Oberon Media
2007-08-28 10:23:46 0 d-------- C:\Program Files\Trend Micro
2007-08-20 02:12:14 0 d-------- C:\Program Files\Lavasoft
2007-08-20 02:12:11 0 d-------- C:\Documents and Settings\Sandi\Application Data\Lavasoft
2007-08-11 11:48:48 0 d-------- C:\Program Files\iWin.com
2007-07-10 15:24:37 29134 --a------ C:\WINDOWS\hpoins03.dat
2007-07-09 22:06:15 0 d-------- C:\Documents and Settings\Sandi\Application Data\Pogo Games
2007-07-06 14:51:11 0 d-------- C:\Program Files\eFax Messenger 4.3
2007-07-06 14:51:08 0 d-------- C:\Documents and Settings\Sandi\Application Data\eFax Messenger
2007-07-06 14:51:03 0 --a------ C:\WINDOWS\system32\eFax_4_3_Port
2007-06-17 23:36:34 26 --a------ C:\WINDOWS\popcinfo.dat
2007-06-11 23:37:54 23104 --a------ C:\WINDOWS\system32\svcprmpt.dll
2007-06-11 23:37:54 30976 --a------ C:\WINDOWS\rascntrl.dll
2007-06-08 14:06:27 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/02/2004 07:19 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [01/22/2007 11:26 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 02:03 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [02/25/2004 11:17 PM]
"HP Software Update"="C:\Program Files\hp\HP Software Update\HPWuSchd.exe" [08/04/2003 05:28 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 08:38 AM]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [05/08/2003 05:34 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/28/2007 06:56 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadwin PrintScreen 3.5"="C:\imaging\PrintScreen\PrintScreen.exe" [07/08/2006 01:57 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\Sandi\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [11/12/2004 09:16:01 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mysql"=2 (0x2)
"FileZilla Server"=2 (0x2)
"Apache2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"secure"=C:\WINDOWS\system32\Tunjsn.exe
"ijrbbpd"=C:\WINDOWS\ptcore.exe
"version"=C:\WINDOWS\system32\Wjmyhq.exe
"WinampAgent"="C:\Music\Winamp\Winampa.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
"srmclean"=C:\Cpqs\Scom\srmclean.exe
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"SetRefresh"=C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Limeshop0"="C:\Program Files\Lime_Shop\Limeshop0.exe"
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe

-- End of Deckard's System Scanner: finished at 2007-08-30 15:25:02 ------------

-------------------------------------------
Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 1015.48 MiB / 460.07 MiB
Pagefile Memory (total/avail): 2446.73 MiB / 1983.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1971.11 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 35.43 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

-- Security Center -------------------------------------------------------------
AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.)
AV: AVG 7.5.484 v7.5.484 (GRISOFT)
AV: Trend Micro PC-cillin Internet Security 2007 v15.30.1151 (Trend Micro, Inc.) Outdated

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Personal\\Games\\Jewel Quest\\JewelQuest.exe"="C:\\Personal\\Games\\Jewel Quest\\JewelQuest.exe:*:Enabled:JewelQuest"
"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\imaging\\Macromedia\\Fireworks MX\\Fireworks.exe"="C:\\imaging\\Macromedia\\Fireworks MX\\Fireworks.exe:*:Enabled:Fireworks MX"
"C:\\Utilities\\WS_FTP\\WS_FTP95.exe"="C:\\Utilities\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\\Documents and Settings\\Sandi\\Local Settings\\Temp\\Temporary Directory 1 for IPNetAuthorize.zip\\IPNetAuthorize.exe"="C:\\Documents and Settings\\Sandi\\Local Settings\\Temp\\Temporary Directory 1 for IPNetAuthorize.zip\\IPNetAuthorize.exe:*:Enabled:IPNetAuthorize"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sandi\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WEBDIVA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sandi
LOGONSERVER=\\WEBDIVA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Support Tools\;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sandi\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sandi\LOCALS~1\Temp
USERDOMAIN=WEBDIVA
USERNAME=Sandi
USERPROFILE=C:\Documents and Settings\Sandi
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
Sandi (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
123 Password Recovery --> C:\Utilities\123 Password Recovery\uninstal.exe
ACDSee Classic --> C:\imaging\ACDSee32\UNWISE.EXE C:\imaging\ACDSee32\INSTALL.LOG
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Illustrator 8.0 --> C:\WINDOWS\UNINST.EXE -f"c:\imaging\Adobe\Illustrator 8.0\DeIsL1.isu" -c"c:\imaging\Adobe\Illustrator 8.0\Uninst.dll"
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\imaging\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\imaging\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AI RoboForm --> C:\Program Files\Siber Systems\AI RoboForm\uninstal.exe
Any Password 1.31 --> "C:\Program Files\Any Password\unins000.exe"
Asterisk Key --> C:\Program Files\Passware\ariuinst.exe
Avalanche (remove only) --> "C:\Program Files\ImaginEngine\Avalanche\uninstall.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Beyond Compare Version 2.3.1 --> "C:\Program Files\Beyond Compare 2\unins000.exe"
Big City Adventure San Francisco (remove only) --> "C:\Program Files\iWin.com\Big City Adventure San Francisco\Uninstall.exe"
Big Fish Games Client --> C:\Program Files\bfgclient\Uninstall.exe
Broadcom Management Programs --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{750DFF5E-C559-11D4-A441-00B0D0436EE7}\Setup.exe"
Chuzzle --> "C:\Program Files\Oberon Media\Chuzzle\Uninstall.exe" "C:\Program Files\Oberon Media\Chuzzle\install.log"
Club Pogo Badge Screen Saver #1 --> C:\WINDOWS\Club Pogo Badge Screen Saver #1.scr /u
CuteFTP 6 Professional --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AB18B0BA-A08F-48B8-8D0E-AA9DDDCA22EA}
Death on the Nile (remove only) --> "C:\Program Files\iWin.com\Death on the Nile\Uninstall.exe"
DllSweeper 2.0 (remove only) --> "C:\Utilities\DllSweeper\uninstall.exe"
Documents To Go --> MsiExec.exe /X{194B2FE0-2B17-4DF2-A532-213FDFC87FB9}
eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exe
Eye Candy 4000 --> C:\imaging\Adobe\PHOTOS~1.0\Plug-Ins\EYECAN~1\UNWISE.EXE C:\imaging\Adobe\PHOTOS~1.0\Plug-Ins\EYECAN~1\INSTALL.LOG
Family Tree Maker 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B136E4A4-7660-4F15-9752-EF8E6BA7866D}\setup.exe" -l0x9
Gadwin PrintScreen --> C:\imaging\PrintScreen\Uninstall.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hidden Expedition Titanic (remove only) --> "C:\Program Files\iWin.com\Hidden Expedition Titanic\Uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone 3.5 --> C:\Program Files\hp\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
hp LaserJet-all-in-one --> C:\Program Files\hp\Digital Imaging\{1B4B2D13-BA87-4c7c-8B67-0EE7CE698415}\setup\hpzscr01.exe -datfile hpbscr01.dat
HP Precisionscan Pro 3.1 --> MsiExec.exe /I{6B36DEBF-27D0-4B1E-858D-D397091C6C7D}
HP PSC & OfficeJet 3.5 --> "C:\Program Files\hp\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\hp\Digital Imaging\{18E0918E-1060-48f3-925C-56C82E88551B}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
iWin Games (remove only) --> "C:\Program Files\iWin Games\Uninstall.exe"
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Jewel Quest (remove only) --> "C:\Personal\Games\Jewel Quest\Uninstall.exe"
LaserAIO --> MsiExec.exe /I{DD23CAA4-8872-4B95-B263-EA46FD82CF19}
Legacy 5.0 --> C:\Personal\Legacy\UNWISE.EXE /U C:\Personal\Legacy\Install.log
LimeWire --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06EE3071-6551-422D-8D5F-9D1816070C47}
LimeWire 4.8.1 --> "C:\Program Files\LimeWire\uninstall.exe"
Little Shop of Treasures (remove only) --> "C:\Program Files\iWin.com\Little Shop of Treasures\Uninstall.exe"
Macromedia Dreamweaver 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\Setup.exe" mmUninstall
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Magic Match --> "C:\Program Files\Oberon Media\Magic Match\Uninstall.exe" "C:\Program Files\Oberon Media\Magic Match\install.log"
MailWasher Pro --> "C:\Program Files\FireTrust\MailWasher Pro\unins000.exe"
MH Cursed Valley --> "C:\Program Files\Oberon Media\MH Cursed Valley\Uninstall.exe" "C:\Program Files\Oberon Media\MH Cursed Valley\install.log"
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (1.5.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.4 (en-US)"
Mystery Case Files Huntsville (remove only) --> "C:\Program Files\iWin.com\Mystery Case Files Huntsville\Uninstall.exe"
Mystery Case Files Prime Suspect (remove only) --> "C:\Program Files\iWin.com\Mystery Case Files Prime Suspect\Uninstall.exe"
Mysteryville (remove only) --> "C:\Program Files\Games\Mysteryville\Uninstall.exe"
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
Palm Desktop --> MsiExec.exe /X{B1D78321-7AB1-45A7-A084-885AF75B8F3D}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Software Setup --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\COMPAQ\Software Setup\Uninst.isu" -c"C:\Program Files\COMPAQ\Software Setup\CPQUNST.DLL"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Poppit! Show --> "C:\Program Files\Oberon Media\The Poppit! Show\Uninstall.exe" "C:\Program Files\Oberon Media\The Poppit! Show\install.log"
Travelogue 360 - Rome --> C:\Program Files\Travelogue 360 - Rome\uninstall.exe
Treasure Island --> "C:\Program Files\Oberon Media\Treasure Island\Uninstall.exe" "C:\Program Files\Oberon Media\Treasure Island\install.log"
Trend Micro PC-cillin Internet Security 2007 --> C:\Program Files\Trend Micro\Internet Security 2007\remove.exe
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Visio Standard --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Visio\System\DeIsL1.isu" -cC:\PROGRA~1\Visio\System\ExSetup.DLL
WebPosition Gold UPDATE --> C:\WebDev\WEBPOS~1\UNWISE.EXE C:\WebDev\WEBPOS~1\install2.log
Webshots Desktop --> "C:\Program Files\Webshots\unins000.exe"
Winamp (remove only) --> "C:\Music\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Connect --> msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect --> MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Support Tools --> MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Words v2.0 --> C:\Fun\Words\unins000.exe
Xenofex 1.0 --> C:\imaging\Adobe\PHOTOS~1.0\Plug-Ins\UNWISE.EXE C:\imaging\Adobe\PHOTOS~1.0\Plug-Ins\INSTALL.LOG
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zuma Deluxe 1.0 --> C:\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Zuma Deluxe\Install.log"

-- Application Event Log -------------------------------------------------------
Event Record #/Type8883 / Warning
Event Submitted/Written: 08/29/2007 10:43:31 PM
Event ID/Source: 1524 / Userenv
Event Description: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type8878 / Warning
Event Submitted/Written: 08/29/2007 08:28:13 PM
Event ID/Source: 1524 / Userenv
Event Description: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type8872 / Warning
Event Submitted/Written: 08/29/2007 01:24:38 AM
Event ID/Source: 1524 / Userenv
Event Description: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type8870 / Error
Event Submitted/Written: 08/29/2007 00:44:58 AM
Event ID/Source: 8 / crypt32
Event Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type8869 / Error
Event Submitted/Written: 08/29/2007 00:01:56 AM
Event ID/Source: 1002 / Application Hang
Event Description: Hanging application KillBox.exe, version 2.0.0.881, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type17339 / Warning
Event Submitted/Written: 08/30/2007 03:24:31 PM
Event ID/Source: 3004 / WinDefend
Event Description: %WEBDIVA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %WEBDIVA27 can't undo changes that you allow. For more information please see the following: %WEBDIVA275
Scan ID: {E0DB038D-5021-44D0-BF37-FE8889F2AF82}
User: WEBDIVA\Sandi
Name: %WEBDIVA271
ID: %WEBDIVA272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %WEBDIVA276
Alert Type: %WEBDIVA278
Detection Type: 1.1.1593.02

Event Record #/Type17338 / Warning
Event Submitted/Written: 08/30/2007 03:24:28 PM
Event ID/Source: 3004 / WinDefend
Event Description: %WEBDIVA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %WEBDIVA27 can't undo changes that you allow. For more information please see the following: %WEBDIVA275
Scan ID: {C59C562E-7664-4CAF-8EFD-A8DB77FABDBA}
User: WEBDIVA\Sandi
Name: %WEBDIVA271
ID: %WEBDIVA272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %WEBDIVA276
Alert Type: %WEBDIVA278
Detection Type: 1.1.1593.02

Event Record #/Type17337 / Warning
Event Submitted/Written: 08/30/2007 03:24:28 PM
Event ID/Source: 3004 / WinDefend
Event Description: %WEBDIVA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %WEBDIVA27 can't undo changes that you allow. For more information please see the following: %WEBDIVA275
Scan ID: {76711A1B-816D-4A29-9A1D-6A643A16C0FB}
User: WEBDIVA\Sandi
Name: %WEBDIVA271
ID: %WEBDIVA272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %WEBDIVA276
Alert Type: %WEBDIVA278
Detection Type: 1.1.1593.02

Event Record #/Type17336 / Warning
Event Submitted/Written: 08/30/2007 03:24:28 PM
Event ID/Source: 3004 / WinDefend
Event Description: %WEBDIVA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %WEBDIVA27 can't undo changes that you allow. For more information please see the following: %WEBDIVA275
Scan ID: {E4317A15-588C-4A81-8574-4012607684AC}
User: WEBDIVA\Sandi
Name: %WEBDIVA271
ID: %WEBDIVA272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %WEBDIVA276
Alert Type: %WEBDIVA278
Detection Type: 1.1.1593.02

Event Record #/Type17335 / Warning
Event Submitted/Written: 08/30/2007 03:24:28 PM
Event ID/Source: 3004 / WinDefend
Event Description: %WEBDIVA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %WEBDIVA27 can't undo changes that you allow. For more information please see the following: %WEBDIVA275
Scan ID: {4F2FB602-634E-443D-8DE6-E28B3E2909F4}
User: WEBDIVA\Sandi
Name: %WEBDIVA271
ID: %WEBDIVA272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %WEBDIVA276
Alert Type: %WEBDIVA278
Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2007-08-30 15:25:02 ------------
Aug 30 2007, 07:30 PM
Post
#4
Trusted Helper Posts: 1,991 OS: Windows XP
Hi sandihudson,
We have quite a few things to deal with, so let's get to work. You should print out, or save these instructions to a notepad file, as you will not be able to access this thread when in Safe Mode.

----------------------------------------------------------------

First things first:

You have both AVG Antivirus and PC-cillin AntiVirus installed on your PC. Running two or more anti-virus programs in real time can cause conflicts resulting in less, not more, protection. This can also cause drastic system slow-downs, which is a symptom you describe. Unless you have, or can, configure one to work only "on-demand", you will need to choose your favorite and uninstall the other. If you keep PC-cillin then be sure to update it, as it is currently out of date.

----------------------------------------------------------------

Please submit the following files for analysis.

Jotti File Submission:

Please note that if you are submitting more than one file they will have to be entered one at a time.

----------------------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...oke/Coupons.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Reboot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

----------------------------------------------------------------

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

LimeWire <<Optional - see below
LimeWire 4.8.1 <<Optional - see below

Optionals: Although LimeWire is not malware itself, the files downloaded with it are often a major source of infection, and it is likely the source of your current ailments. Hence, I strongly advise that it be removed. The choice to do so is yours, but keeping it will greatly increase your likelihood of being infected again in the future.

Please note any other programs that you don't recognize in that list in your next response.

----------------------------------------------------------------

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these FOLDERS (if present):

C:\Program Files\LimeWire <<If removed in previous step

Reboot into Normal Mode.

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

Scan Mail Bases

----------------------------------------------------------------

Information to include in your next post:
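Reading a HijackThis log by eye, as the helper does above, comes down to a handful of recurring checks: an O16 DPF entry with no control name, a service whose binary is reported missing, the O17 NameServer values, and autostarts whose executable sits straight in C:\WINDOWS or system32 (the kind of entry the DSS "run-" dump showed for Tunjsn.exe). The script below is an added example and is not part of this thread or of HijackThis itself; the heuristics are mine, the sample lines are constructed from entries posted in this thread, and treating 206.13.28.12 and 206.13.31.12 as the expected resolvers is an assumption.

```python
"""Triage helper for HijackThis (v2.0.x) log lines.

Each entry has the shape "<Oxx> - <body>", e.g. "O16 - DPF: {GUID} (name) - URL".
The checks below produce a review list with a reason per entry; none is a verdict.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# "O16 - DPF: ..." -> kind "O16", body "DPF: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O16 body: "DPF: {GUID} (name) - URL"; the "(name)" part is optional.
O16_RE = re.compile(
    r"^DPF: \{(?P<guid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)"
)
O17_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)")
# O4 body: "<hive>\..\Run: [Label] command"  ("Startup:" entries carry no [Label])
O4_RE = re.compile(r"\[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# First quoted or bare token of a command line that names an .exe
EXE_RE = re.compile(r'"([^"]+?\.exe)"|(\S+?\.exe)(?=\s|$)', re.IGNORECASE)

# Autostarts whose executable sits directly here (not in a subfolder) get a
# second look; legitimate ones exist, which is why the output is a review list.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse_entries(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (kind, body) per entry line; the header and process list are skipped."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def exe_parent_dir(cmd: str) -> Optional[str]:
    """Lower-cased directory of the first .exe path in a command line, if any."""
    m = EXE_RE.search(cmd)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else None


def triage(lines: Iterable[str], expected_dns: Iterable[str] = ()) -> List[Finding]:
    expected = set(expected_dns)
    findings: List[Finding] = []
    for kind, body in parse_entries(lines):
        line = f"{kind} - {body}"
        if kind == "O16":
            m = O16_RE.match(body)
            if m and not m.group("name"):
                findings.append(Finding(kind, "DPF control without a display name", line))
        elif kind == "O17":
            m = O17_RE.search(body)
            if m:
                odd = [s for s in m.group("servers").split(",") if s not in expected]
                if odd:
                    findings.append(Finding(kind, "NameServer not in expected set: " + ",".join(odd), line))
        elif kind == "O23" and "(file missing)" in body:
            findings.append(Finding(kind, "service binary reported missing", line))
        elif kind == "O4":
            m = O4_RE.search(body)
            if m and exe_parent_dir(m.group("cmd")) in WINDOWS_DIRS:
                findings.append(Finding(kind, "autostart executable directly in the Windows directory", line))
    return findings


# Constructed sample: entries copied from the logs in this thread, plus one O4
# line built from the Tunjsn.exe "run-" value in the DSS registry dump.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Tunjsn.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...oke/Coupons.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe (file missing)
"""


def triage_sample() -> List[Finding]:
    # Assumption: the two resolvers in the thread's log are the ISP's own.
    return triage(SAMPLE_LOG.splitlines(), expected_dns=["206.13.28.12", "206.13.31.12"])


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```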
Aug 31 2007, 04:04 PM
Post
#5
New Member Posts: 3 OS: xp pro
Stamper19,
Wow, you were right about plenty to do! Happy to oblige. Here's the latest go-round of completed tasks....

Antivirus Programs
Uninstalled PC-Cillin since I don't think it ever worked anyway; it wouldn't let me open the control panel once I upgraded from an older version. AVG is now the only anti-virus going.

----------------------------

Jotti's Malware Scan
A note here that may have affected this scan... When I visited this site it kept resetting a timer for 30 seconds as they were very busy. In the meantime I jumped ahead to the next tasks in line. Eventually the Jotti service freed up but then I couldn't find any of the files you listed. Could this be due to my uninstalling LimeWire and LimeShop? I apologize for not taking the tasks in order; I didn't realize it might make a difference.

C:\WINDOWS\system32\Tunjsn.exe
There was no file by this name, although there are files named Tunjsndk.xml, Tunjsnk1.xml, Tunjsnk2.xml, Tunjsnk.xml, Tunjsnu1.xml, Tunjsnu2.xml, Tunjsnu3.xml, and Tunjsnu.xml.

C:\WINDOWS\ptcore.exe
There was also no file by this name or anything similar.

C:\WINDOWS\system32\Wjmyhq.exe
There was also no file by this name or anything similar.

C:\Program Files\Lime_Shop\Limeshop0.exe
There is no Lime_Shop folder or anything similar.
-------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:33 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\hp\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hudsonbusiness.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.roboform.net/dist/AiRoboForm.exe
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\hp\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\imaging\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &2 Customize Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O8 - Extra context menu item: Post To &Nucleus (RV Sisters) - http://rvsisters.com/talk/nucleus/bookmark...de&blogid=1
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143337220171
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...oke/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Travelogue 360 - Rome\Images\armhelper.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe (file missing)

--
End of file - 9617 bytes

---------------------------------------

Rebooted in Safe Mode and uninstalled LimeWire and LimeShop. I'm not sure how long these programs have been on my computer or how they got there; I've never used either and they don't look familiar. Deleted the LimeWire folder as well. Rebooted to Normal mode.

---------------------------------

Kaspersky Webscanner Log
See attached file. When I attempted to paste the report here, my reply wouldn't post. It was rather long. A lot of these infections seem to be in backups for various customers and any of those files can be (and should be anyway) deleted.

------------------------------------

There you go Stamper19! Again, thanks for all your help and patience!
This post has been edited by sandihudson: Aug 31 2007, 04:22 PM
Aug 31 2007, 04:41 PM
Post #6
Trusted Helper Posts: 1,991 OS: Windows XP
Hi sandihudson,
Good work getting through all that. I'm not surprised that most of those upload files weren't there, so no worries. Things look pretty good here actually. All of the Kaspersky hits are in those backup files. I recommend you clear them out. I did notice that the one HiJack This entry we wanted to fix is still there. Bit odd as I've never seen an entry of that type fail to go away when fixed, but let's try it again.

----------------------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...oke/Coupons.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

----------------------------------------------------------------

How are things running at this point? Also, please post a fresh HiJack This log.
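As an added triage example (not code from this thread, from HijackThis, or from the helper), the script below parses HijackThis-style entry lines like the ones in the posted log and flags the kinds of entries a helper looks at first: an O16 DPF control with no registered name (the Coupons.cab entry above), an O23 service whose binary is missing, and the O17 NameServer values to check against the ISP's resolvers. The sample log is constructed from a few entries in the posted log; the regexes and function names are this example's own assumptions about the format.

```python
import re

# Constructed sample: a handful of entries in the format of the HijackThis
# log posted earlier in this thread (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...oke/Coupons.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F5A33CB-7125-4ECF-8247-13A5D50517A4}: NameServer = 206.13.28.12,206.13.31.12
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O<n> - <body>": every HijackThis entry starts with its section code.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O16 body: "DPF: {CLSID} (optional friendly name) - <source URL>".
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")

def parse_entries(text):
    """Return (section, body) pairs, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(text):
    """Return (kind, key, detail) tuples for entries worth a second look:
    unnamed-activex (CLSID, URL), orphan-service (name, body),
    dns-servers (interface key, [ip, ...])."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O16":
            m = DPF_RE.match(body)
            if m and not m.group(2):  # no friendly name registered
                findings.append(("unnamed-activex", m.group(1), m.group(3)))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(("orphan-service", body.split(" - ")[0], body))
        elif section == "O17" and "NameServer = " in body:
            key, _, servers = body.partition(": NameServer = ")
            findings.append(("dns-servers", key, servers.split(",")))
    return findings

if __name__ == "__main__":
    for kind, key, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {key} -> {detail}")
```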
Sep 17 2007, 08:27 PM
Post #7
Trusted Helper Posts: 1,991 OS: Windows XP
Due to lack of feedback, this topic has been closed.
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
© Geeks to Go, Inc. All Rights Reserved.