Geeks to Go Forums: WinAntiVirus 2007 (winavx.exe?) [RESOLVED] - Geeks to Go Forums

Jump to content

i Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or start a new topic of your own. Joining allows you to enjoy all this forum has to offer. Learn more in our Welcome Guide. What are you waiting for? Click here to join for free today!
  • (2 Pages)
  • +
  • 1
  • 2

WinAntiVirus 2007 (winavx.exe?) [RESOLVED] Constant pop-ups, locked control panel

#1 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 07 August 2007 - 04:27 AM

Hi everyone,

I registered to post this problem because I'm at my wit's end. From what I've researched, this malware (winavx.exe, I believe) is relatively new. I came home about 3 hours ago and turned on my computer and there's a yellow triangle with an exclamation point in my tray and if I happen to run the mouse over it, it'll tell me my computer is infected (which I think it indeed is). I tried to right click it to find out more information, but that would just result in many windows opening at the same time with a prompt at each window. Also, a Windows Security Alert prompt pops up randomly and asks me to download spyware remover. I try going to my Control Panel, except when I click Start, go to Settings, Control Panel is not there. I tried to go into the printers and faxes in Windows Explorer so I could find Control Panel, but it wouldn't let me. It says exactly "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." I checked the history on my browser and the only thing that seemed out of place was "spamfighter.com". I tried searching about this file, but there isn't much about it yet. I know someone else has posted on this site about the same thing. I looked through the topic and managed to unlock my Control Panel. At one point, regedit was restricted too. But I was able to find a freeware that reset the restriction. The reason I wanted to go into Control Panel was to check the programs on my computer and to maybe remove anything suspicious. However, that operation is still restricted. I also tried scanning with HijackThis and fixing anything that had printer.exe or winavxx.exe in it. But they keep coming back. And I'm so tired now. So, if anyone can please help me, I would truly appreciate it.

So without further ado, my log:

Logfile of HijackThis v1.99.1
Scan saved at 06:20, on 2007-08-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Updater.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\3M\PSNotes\psn.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\3M\PSNotes\PSNGive.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Post-itR Software Notes.lnk = C:\Program Files\3M\PSNotes\psn.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7635FD38-FC11-435E-8452-538FDE83A3A8}: NameServer = 85.255.113.204,85.255.112.232
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB444B58-3B89-468B-BAB3-813AF5D43ADC}: NameServer = 85.255.113.204,85.255.112.232
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O17 - HKLM\System\CS1\Services\Tcpip\..\{7635FD38-FC11-435E-8452-538FDE83A3A8}: NameServer = 85.255.113.204,85.255.112.232
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum135.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PixelModule (pxlmdl) - Unknown owner - C:\WINDOWS\nvidcgui.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

Thank you for your time.
0

#2 User is offline   don77 

  • Malware Expert
  • Group: Expert
  • Posts: 18,526
  • Joined: 05-July 04
  • Location:Boston Ma.
  • Operating System:XP Pro,ME, 98

Posted 10 August 2007 - 05:41 PM

Hello and welcome GAR_Violet
Sorry for the delay

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.


Next
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
0

#3 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 13 August 2007 - 03:09 AM

Hi Don77,

Thank you for replying! I've lost internet connection on my own computer (the said infected one) although I'm not entirely sure whether it has to do with this infection. But I've gotten onto another computer in my home to download the things you've instructed me to download onto a flash drive so I could run it on my own computer and I'm also replying on this other computer. Here are the two logs you requested:

Combofix:
ComboFix 07-08-04.3 - "Mei" 2007-08-13 4:18:54.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\UWA7P
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\stera.job


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_REMON
-------\remon


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 04:11 7,945 --a------ C:\dnsbak.reg
2007-08-08 17:41 <DIR> d-------- C:\DOCUME~1\Mei\DoctorWeb
2007-08-07 05:26 14,848 --a------ C:\WINDOWS\system32\printer.exe
2007-08-07 05:21 86,647,584 --a------ C:\backup.reg
2007-08-07 05:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 04:58 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-07 03:44 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-06 19:23 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-06 19:16 50,688 --a------ C:\DOCUME~1\Mei\APPLIC~1\spoolsv.dll
2007-08-06 19:16 37,376 --a------ C:\WINDOWS\system32\vtr135.dll
2007-08-06 19:16 14,848 --a------ C:\WINDOWS\system32\winavxx.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 12:01 --------- d-------- C:\Program Files\AIM
2007-08-08 19:31 --------- d-------- C:\Program Files\FinePixViewer
2007-07-28 17:15 --------- d-------- C:\DOCUME~1\Mei\APPLIC~1\Azureus
2007-07-24 09:35 --------- d-------- C:\Program Files\eMule
2007-07-24 00:22 --------- d-------- C:\Program Files\NJStar Communicator
2007-07-02 04:32 --------- d-------- C:\Program Files\America Online 9.0
2007-06-27 23:05 --------- d-------- C:\DOCUME~1\Mei\APPLIC~1\Skype
2007-06-20 03:59 --------- d-------- C:\DOCUME~1\Mei\APPLIC~1\Creative
2007-06-15 09:36 --------- d-------- C:\Program Files\Audible
2007-06-14 14:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-14 14:38 --------- d-------- C:\Program Files\Creative
2007-06-14 14:16 --------- d--h----- C:\Program Files\Creative Installation Information
2007-06-14 14:15 --------- d-------- C:\Program Files\Common Files\Creative
2007-06-05 02:48 45816 --a------ C:\DOCUME~1\Mei\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2004-07-22 11:51 3432656 --a------ C:\Program Files\ManagedDX.CAB
2004-07-19 23:58 1156363 --a------ C:\Program Files\BDANT.cab
2004-07-19 23:53 976020 --a------ C:\Program Files\BDAXP.cab
2004-07-16 15:30 3858 --a------ C:\Program Files\directx redist.txt
2004-07-09 15:17 13265040 --a------ C:\Program Files\dxnt.cab
2004-07-09 10:13 703080 --a------ C:\Program Files\BDA.cab
2004-07-09 10:13 15493481 --a------ C:\Program Files\DirectX.cab
2004-07-09 05:08 472576 --a------ C:\Program Files\dxsetup.exe
2004-07-09 05:08 2242560 --a------ C:\Program Files\dsetup32.dll
2004-07-09 04:03 62976 --a------ C:\Program Files\DSETUP.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-13 01:39]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 17:23]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 17:15]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"SpyHunter"="" []
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-08-06 19:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SFP"="C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe" [2003-09-05 16:30]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-11-24 14:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]
"WinAVX"="C:\WINDOWS\system32\WinAvXX.exe" [2007-08-06 19:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

C:\Documents and Settings\Mei\Start Menu\Programs\Startup\
system.exe [2007-08-06 19:16:37]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
autorun.exe [2007-08-06 19:16:37]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-06-05 04:00:31]
Post-itR Software Notes.lnk - C:\Program Files\3M\PSNotes\psn.exe [2003-10-10 15:53:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\printer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum135.txt

R0 IFP800;iriver Internet Audio Player IFP-800;C:\WINDOWS\system32\drivers\ifp800.sys
R1 FsVga;FsVga;C:\WINDOWS\system32\DRIVERS\fsvga.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
S2 pxlmdl;PixelModule;"C:\WINDOWS\nvidcgui.exe"
S3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys


Contents of the 'Scheduled Tasks' folder
2007-07-24 15:50:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN39J3C0JZI5.job
2007-08-08 23:49:01 C:\WINDOWS\Tasks\HP Usg Daily.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 04:29:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T\Media]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T\Media\Default]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T\Media\Default\MatialHeroes.exe]
"Path"="C:\Program Files\MartialHeroes_2.0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"IQ\ah????"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\\27\xf672k"Yv]
"Order"=hex:08,00,00,00,02,00,00,00,fe,00,00,00,01,00,00,00,02,00,00,00,7c,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AE8C915A-B53E-2275-28BE-A477CE194E19}]
"iaafmpchmcdldhedgb"=hex:69,61,61,67,63,68,61,61,62,61,66,6a,6b,6a,65,6a,69,66,00,00
"hagfomljmgcjobea"=hex:69,61,61,67,63,68,61,61,62,61,66,6a,6b,6a,65,6a,69,66,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E101A92F-858C-1E28-F337-740F6B221584}]
"dbpaaceknloddkpgoenppgabnpalopicphchingj"=hex:6b,61,66,6d,65,70,69,66,70,68,70,6c,70,6a,70,63,62,69,6d,6f,67,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 4:33:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-13 04:32

--- E O F ---

and HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 4:37:02 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Updater.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\3M\PSNotes\psn.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\3M\PSNotes\PSNGive.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Post-itR Software Notes.lnk = C:\Program Files\3M\PSNotes\psn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum135.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PixelModule (pxlmdl) - Unknown owner - C:\WINDOWS\nvidcgui.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

While running I think it was Fixwareout, it instructed me to double-click the dnsbak.reg in my C drive if I was having internet connection problems and to mention it in the forum. I tried a site afterwards, but I had no luck getting onto one. I'm not sure if it's worth mentioning, but my computer is the one directly connected to a modem and the computer I'm using right now is connected to that modem through a router. I'm assuming that since this computer has no problem connecting to the internet, that the problem lies within my computer and not the modem or router. Would it have to do with this infection also? I thought I might also mention that the time on my computer is now on military time and that I've also had trouble getting into my task manager in addition to the control panel and the registry editor as I had mentioned earlier. And also, Firefox is supposed to be my default browser, but every time I run Firefox, it will tell me that it is not. Even though every time that window pops up, I confirm it as my default browser.

Thanks a lot for taking a look at this for me, Don77. I will be awaiting your next set of instructions with anticipation. =)
0

#4 User is offline   don77 

  • Malware Expert
  • Group: Expert
  • Posts: 18,526
  • Joined: 05-July 04
  • Location:Boston Ma.
  • Operating System:XP Pro,ME, 98

Posted 13 August 2007 - 09:37 PM

OK we have quite a bit going on here lets take tis in steps

seeing you have another computer to work with lets get this as clean as we can


Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
C:\DOCUME~1\Mei\APPLIC~1\spoolsv.dll
C:\WINDOWS\system32\vtr135.dll
C:\WINDOWS\system32\winavxx.exe
C:\WINDOWS\system32\hrum135.txt
C:\WINDOWS\system32\printer.exe
C:\Documents and Settings\Mei\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAVX"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
0

#5 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 14 August 2007 - 01:25 AM

Hi Don77,

I've followed your instructions and I've noticed that my Control Panel, Registry Editor, and Task Manager were all accessible without the help of any applications. Also, my clock is back to normal. Thanks! However, I'm still unable to get onto the internet even though it says that I'm connected. And the pop ups are still around. Here are the logs you requested:

Combofix:
ComboFix 07-08-04.3 - "Mei" 2007-08-14 2:46:14.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.True
Command switches used :: C:\Documents and Settings\Mei\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))


2007-08-13 04:11 7,945 --a------ C:\dnsbak.reg
2007-08-08 17:41 <DIR> d-------- C:\DOCUME~1\Mei\DoctorWeb
2007-08-07 05:26 14,848 --a------ C:\WINDOWS\system32\printer.exe
2007-08-07 05:21 86,647,584 --a------ C:\backup.reg
2007-08-07 05:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 04:58 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-07 03:44 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-06 19:23 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-06 19:16 50,688 --a------ C:\DOCUME~1\Mei\APPLIC~1\spoolsv.dll
2007-08-06 19:16 37,376 --a------ C:\WINDOWS\system32\vtr135.dll
2007-08-06 19:16 14,848 --a------ C:\WINDOWS\system32\winavxx.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 12:01 --------- d-------- C:\Program Files\AIM
2007-08-08 19:31 --------- d-------- C:\Program Files\FinePixViewer
2007-07-28 17:15 --------- d-------- C:\DOCUME~1\Mei\APPLIC~1\Azureus
2007-07-24 09:35 --------- d-------- C:\Program Files\eMule
2007-07-24 00:22 --------- d-------- C:\Program Files\NJStar Communicator
2007-07-02 04:32 --------- d-------- C:\Program Files\America Online 9.0
2007-06-27 23:05 --------- d-------- C:\DOCUME~1\Mei\APPLIC~1\Skype
2007-06-20 03:59 --------- d-------- C:\DOCUME~1\Mei\APPLIC~1\Creative
2007-06-15 09:36 --------- d-------- C:\Program Files\Audible
2007-06-14 14:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-14 14:38 --------- d-------- C:\Program Files\Creative
2007-06-14 14:16 --------- d--h----- C:\Program Files\Creative Installation Information
2007-06-14 14:15 --------- d-------- C:\Program Files\Common Files\Creative
2007-06-05 02:48 45816 --a------ C:\DOCUME~1\Mei\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2004-07-22 11:51 3432656 --a------ C:\Program Files\ManagedDX.CAB
2004-07-19 23:58 1156363 --a------ C:\Program Files\BDANT.cab
2004-07-19 23:53 976020 --a------ C:\Program Files\BDAXP.cab
2004-07-16 15:30 3858 --a------ C:\Program Files\directx redist.txt
2004-07-09 15:17 13265040 --a------ C:\Program Files\dxnt.cab
2004-07-09 10:13 703080 --a------ C:\Program Files\BDA.cab
2004-07-09 10:13 15493481 --a------ C:\Program Files\DirectX.cab
2004-07-09 05:08 472576 --a------ C:\Program Files\dxsetup.exe
2004-07-09 05:08 2242560 --a------ C:\Program Files\dsetup32.dll
2004-07-09 04:03 62976 --a------ C:\Program Files\DSETUP.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-13 01:39]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 17:23]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 17:15]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"SpyHunter"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SFP"="C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe" [2003-09-05 16:30]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-11-24 14:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

C:\Documents and Settings\Mei\Start Menu\Programs\Startup\
system.exe [2007-08-06 19:16:37]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
autorun.exe [2007-08-06 19:16:37]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-06-05 04:00:31]
Post-itR Software Notes.lnk - C:\Program Files\3M\PSNotes\psn.exe [2003-10-10 15:53:20]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum135.txt

R0 IFP800;iriver Internet Audio Player IFP-800;C:\WINDOWS\system32\drivers\ifp800.sys
R1 FsVga;FsVga;C:\WINDOWS\system32\DRIVERS\fsvga.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
S2 pxlmdl;PixelModule;"C:\WINDOWS\nvidcgui.exe"
S3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys


Contents of the 'Scheduled Tasks' folder
2007-07-24 15:50:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN39J3C0JZI5.job
2007-08-08 23:49:01 C:\WINDOWS\Tasks\HP Usg Daily.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 02:52:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T\Media]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T\Media\Default]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\C:\Documents and Settings\zero80\My Documents\\x6aa3\x8776\x9a57\G_T\Media\Default\MatialHeroes.exe]
"Path"="C:\Program Files\MartialHeroes_2.0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"IQ\ah????"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\\27\xf672k"Yv]
"Order"=hex:08,00,00,00,02,00,00,00,fe,00,00,00,01,00,00,00,02,00,00,00,7c,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AE8C915A-B53E-2275-28BE-A477CE194E19}]
"iaafmpchmcdldhedgb"=hex:69,61,61,67,63,68,61,61,62,61,66,6a,6b,6a,65,6a,69,66,00,00
"hagfomljmgcjobea"=hex:69,61,61,67,63,68,61,61,62,61,66,6a,6b,6a,65,6a,69,66,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E101A92F-858C-1E28-F337-740F6B221584}]
"dbpaaceknloddkpgoenppgabnpalopicphchingj"=hex:6b,61,66,6d,65,70,69,66,70,68,70,6c,70,6a,70,63,62,69,6d,6f,67,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 2:55:30
C:\ComboFix-quarantined-files.txt ... 2007-08-14 02:54
C:\ComboFix2.txt ... 2007-08-13 04:33

--- E O F ---

and HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 3:00:47 AM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Updater.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\3M\PSNotes\psn.exe
C:\Documents and Settings\Mei\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\3M\PSNotes\PSNGive.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Post-itR Software Notes.lnk = C:\Program Files\3M\PSNotes\psn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum135.txt
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PixelModule (pxlmdl) - Unknown owner - C:\WINDOWS\nvidcgui.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

Thanks so much for your help!
0

#6 User is offline   don77 

  • Malware Expert
  • Group: Expert
  • Posts: 18,526
  • Joined: 05-July 04
  • Location:Boston Ma.
  • Operating System:XP Pro,ME, 98

Posted 14 August 2007 - 07:12 PM

1. Click here to download The Avenger by Swandog46 and save it to your desktop.
  • Right click on Avenger.zip and choose "Extract All" extract the avenger.exe file.
  • Extract it to your desktop
2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) or right clicking it and choosing "Copy":

Quote

Files to delete:
C:\DOCUME~1\Mei\APPLIC~1\spoolsv.dll
C:\WINDOWS\system32\vtr135.dll
C:\WINDOWS\system32\winavxx.exe
C:\WINDOWS\system32\hrum135.txt
C:\WINDOWS\system32\printer.exe
C:\Documents and Settings\Mei\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Come back here to this thread. Copy and paste the contents of c:\avenger.txt into your reply along with a fresh HJT log .
0

#7 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 15 August 2007 - 12:43 AM

Hi Don77,

I've followed your last set of instructions, but I'm not sure it went totally smoothly even though the logs say it did. My computer has defaulted back to locking out the Control Panel, Task Manager, and the Registry Editor. After running the code you gave me in Avenger, a prompt came up that said registry editing was disabled. My clock is still normal though. Also, after the reboot, a prompt said that printer.exe was not found. Here are the two logs:

Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fpiqjqiq

*******************

Script file located at: \??\C:\Documents and Settings\svkstajw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\DOCUME~1\Mei\APPLIC~1\spoolsv.dll deleted successfully.
File C:\WINDOWS\system32\vtr135.dll deleted successfully.
File C:\WINDOWS\system32\winavxx.exe deleted successfully.
File C:\WINDOWS\system32\hrum135.txt deleted successfully.
File C:\WINDOWS\system32\printer.exe deleted successfully.
File C:\Documents and Settings\Mei\Start Menu\Programs\Startup\system.exe deleted successfully.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 2:22:58 AM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Updater.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\3M\PSNotes\psn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\3M\PSNotes\PSNGive.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Post-itR Software Notes.lnk = C:\Program Files\3M\PSNotes\psn.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.204 85.255.112.232
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PixelModule (pxlmdl) - Unknown owner - C:\WINDOWS\nvidcgui.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

Thanks for your help so far.
0

#8 User is offline   don77 

  • Malware Expert
  • Group: Expert
  • Posts: 18,526
  • Joined: 05-July 04
  • Location:Boston Ma.
  • Operating System:XP Pro,ME, 98

Posted 15 August 2007 - 04:39 AM

Looking better :whistling:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Next

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Close out HJT, Restart your computer

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt
0

#9 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 16 August 2007 - 12:54 AM

Hi Don77,

I tried doing as you instructed, but I had trouble. The bold words that I was to type into Start -> Run, didn't work. A prompt told me Windows couldn't find "C:\Documents and Settings\Mei\desktop\dss.exe". So, I was not able to get into the DSS configuration since I couldn't locate it. I tried searching for it, but that didn't work.

I want to add that I was also unable to find one of the registry keys to delete in the hijackthis scan. I managed to delete 4 of them, but only one of the ones that started with 07 (sorry, I can't remember which!) was in the list. Actually, that was the only registry key that started with 07 on the list at all.

So, please, let me know how I should proceed. Thanks!
0

#10 User is offline   don77 

  • Malware Expert
  • Group: Expert
  • Posts: 18,526
  • Joined: 05-July 04
  • Location:Boston Ma.
  • Operating System:XP Pro,ME, 98

Posted 16 August 2007 - 04:54 AM

Quote

I tried doing as you instructed, but I had trouble. The bold words that I was to type into Start -> Run, didn't work. A prompt told me Windows couldn't find "C:\Documents and Settings\Mei\desktop\dss.exe". So, I was not able to get into the DSS configuration since I couldn't locate it. I tried searching for it, but that didn't work.


Would be helpful if I had you download it in the first place :whistling:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Quote

I want to add that I was also unable to find one of the registry keys to delete in the hijackthis scan. I managed to delete 4 of them, but only one of the ones that started with 07 (sorry, I can't remember which!) was in the list. Actually, that was the only registry key that started with 07 on the list at all.


Let me have a look at the DSS log and we will go from there


Sorry for the confusion
0

#11 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 17 August 2007 - 12:45 AM

Hi Don 77,

Yeah, I was pretty confused. :whistling: Since I wasn't able to connect to the internet on this computer (I managed to get internet back with a friend's help), I was going back and forth between computers wondering if I mistyped something. But it's alright, I didn't go crazy about it. No harm done.

Anyway, here are the two logs:

Main:
Deckard's System Scanner v20070809.63
Run by Mei on 2007-08-17 at 02:07:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
86: 2007-08-17 06:07:54 UTC - RP573 - Deckard's System Scanner Restore Point
85: 2007-08-13 08:18:35 UTC - RP572 - ComboFix created restore point
84: 2007-08-08 23:49:54 UTC - RP571 - System Checkpoint
83: 2007-08-07 08:57:59 UTC - RP570 - Installed Microsoft Visual C++ 2005 Redistributable
82: 2007-08-07 03:01:45 UTC - RP569 - Removed SPYWAREfighter.


-- First Restore Point --
1: 2007-05-12 08:18:34 UTC - RP488 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 18.94 GiB (less than 15%) free.


-- HijackThis (run as Mei.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 02:09, on 2007-08-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Updater.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\3M\PSNotes\psn.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\3M\PSNotes\PSNGive.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mei\desktop\dss.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\HIJACK~1\Mei.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Post-itR Software Notes.lnk = C:\Program Files\3M\PSNotes\psn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7635FD38-FC11-435E-8452-538FDE83A3A8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7635FD38-FC11-435E-8452-538FDE83A3A8}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PixelModule (pxlmdl) - Unknown owner - C:\WINDOWS\nvidcgui.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070808-200155-190 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070808-200155-201 O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070808-200155-346 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20070808-200155-376 O4 - Startup: system.exe
backup-20070808-200155-980 O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070816-020941-104 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20070816-020941-279 O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070816-020941-884 O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070816-020941-916 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 IFP800 (iriver Internet Audio Player IFP-800) - c:\windows\system32\drivers\ifp800.sys <Not Verified; iRiver, Inc.; IFP-100>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>

S1 avgio - c:\program files\antivir personaledition classic\avgio.sys (file missing)
S3 avgntflt - c:\program files\antivir personaledition classic\avgntflt.sys (file missing)
S3 catchme - c:\docume~1\mei\locals~1\temp\catchme.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 bgsvcgen (B's Recorder GOLD Library General Service) - c:\windows\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD8>

S2 pxlmdl (PixelModule) - "c:\windows\nvidcgui.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 736)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\system32\svchost.exe (pid 976)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\system32\svchost.exe (pid 1056)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\system32\svchost.exe (pid 1140)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\system32\svchost.exe (pid 1184)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\system32\svchost.exe (pid 1236)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\system32\svchost.exe (pid 1936)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\explorer.exe (pid 1828)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >

C:\WINDOWS\system32\svchost.exe (pid 3136)
2005-09-30 13:48:28 82432 --a------ C:\Program Files\Spyware Doctor\tools\klg.DAT <Not Verified; PC Tools; >
2005-11-09 15:24:32 82944 --a------ C:\Program Files\Spyware Doctor\tools\swpg.DAT <Not Verified; PC Tools; >


-- Scheduled Tasks -------------------------------------------------------------

2007-08-08 19:49:01 338 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2007-07-24 11:50:06 316 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN39J3C0JZI5.job


-- Files created between 2007-07-17 and 2007-08-17 -----------------------------

2007-08-17 02:05:45 0 d-------- C:\WINDOWS\LastGood
2007-08-13 04:11:02 7945 --a------ C:\dnsbak.reg
2007-08-08 17:41:24 0 d-------- C:\Documents and Settings\Mei\DoctorWeb
2007-08-07 04:58:15 77312 --a------ C:\WINDOWS\ua2.dll
2007-08-07 03:44:52 0 d-------- C:\Program Files\Enigma Software Group
2007-08-06 19:23:13 8704 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; MicrosoftR WindowsR Operating System>


-- Find3M Report ---------------------------------------------------------------

2007-08-09 12:01:08 0 d-------- C:\Program Files\AIM
2007-08-08 19:31:12 0 d-------- C:\Program Files\FinePixViewer
2007-08-06 23:02:09 0 d-------- C:\Program Files\Common Files
2007-07-28 17:15:19 0 d-------- C:\Documents and Settings\Mei\Application Data\Azureus
2007-07-24 09:35:55 0 d-------- C:\Program Files\eMule
2007-07-24 00:22:42 0 d-------- C:\Program Files\NJStar Communicator
2007-07-02 04:32:31 0 d-------- C:\Program Files\America Online 9.0
2007-06-27 23:05:17 0 d-------- C:\Documents and Settings\Mei\Application Data\Skype
2007-06-20 13:30:13 0 d-------- C:\Program Files\Java
2007-06-20 03:59:40 0 d-------- C:\Documents and Settings\Mei\Application Data\Creative
2007-06-05 02:48:43 45816 --a------ C:\Documents and Settings\Mei\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-13 01:39]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 17:23]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 17:15]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"SpyHunter"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SFP"="C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe" [2003-09-05 16:30]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-11-24 14:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-06-05 04:00:31]
Post-itR Software Notes.lnk - C:\Program Files\3M\PSNotes\psn.exe [2003-10-10 15:53:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)




-- End of Deckard's System Scanner: finished at 2007-08-17 at 02:10:15 ---------

Extra:
Deckard's System Scanner v20070809.63
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 509.98 MiB / 150.18 MiB
Pagefile Memory (total/avail): 1248.13 MiB / 934.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.96 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 145.34 GiB total, 18.94 GiB free.
D: is CDROM (No Media)
F: is Removable (No Media)
G: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mei\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MEI
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mei
LOGONSERVER=\\MEI
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mei\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mei\LOCALS~1\Temp
USERDOMAIN=MEI
USERNAME=Mei
USERPROFILE=C:\Documents and Settings\Mei
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mei (admin)
Mommy (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative Installation Information\CREATIVE_MEDIASOURCE_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_NET_CONTENT_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_MTP_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\MEDIASOURCE_PLAYER_SKINPACK_U\Setup.exe" /remove /l0x0009
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
AudibleManager --> C:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Clubbox 橾瞪歎婦葬濠 --> C:\WINDOWS\system32\ClubboxUninstall.exe
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Creative MediaSource 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN V Series (R2) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Disc2Phone --> MsiExec.exe /I{6E65247F-58F9-41CA-BE69-0316F7907170}
Easy MP3 Cutter 2.5 --> "C:\Program Files\Easy MP3 Cutter\unins000.exe"
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
eMule --> "C:\Program Files\eMule\Uninstall.exe"
FinePix Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}\SETUP.EXE" -l0x9
FinePixViewer Resource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B44529FF-501E-47CD-A06D-223C161BE058}\SETUP.EXE" -l0x9
FinePixViewer Ver.5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE" -l0x9
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe /s CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Software Update --> MsiExec.exe /X{D43BB532-3537-4CE9-9CBB-92533BD29F0C}
ImageMixer VCD2 LE for FinePix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B093990A-AAF2-44AC-9216-14BB7A2189B6}\SETUP.EXE" -l0x9
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iriver Music Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{072D2077-9E22-4F7F-B817-A92CA6CCC843}\Setup.exe" -l0x9 anything
iRiver Updater --> \uninst.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Codec Pack (Full) 2.59 Beta2 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky On-line Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
McGraw-Hill's GED --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F63A3F0E-BE83-43E4-A9A2-153E877A857C}
MediaMonkey 2.5 --> "C:\Program Files\MediaMonkey\unins000.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mobile Media Converter --> "C:\Program Files\MIKSOFT\Mobile Media Converter\unins000.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.3) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MXpie Patch for WinMX Network/WPNP --> C:\Program Files\MXpie Patch\MXpie_Uninstaller.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NJStar Communicator --> "C:\Program Files\NJStar Communicator\Remove.exe" /U:"C:\Program Files\NJStar Communicator\Remove.log"
PC Health Plan 1.6.1.10 --> "C:\Program Files\PC Health Plan\unins000.exe"
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Post-it?Software Notes --> "C:\Program Files\3M\PSNotes\Uninstall.exe" -Prog"C:\Program Files\3M\PSNotes\psn.exe" -INI"C:\Program Files\3M\PSNotes\uninst.ini"
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Skype? 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sony Ericsson PC Suite 1.20.237 --> MsiExec.exe /I{D21635EA-7A89-4881-86A9-0C1DCBCD1317}
Sony Sound Forge 8.0d --> MsiExec.exe /X{5636E517-8100-4E2A-B69E-2B16AFFA2360}
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log"
Spyware Doctor 3.2 --> "C:\Program Files\Spyware Doctor\unins000.exe"
TablePCRT --> MsiExec.exe /X{C46A5F24-B91F-477C-B634-DB99A7D7792A}
Update Service --> C:\Program Files\Sony Ericsson\Update Service\uninst.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinMX --> C:\Program Files\WinMX\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- End of Deckard's System Scanner: finished at 2007-08-17 at 02:10:15 ---------

I don't know if it's necessary, but just an update on my computer's condition. There are currently no more popups. That yellow triangle in my tray is gone and no more random prompts telling me to buy software. I can get into the registry editor and task manager without problem. But my control panel is still locked and my clock has gone back to military time. I'm also able to get online now as I had mentioned earlier. I suspect that some of my internet protocol settings were changed without me realizing. So, almost there?

Thanks for all your time and patience!
0

#12 User is offline   don77 

  • Malware Expert
  • Group: Expert
  • Posts: 18,526
  • Joined: 05-July 04
  • Location:Boston Ma.
  • Operating System:XP Pro,ME, 98

Posted 17 August 2007 - 04:23 AM

things are looking much better :whistling:

Quote

I don't know if it's necessary, but just an update on my computer's condition. There are currently no more popups. That yellow triangle in my tray is gone and no more random prompts telling me to buy software. I can get into the registry editor and task manager without problem. But my control panel is still locked and my clock has gone back to military time. I'm also able to get online now as I had mentioned earlier. I suspect that some of my internet protocol settings were changed without me realizing. So, almost there?


yes thats helpful thanks for the update and yes almost there


First
Go to Start > Run
Type:
    regedit
Click OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
      Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup

  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Next
Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
and Save it on the desktop


Quote

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Then double-click on the fix.reg file, and when it prompts to merge say yes,


Next
Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:


J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 5 –
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03

The p2p programs are recommended for removal but the choice is yours as to whether you want to keep them or not they are a breading ground for malware

Azureus
eMule


Also do you know what this program is ?
Clubbox 橾瞪歎婦葬濠

If you don’t know what it is it can be removed via add/remove along with the rest

Please restart your computer after you have removed the last program

Next
Lets see about fixing the time

In Control Panel, double-click Regional Options.
In Regional Options, click Customize.
Click the Time tab.
Under Time format make sure it is h:mm:ss tt
If not click apply and then click OK


Next

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report



Post back a fresh DSS log as well please
Let me know how things are running now ?
0

#13 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 17 August 2007 - 11:53 AM

Hi Don77,

Everything seems to be running normally. The logs seem to show that there are still some traces of it left (and apparently some other stuff), but it's running fine at the moment. Here are the logs:

PandaScan:
Incident Status Location

Adware:adware/whenusearch Not disinfected Windows Registry
Adware:Adware/WinAntiVirus2007 Not disinfected C:\avenger\backup.zip[avenger/autorun.exe]
Virus:Trj/Downloader.MDW Disinfected C:\avenger\backup.zip[avenger/hrum135.txt]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\avenger\backup.zip[avenger/printer.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\avenger\backup.zip[avenger/system.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\avenger\backup.zip[avenger/vtr135.dll]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\avenger\backup.zip[avenger/winavxx.exe]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.zedo.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.2o7.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.com.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.winantispyware.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.overture.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.247realmedia.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\19\7ff5add3-6c39d5f1[MagicApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\19\7ff5add3-6c39d5f1[OwnClassLoader.class]
Virus:Trj/ClassLoader.AF Disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\19\7ff5add3-6c39d5f1[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-2b481943[MagicApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-2b481943[OwnClassLoader.class]
Virus:Trj/ClassLoader.AF Disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-2b481943[Installer.class]
Virus:Generic Trojan Disinfected C:\Documents and Settings\Mei\Desktop\apps\Nero 6.6 Reloaded\Keygen-ORiON\cim-Ahead.Nero.Burning.Rom.6.6.0.3.KeyGen\Keygen.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Mei\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Virus:Generic Malware Disinfected C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
Adware:Adware/WhenUSearch Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\Program Files\Hijackthis\backups\backup-20070808-200155-376-system.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\_OTMoveIt\MovedFiles\WINDOWS\system32\printer.exe

DSS:
Deckard's System Scanner v20070809.63
Run by Mei on 2007-08-17 at 13:30:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 18.99 GiB (less than 15%) free.


-- HijackThis (run as Mei.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:31:04 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Updater.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\3M\PSNotes\psn.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\3M\PSNotes\PSNGive.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mei\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Mei.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Post-itR Software Notes.lnk = C:\Program Files\3M\PSNotes\psn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7635FD38-FC11-435E-8452-538FDE83A3A8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7635FD38-FC11-435E-8452-538FDE83A3A8}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PixelModule (pxlmdl) - Unknown owner - C:\WINDOWS\nvidcgui.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


-- Files created between 2007-07-17 and 2007-08-17 -----------------------------

2007-08-17 12:00:31 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-17 12:00:28 0 d-------- C:\WINDOWS\LastGood
2007-08-17 10:05:54 87692822 --a------ C:\backup.reg
2007-08-13 04:11:02 7945 --a------ C:\dnsbak.reg
2007-08-08 17:41:24 0 d-------- C:\Documents and Settings\Mei\DoctorWeb
2007-08-07 04:58:15 77312 --a------ C:\WINDOWS\ua2.dll
2007-08-07 03:44:52 0 d-------- C:\Program Files\Enigma Software Group
2007-08-06 19:23:13 8704 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; MicrosoftR WindowsR Operating System>


-- Find3M Report ---------------------------------------------------------------

2007-08-17 12:52:15 0 d-------- C:\Program Files\Spyware Doctor
2007-08-17 12:42:41 0 d-------- C:\Program Files\FinePixViewer
2007-08-17 12:41:31 0 d-------- C:\Program Files\DellSupport
2007-08-17 12:41:11 0 d-------- C:\Program Files\DAEMON Tools
2007-08-17 12:40:35 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-08-17 11:51:25 0 d-------- C:\Program Files\WinMX
2007-08-17 11:49:58 0 d-------- C:\Program Files\Java
2007-08-17 09:56:39 0 d-------- C:\Program Files\eMule
2007-08-09 12:01:08 0 d-------- C:\Program Files\AIM
2007-08-06 23:02:09 0 d-------- C:\Program Files\Common Files
2007-07-28 17:15:19 0 d-------- C:\Documents and Settings\Mei\Application Data\Azureus
2007-07-24 00:22:42 0 d-------- C:\Program Files\NJStar Communicator
2007-07-02 04:32:31 0 d-------- C:\Program Files\America Online 9.0
2007-06-27 23:05:17 0 d-------- C:\Documents and Settings\Mei\Application Data\Skype
2007-06-20 03:59:40 0 d-------- C:\Documents and Settings\Mei\Application Data\Creative
2007-06-05 02:48:43 45816 --a------ C:\Documents and Settings\Mei\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 08:42 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 05:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [10/13/2005 01:39 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 02:05 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 02:02 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/25/2003 10:14 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [08/20/2003 05:23 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [08/20/2003 02:57 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24 AM]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [08/20/2003 05:15 PM]
"iRiver Updater"="\Updater.exe" [07/01/2004 05:20 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [10/26/2005 05:17 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/10/2005 10:57 AM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"SpyHunter"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"SFP"="C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe" [09/05/2003 04:30 PM]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [11/24/2005 02:14 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [06/12/2006 02:32 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [6/5/2007 4:00:31 AM]
Post-itR Software Notes.lnk - C:\Program Files\3M\PSNotes\psn.exe [10/10/2003 3:53:20 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)




-- End of Deckard's System Scanner: finished at 2007-08-17 at 13:31:43 ---------

We're probably not all done, but the fact that everything is normal right now means I owe you a big thanks.

THANKS!!!

:whistling:
0

#14 User is offline   don77 

  • Malware Expert
  • Group: Expert
  • Posts: 18,526
  • Joined: 05-July 04
  • Location:Boston Ma.
  • Operating System:XP Pro,ME, 98

Posted 17 August 2007 - 10:36 PM

Looking much better :whistling:

Active scan is finding quarantied items and some cookies which we will clean out


Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
and Save it on the desktop


Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Then double-click on the fix.reg file, and when it prompts to merge say yes,


Next


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Next
Otmoveit cleanup

Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot,



Rescan with Active one more time please and post back what it finds
0

#15 User is offline   GAR_Violet 

  • Member
  • PipPip
  • Group: Member
  • Posts: 10
  • Joined: 07-August 07
  • Operating System:Windows XP

Posted 19 August 2007 - 04:54 PM

Hi Don77,

Here's the log from ActiveScan. It's much shorter. :whistling:

Incident Status Location

Adware:adware/whenusearch Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mei\Application Data\Mozilla\Firefox\Profiles\hvvmvggi.default\cookies.txt[.advertising.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\19\7ff5add3-6c39d5f1[MagicApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\19\7ff5add3-6c39d5f1[OwnClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-2b481943[MagicApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Mei\Application Data\Sun\Java\Deployment\cache\6.0\21\5ac853d5-2b481943[OwnClassLoader.class]
Adware:Adware/WhenUSearch Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\Program Files\Hijackthis\backups\backup-20070808-200155-376-system.exe

I'm not sure why there are cookies. I used ATF cleaner like you instructed me to do. But in any case, my computer seems to be running totally normally again. So once again, thanks so much!
0

Share this topic:


  • (2 Pages)
  • +
  • 1
  • 2

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users


Advertisements do not imply our endorsement of that product or service. Join to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks mentioned on this page are the property of their respective owners.

© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising | Contact | Link to us