infected with virtumonde please help! [CLOSED]

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

2 Pages

1 2 >

infected with virtumonde please help! [CLOSED]

Options

zippo69 View Member Profile	Nov 16 2007, 05:57 PM Post #1
Member Posts: 10 OS: xp	Hi, i keep running spybot s&d and it catches vitumonde and virtumonde.rtk. it removes them ok but it still comes back and im keep getting pop ups and my laptop is still really slow. please help! i ran hijackthis 1.99.1 and got this: Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\WLTRAY.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Impulse\PolicyKey.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\iPod\bin\iPodService.exe c:\program files\mcafee\msc\mcuimgr.exe C:\Program Files\Mozilla Firefox\firefox.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Travis\LOCALS~1\Temp\Rar$EX00.281\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://130.218.108.4/sre/Downloads/ICSScanner.cab O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://patch.gcsu.edu/webinst.cab O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE This post has been edited by zippo69: Nov 16 2007, 10:53 PM

greyknight17 View Member Profile	Nov 17 2007, 04:38 PM Post #2
Malware Expert Posts: 16,486 From: New York OS: Windows 98, XP, Vista, Mac OS X	Please include the entire HijackThis log next time (you missed the header information ). Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below. Download VundoFix at http://www.atribune.org/ccount/click.php?id=4 and save it to your desktop. - Double-click VundoFix.exe to run it. - Click the Scan for Vundo button. - Once it's done scanning, click the Remove Vundo button. - You will receive a prompt asking if you want to remove the files. Click Yes. - Once you click yes, your desktop will go blank as it starts removing Vundo. - When completed, it will prompt that it will reboot your computer. Click OK. - Post the contents of C:\vundofix.txt here. NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears upon rebooting. Post a new HijackThis log here.

greyknight17 View Member Profile	Nov 19 2007, 07:21 PM Post #4
Malware Expert Posts: 16,486 From: New York OS: Windows 98, XP, Vista, Mac OS X	1. Download combofix at http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe 2. Double-click combofix.exe & follow the prompts. 3. When finished, it will produce a log for you. Post that log in your next reply. Note: Do not click on combofix's window while it's running. That may cause it to stall.

zippo69 View Member Profile	Nov 19 2007, 11:09 PM Post #5
Member Posts: 10 OS: xp	It says that this version of combofix has expired please download an updated version.

greyknight17 View Member Profile	Nov 20 2007, 10:34 PM Post #6
Malware Expert Posts: 16,486 From: New York OS: Windows 98, XP, Vista, Mac OS X	Sorry about that. The program was put on stop since yesterday or so....we'll need to use an alternative for now. Download Deckard's System Scanner at http://deckard.geekstogo.com/dss.exe to your Desktop. - Close all applications and windows. - Double-click on DSS.exe to run it, and follow the prompts. - The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. In this case, it may be better to temporary disable your Antivirus. Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

zippo69

Nov 20 2007, 10:51 PM

Post #7

Member

Posts: 10
OS: xp

main:

Deckard's System Scanner v20071014.68
Run by Travis on 2007-11-20 23:37:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x000003F8

-- Last 5 Restore Point(s) --
100: 2007-11-21 04:37:44 UTC - RP500 - Deckard's System Scanner Restore Point
99: 2007-11-20 20:58:05 UTC - RP499 - System Checkpoint
98: 2007-11-19 19:51:07 UTC - RP498 - System Checkpoint
97: 2007-11-18 19:03:01 UTC - RP497 - System Checkpoint
96: 2007-11-17 18:17:59 UTC - RP496 - System Checkpoint

-- First Restore Point --
1: 2007-11-15 16:20:45 UTC - RP401 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Travis.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:52 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Impulse\PolicyKey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Travis\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Travis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {467A2176-8EB1-4665-9D6F-4B1CC8B84E26} - C:\WINDOWS\system32\ddayw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E20DCAC-AB41-4D4B-9E49-E7776ED7835D} - C:\WINDOWS\system32\ddcca.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://130.218.108.4/sre/Downloads/ICSScanner.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://patch.gcsu.edu/webinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9869 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - "c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .js1
.vbs - VBSFile - shell\open\command - "c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .vb1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 atitray - c:\program files\radeon omega drivers\v3.8.330\ati tray tools\atitray.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R3 Appdrv - c:\program files\dell\nicconfigsvc\appdrv.sys <Not Verified; Dell Inc; Application Driver>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-11-15 13:21:09 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-11-01 07:11:09 354 --a------ C:\WINDOWS\Tasks\McQcTask.job
2007-05-07 19:33:06 352 --a------ C:\WINDOWS\Tasks\McDefragTask.job

-- Files created between 2007-10-20 and 2007-11-20 -----------------------------

2007-11-20 23:46:32 0 d-------- C:\Program Files\Trend Micro
2007-11-19 16:18:40 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-11-19 12:31:24 85056 --a------ C:\WINDOWS\system32\ohtpttkv.dll
2007-11-19 11:28:15 85056 -----n--- C:\WINDOWS\system32\jfolawxa.dll
2007-11-19 00:19:19 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-11-18 11:08:13 85056 --a------ C:\WINDOWS\system32\yalpratp.dll
2007-11-16 11:10:37 85056 --a------ C:\WINDOWS\system32\aayttotq.dll
2007-11-16 11:03:26 440671 ---hs---- C:\WINDOWS\system32\wyadd.bak2
2007-11-15 11:21:52 7977 ---hs---- C:\WINDOWS\system32\wyadd.bak1
2007-11-15 11:20:29 321632 --a------ C:\WINDOWS\system32\ddayw.dll
2007-11-15 11:15:13 0 d-------- C:\WINDOWS\system32\rMa02yy
2007-11-08 08:22:36 0 d-------- C:\Program Files\iPod
2007-11-08 08:22:23 0 d-------- C:\Program Files\iTunes
2007-11-01 12:14:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe

-- Find3M Report ---------------------------------------------------------------

2007-11-19 12:06:49 0 d-------- C:\Program Files\Steam
2007-11-15 14:06:59 0 d-------- C:\Documents and Settings\Travis\Application Data\Azureus
2007-11-08 08:20:40 0 d-------- C:\Program Files\QuickTime
2007-11-03 09:39:05 0 d-------- C:\Program Files\Call of Duty Game of the Year Edition
2007-11-01 12:15:33 0 d-------- C:\Documents and Settings\Travis\Application Data\AdobeUM
2007-10-22 06:49:04 0 d-------- C:\Program Files\HP
2007-10-22 06:48:53 0 d-------- C:\Program Files\Hewlett-Packard
2007-10-12 15:18:56 0 d-------- C:\Program Files\Picasa2
2007-10-10 14:46:46 0 d-------- C:\Program Files\McAfee
2007-10-08 19:08:10 0 d-------- C:\Program Files\Enjoyment of Music 10
2007-10-08 18:16:45 0 d-------- C:\Program Files\Azureus
2007-10-05 07:15:17 0 d-------- C:\Program Files\DivX
2007-10-05 06:28:13 0 d-------- C:\Documents and Settings\Travis\Application Data\ATI
2007-09-18 18:46:14 102148 --a------ C:\WINDOWS\hpgins15.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467A2176-8EB1-4665-9D6F-4B1CC8B84E26}]
11/15/2007 11:20 AM 321632 --a------ C:\WINDOWS\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E20DCAC-AB41-4D4B-9E49-E7776ED7835D}]
C:\WINDOWS\system32\ddcca.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 02:01 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 03:08 PM]
"SigmatelSysTrayApp"="stsystra.exe" [11/16/2005 09:35 PM C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/29/2005 06:56 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 03:30 PM]
"AtiPTA"="atiptaxx.exe" [02/21/2006 08:05 PM C:\WINDOWS\system32\atiptaxx.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/04/2005 11:42 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 05:48 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 03:30 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/08/2007 03:24 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" []
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 3:44:06 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 6:56:20 AM]
PolicyKey.lnk - C:\Program Files\Impulse\PolicyKey.exe [10/4/2005 12:53:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccPwdSvc"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - DUMP_WMIMMC
*Newly Created Service* - PNKBSTRK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A180082E-03A0-51F2-991F-61A6A84A6BE1}]
C:\WINDOWS\system32\win32Gi\svchost.exe s

-- End of Deckard's System Scanner: finished at 2007-11-20 23:47:40 ------------

extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2400 @ 1.83GHz
CPU 1: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1022.37 MiB / 578.51 MiB
Pagefile Memory (total/avail): 2459.26 MiB / 1991.64 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1889.91 MiB

C: is Fixed (NTFS) - 68.42 GiB total, 10.98 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2080BH - 73.13 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 68.42 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: McAfee VirusScan v (McAfee)
AV: Symantec AntiVirus Corporate Edition v10.0.2.2000 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Steam\\SteamApps\\guitar10\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\guitar10\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\SteamApps\\guitar10\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\guitar10\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\SteamApps\\guitar10\\day of defeat\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\guitar10\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"="C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe:*:Enabled:CoDUOMP"
"C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"="C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Program Files\\KumaWar\\KumaWar.exe"="C:\\Program Files\\KumaWar\\KumaWar.exe:*:Enabled:KumaWar"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Steam\\SteamApps\\guitar10\\the ship\\ship.exe"="C:\\Program Files\\Steam\\SteamApps\\guitar10\\the ship\\ship.exe:*:Enabled:ship"
"C:\\Program Files\\Steam\\SteamApps\\guitar10\\team fortress classic\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\guitar10\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\SteamApps\\guitar10\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\SteamApp