
Win32/Fotomoto [RESOLVED]


  • This topic is locked

#1
GoKarGo
  • Member
  • 26 posts

Hi, recently my computer was infected with the WinAntiVirus popups. I followed the instructions for removal in these forums and was successful. However, Windows Defender keeps detecting (and removing?) a browser modifier called Win32/Fotomoto. I can't get rid of it. Every time I restart the computer it re-installs itself? My homepage keeps getting changed and I was hoping someone could help me permanently get rid of it... Thank you!

Oh here is my HijackThis log file....

Logfile of HijackThis v1.99.1
Scan saved at 11:44:56 AM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\udnpmylf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE"
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [\\DONNA\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P39 "\\DONNA\EPSON Stylus Photo RX620 Series" /O6 "USB002" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170882246093
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\udnpmylf.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Thanks again.

Edited by GoKarGo, 05 September 2007 - 01:01 PM.



#2
Stamper19
  • Expert
  • 1,992 posts

Hi GoKarGo,

Welcome to Geeks to Go!

Sorry for the delay, but as you can see we are pretty busy around here. My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point. :whistling:

----------------------------------------------------------------

We need to delete a service.

Please copy (Ctrl C) and paste (Ctrl V) the text below to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

sc stop DomainService
sc delete DomainService
exit

Double click FixServices.bat. A window will open and close. This is normal.

----------------------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\udnpmylf.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

----------------------------------------------------------------

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these FILES (if present):

C:\WINDOWS\system32\udnpmylf.exe

----------------------------------------------------------------

Please download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
----------------------------------------------------------------

Information to include in your next post:
  • main.txt and extra.txt from DSS
  • Kaspersky Scan Log

Edited by Stamper19, 11 September 2007 - 11:57 AM.

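The instructions above are a manual triage of a HijackThis log: the helper picked out search-page entries pointing at an unfamiliar host, two BHOs whose DLLs no longer exist, and a service (DomainService) with no publisher recorded. The script below is an added example, written for this page and not a tool from the thread, from Geeks to Go or from HijackThis, that applies the same heuristics to raw log lines so the same leads surface automatically. The trusted-host list is an assumption made for the example, the Startup-shortcut rule generalises the O4 entries seen in the later log in this thread, and the sample lines are copied from the log posted above.

```python
"""HijackThis log triage (added example; not a tool from this thread).

Each heuristic mirrors something the helper acted on by hand: an IE search or
start page on a host the analyst does not recognise, a BHO whose DLL is gone,
a service with an empty publisher field, and a Startup-folder shortcut that
launches an executable straight out of system32. A hit is a lead for a human
reviewer, not a verdict.
"""
import re
from dataclasses import dataclass

# Assumption: hosts the analyst accepts as this machine's vendor/ISP defaults.
TRUSTED_SEARCH_HOSTS = {"go.microsoft.com", "www.yahoo.com",
                        "www.dell4me.com", "home.peoplepc.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
# O23 body layout: "Service: <name> - <publisher> - <path>"; publisher may be empty.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) -\s*(?P<publisher>.*?)\s*- (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def _host_of(text):
    m = URL_HOST_RE.search(text)
    if not m:
        return None
    # Forum software shortens long URLs to "host.../path"; drop the ellipsis.
    return m.group(1).rstrip(".").lower()


def _host_trusted(host):
    # A truncated host ("go.microsoft") is accepted if it is a label-aligned
    # prefix of a trusted name; anything else must match exactly.
    return any(t == host or t.startswith(host + ".") for t in TRUSTED_SEARCH_HOSTS)


def triage_line(line):
    """Return a Finding for one HijackThis line, or None if no heuristic fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    # R0/R1: IE start and search pages. Anything off the trusted list is a lead.
    if code in ("R0", "R1") and "=" in body:
        host = _host_of(body.split("=", 1)[1])
        if host and not _host_trusted(host):
            return Finding(code, f"search/start page points at untrusted host {host}", line)

    # O2: a BHO still registered after its DLL is gone is an orphaned hook.
    if code == "O2" and body.endswith("(file missing)"):
        return Finding(code, "BHO registered but its DLL is absent", line)

    # O23: legitimate services almost always carry a publisher string.
    if code == "O23":
        sm = SERVICE_RE.match(body)
        if sm and sm.group("publisher") == "":
            return Finding(code, "service has no publisher recorded", line)

    # O4 Startup: shortcuts normally point into Program Files, not system32.
    if code == "O4" and body.startswith("Startup:") and "=" in body:
        target = body.split("=", 1)[1].strip().lower()
        if "\\system32\\" in target:
            return Finding(code, "Startup shortcut launches an executable from system32", line)
    return None


def triage_log(text):
    """Run every line of a log through triage_line and keep the hits, in order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\lkdsrngk.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\udnpmylf.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Run against the sample it reports the same six entries the helper selected for Fix Checked, and nothing for the Adobe BHO, the Lexmark service, or the "Unknown owner" AVG service, which the helper also left alone. Anything it flags still needs the reviewer's judgement; the output is a shortlist, and the removal itself is done with HijackThis and the `sc stop` / `sc delete` steps above, not by this script.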

#3
GoKarGo
  • Topic Starter
  • Member
  • 26 posts

Thank you for your response. The problem has gotten worse since my post. WinAntiVirus showed up again, I followed the instructions again, and the computer keeps finding more trojans and virtumonde . The computer is pretty erratic at this point, I am writing from another computer. What should I do?

I am posting a new HijackThis Log file in case anything changed.

Logfile of HijackThis v1.99.1
Scan saved at 3:44:02 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\lkdsrngk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE"
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [\\DONNA\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P39 "\\DONNA\EPSON Stylus Photo RX620 Series" /O6 "USB002" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [{63-39-93-37-ZN}] C:\windows\system32\lkdsrngk.exe CHD003
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\lkdsrngk.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinlmdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170882246093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Edited by GoKarGo, 11 September 2007 - 04:48 PM.


#4
Stamper19
  • Expert
  • 1,992 posts

Hi GoKarGo,

I'm going to need a bit more information if you could provide it. Why exactly are you posting from another computer? Is it just *difficult* to post from the other? Have you lost internet connectivity? Details are always helpful. Also, you did not complete at least two steps in my instructions: the Kaspersky scan and the DSS log. Were you not able to? If you haven't completed the Kaspersky scan then hold off for now. The DSS log I do want, though, if we can get it, so I will include it again in this set of instructions. :whistling:

In the meantime, yes, I do see some more bad guys in your new log. Let's start getting rid of them :blink:

----------------------------------------------------------------

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

----------------------------------------------------------------

Please download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

----------------------------------------------------------------

Information to include in your next post:
  • ComboFix log
  • main.txt and extra.txt from DSS


#5
GoKarGo
  • Topic Starter
  • Member
  • 26 posts

The reason I was at another computer was that it was taking 20 minutes to boot the computer. Once it finished loading everything, I was able to use it. Here are the log files:

ComboFix 07-09-10.6 - "Donna Perrott" 2007-09-11 16:25:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.61 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup\ta_start.lnk
C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup\think-adz.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\lioyrybl.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\SYSTEM32\wvvwa.bak1
C:\WINDOWS\SYSTEM32\wvvwa.ini
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.

2007-09-11 16:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 15:58 <DIR> d-------- C:\Deckard
2007-09-11 13:18 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-11 11:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-09-10 10:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-31 10:01 <DIR> d-------- C:\VundoFix Backups
2007-08-30 13:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-30 13:29 <DIR> d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\Lavasoft
2007-08-30 10:29 <DIR> d-------- C:\WINDOWS\pss
2007-08-24 16:04 6,473 --ahs---- C:\WINDOWS\SYSTEM32\prutv.bak1
2007-08-24 14:54 6,473 --ahs---- C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-08-24 13:38 6,473 --ahs---- C:\WINDOWS\SYSTEM32\ijkmp.bak1
2007-08-24 13:15 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-24 09:17 <DIR> d-------- C:\viruses
2007-08-24 01:46 1,612,249 --ahs---- C:\WINDOWS\SYSTEM32\vybeg.bak2
2007-08-23 14:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-08-23 10:40 94,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-08-23 10:39 <DIR> d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\HouseCall 6.6
2007-08-23 10:14 52,749 --a------ C:\WINDOWS\SYSTEM32\lkdsrngk.exe
2007-08-23 09:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yahoo!
2007-08-23 09:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-22 13:45 1,589,403 --ahs---- C:\WINDOWS\SYSTEM32\vybeg.bak1
2007-08-22 13:34 <DIR> d--hs---- C:\WINDOWS\RG9ubmEgSiBIYXluZXM
2007-08-22 13:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\temps1
2007-08-22 13:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\IBD4
2007-08-22 13:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\cofig32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 10:38 --------- d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\OpenOffice.org2
2007-08-28 13:17 --------- d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\Corel
2007-08-24 13:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-23 14:47 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 14:46 --------- d-------- C:\Program Files\Dell
2007-08-23 09:21 --------- d-------- C:\Program Files\Yahoo!
2007-07-16 11:53 20747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-07-16 11:53 --------- d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-05-09 14:18 173941 --a------ C:\Program Files\CA14C7DX.pdf
2007-05-07 11:36 105738 --a------ C:\Program Files\PrintViewDoc.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D10A71DE-B2C5-49FD-921F-4B2548C2ABAA}]
C:\WINDOWS\system32\jkhff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4843D15-1A10-491C-8D9B-6BAB4CB5D090}]
C:\Program Files\Windows NT\wohuraki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 22:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 22:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 12:47]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 20:35]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 14:21]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-12-14 10:17]
"\\DONNA\EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 14:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"{63-39-93-37-ZN}"="C:\windows\system32\lkdsrngk.exe" [2007-08-23 10:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\awvvw

R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS

.
Contents of the 'Scheduled Tasks' folder
"2004-07-13 22:09:44 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2007-09-11 23:38:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-12-23 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-09-11 23:41:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 16:40:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\dwdsrngt.exe

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\DONNA\\EPSON Stylus Photo RX620 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9HA.EXE /P39 \"\\\\DONNA\\EPSON Stylus Photo RX620 Series\" /O6 \"USB002\" /M \"Stylus Photo RX620\""
.
Completion time: 2007-09-11 16:46:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-11 16:45
.
--- E O F ---

Deckard's System Scanner v20070905.67
Run by Donna Perrott on 2007-09-11 15:58:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
88: 2007-09-11 22:59:04 UTC - RP364 - Deckard's System Scanner Restore Point
87: 2007-09-11 22:16:41 UTC - RP363 - Windows Defender Checkpoint
86: 2007-09-11 19:03:06 UTC - RP362 - Windows Defender Checkpoint
85: 2007-09-11 17:33:58 UTC - RP361 - Last known good configuration
84: 2007-09-11 17:33:02 UTC - RP360 - Windows Defender Checkpoint


-- First Restore Point --
1: 2007-09-11 17:31:16 UTC - RP277 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Donna Perrott.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-11 15:59:49
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\BRSVC01A.EXE
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\BRSS01A.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\lkdsrngk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Donna Perrott\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE"
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: (no name) - {DFA6AE74-0BB0-4871-BADF-B97FC42BFBBA} - C:\WINDOWS\SYSTEM32\awvvw.dll
O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKEY_LOCAL_MACHINE\..\Run: [\\DONNA\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P39 "\\DONNA\EPSON Stylus Photo RX620 Series" /O6 "USB002" /M "Stylus Photo RX620"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKEY_LOCAL_MACHINE\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKEY_LOCAL_MACHINE\..\Run: [{63-39-93-37-ZN}] C:\windows\system32\lkdsrngk.exe CHD003
O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\lkdsrngk.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinlmdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170882246093
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - "C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 rtl8180 (Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver) - c:\windows\system32\drivers\rtl8180.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8180 Wireless LAN (Mini-)PCI NIC>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe (file missing)
S2 AVGEMS (AVG E-mail Scanner) - c:\progra~1\grisoft\avg7\avgemc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Service: bcm4sbxp


-- Scheduled Tasks -------------------------------------------------------------

2007-09-11 16:01:00 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-09-11 15:22:39 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2006-12-22 21:00:00 564 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2004-07-13 15:09:44 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2007-08-11 and 2007-09-11 -----------------------------

2007-09-11 13:27:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-09-11 13:18:45 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\Grisoft
2007-09-11 11:59:41 0 d-------- C:\Program Files\SpywareBlaster
2007-09-11 10:38:55 6448 ---hs---- C:\WINDOWS\system32\wvvwa.bak1
2007-09-11 10:33:59 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-09-11 10:31:46 0 d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-09-11 10:31:37 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
2007-09-11 10:30:51 244832 --a------ C:\WINDOWS\system32\awvvw.dll
2007-09-11 08:59:38 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-11 08:59:38 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-09-11 08:59:38 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-09-11 08:59:38 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-11 08:59:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-11 08:59:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-11 08:59:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-11 08:59:37 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-11 08:59:36 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-10 10:19:38 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-31 10:01:45 0 d-------- C:\VundoFix Backups
2007-08-30 13:29:59 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\Lavasoft
2007-08-30 13:29:44 0 d-------- C:\Program Files\Lavasoft
2007-08-30 10:29:01 0 d-------- C:\WINDOWS\pss
2007-08-30 09:08:15 75328 --a------ C:\WINDOWS\system32\lioyrybl.exe <Not Verified; ; DDC>
2007-08-28 11:30:49 0 d-------- C:\Program Files\Network Monitor
2007-08-24 16:04:14 6473 ---hs---- C:\WINDOWS\system32\prutv.bak1
2007-08-24 14:54:52 6473 ---hs---- C:\WINDOWS\system32\ppqss.bak1
2007-08-24 13:38:24 6473 ---hs---- C:\WINDOWS\system32\ijkmp.bak1
2007-08-24 13:15:26 0 d-------- C:\Program Files\Windows Defender
2007-08-24 11:55:46 0 dr-h----- C:\Documents and Settings\Donna Perrott\Recent
2007-08-24 09:17:02 0 d-------- C:\viruses
2007-08-24 01:46:43 1612249 ---hs---- C:\WINDOWS\system32\vybeg.bak2
2007-08-23 14:57:12 0 d-------- C:\WINDOWS\system32\NtmsData
2007-08-23 10:39:13 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6
2007-08-23 10:14:00 52749 --a------ C:\WINDOWS\system32\lkdsrngk.exe <Not Verified; ; Browser Driver>
2007-08-23 09:49:35 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-23 09:44:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-23 09:44:02 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-08-23 09:31:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-08-23 09:30:55 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-08-23 09:25:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-08-22 13:45:58 1589403 --ahs---- C:\WINDOWS\system32\vybeg.bak1
2007-08-22 13:34:47 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-08-22 13:34:39 0 d--hs---- C:\WINDOWS\RG9ubmEgSiBIYXluZXM
2007-08-22 13:34:03 0 d-------- C:\WINDOWS\system32\cofig32
2007-08-22 13:34:02 0 d-------- C:\WINDOWS\system32\temps1
2007-08-22 13:34:02 0 d-------- C:\WINDOWS\system32\IBD4
2007-08-22 13:33:57 52742 --a------ C:\WINDOWS\system32\dwdsrngt.exe <Not Verified; ; Browser Driver>
2007-08-22 13:33:40 0 d-------- C:\WINDOWS\system32\f02WtR


-- Find3M Report ---------------------------------------------------------------

2007-09-11 15:21:54 0 d-------- C:\Program Files\Common Files
2007-09-11 10:38:33 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\OpenOffice.org2
2007-08-28 13:17:15 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\Corel
2007-08-24 09:19:13 0 d-------- C:\Program Files\Windows NT
2007-08-23 14:47:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 14:46:25 0 d-------- C:\Program Files\Dell
2007-08-23 09:21:21 0 d-------- C:\Program Files\Yahoo!
2007-07-16 11:53:52 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D10A71DE-B2C5-49FD-921F-4B2548C2ABAA}]
C:\WINDOWS\system32\jkhff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFA6AE74-0BB0-4871-BADF-B97FC42BFBBA}]
09/11/2007 10:30 AM 244832 --a------ C:\WINDOWS\system32\awvvw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4843D15-1A10-491C-8D9B-6BAB4CB5D090}]
C:\Program Files\Windows NT\wohuraki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/06/2003 10:19 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/06/2003 10:07 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/09/2006 12:47 PM]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [12/11/2003 08:35 PM]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [10/07/2003 02:21 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [12/14/2006 10:17 AM]
"\\DONNA\EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [05/19/2004 02:00 PM]
"@"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"{63-39-93-37-ZN}"="C:\windows\system32\lkdsrngk.exe" [08/23/2007 10:14 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Donna Perrott\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 7:00:00 AM]
TA_Start.lnk - C:\WINDOWS\SYSTEM32\lkdsrngk.exe [8/23/2007 10:14:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\awvvw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2007-09-11 16:03:47 ------------


Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.66GHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 254 MiB / 53.13 MiB
Pagefile Memory (total/avail): 622.04 MiB / 262.33 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1974.67 MiB

C: is Fixed (NTFS) - 37.21 GiB total, 21.49 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75FJA1 - 37.25 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v2004 (Symantec Corporation) Disabled
AV: AVG 7.5.484 v7.5.484 (GRISOFT)
AV: Norton AntiVirus v2004 (Symantec Corporation) Outdated

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\WINDOWS\\system32\\ksppkpor.exe"="C:\\WINDOWS\\system32\\ksp"
"C:\\WINDOWS\\system32\\udnpmylf.exe"="C:\\WINDOWS\\system32\\udn"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Donna Perrott\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRONT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Donna Perrott
LOGONSERVER=\\FRONT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DONNAP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DONNAP~1\LOCALS~1\Temp
USERDOMAIN=FRONT
USERNAME=Donna Perrott
USERPROFILE=C:\Documents and Settings\Donna Perrott
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Donna Perrott (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Brother HL-5170DN --> "C:\Program Files\Brother\BRHL5170\IsUninst.exe" -f"C:\Program Files\Brother\BRHL5170\DeIsL1.isu" -cbruninst.dll
CC_ccProxyMSI --> MsiExec.exe /I{A398F2DC-D706-4bb2-AC38-5532CD229D08}
CC_ccStart --> MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
Enhanced Ads by Think-Adz removal --> C:\WINDOWS\system32\pwinlmdt.exe -UPop
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6\uninstaller.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Lexmark Software Uninstall --> C:\Program Files\Lexmark_HostCD\Install\Uninstall.exe
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech iTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security --> MsiExec.exe /I{91AA4B1F-B918-4e0b-A304-F8D4EC5D7726}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{C9D599E1-6B68-4a1f-8A4F-A1DB433DB1BF}
Norton Internet Security --> MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton Internet Security (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton Spyware Scan provided by Yahoo! --> C:\PROGRA~1\Yahoo!\Common\unynss.exe
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
OpenOffice.org 2.0 --> MsiExec.exe /I{75852F49-2CAF-443F-B7C2-53DE5847DE56}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PC Rater --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9AEEA40-F590-4EB5-B0CE-566E40931621}\setup.exe" -l0x9 removeall
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Stamps.com --> "C:\Documents and Settings\All Users\Application Data\{093493DE-0BEE-430B-B715-9C7066583472}\stamps.exe" REMOVE=TRUE MODIFY=FALSE
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
The Print Shop 12 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DD1FE66-5536-41E3-B786-70068887B3F4}\setup.exe" -l0x9 anything
Think-Adz Search Assistant removal --> C:\WINDOWS\system32\pwinlmdt.exe -USearch
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
WinFSC Commerce West California --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B941B400-7AC7-4B1E-9FED-49CF12C87EA1}\SETUP.exe" -l0x9 -uninst -removeonly
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3379 / Warning
Event Submitted/Written: 09/11/2007 03:17:54 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3365 / Warning
Event Submitted/Written: 09/11/2007 03:03:07 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3364 / Warning
Event Submitted/Written: 09/11/2007 03:02:36 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}. CoGetObject returned HRESULT 80080005.

Event Record #/Type3362 / Error
Event Submitted/Written: 09/11/2007 03:01:21 PM / 09/11/2007 03:01:22 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry8024402cendsearchsearch1.1.1593.0mpsigdwn.dll1.1.1593.0windows defenderNILNILNIL

Event Record #/Type3348 / Warning
Event Submitted/Written: 09/11/2007 01:24:11 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15636 / Error
Event Submitted/Written: 09/11/2007 04:01:22 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the WMP54Gv4SVC service.

Event Record #/Type15634 / Warning
Event Submitted/Written: 09/11/2007 04:00:49 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {A1939CB5-89AB-4677-AB5F-A6FA1931B85A}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02

Event Record #/Type15633 / Warning
Event Submitted/Written: 09/11/2007 04:00:49 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {E60F117C-D8D7-46F5-B94F-44544934991F}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02

Event Record #/Type15632 / Warning
Event Submitted/Written: 09/11/2007 04:00:49 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {1CE2C2D3-9059-4EE7-A1D5-F04ECE87122C}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02

Event Record #/Type15630 / Error
Event Submitted/Written: 09/11/2007 04:00:49 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.



-- End of Deckard's System Scanner: finished at 2007-09-11 16:03:47 ------------
  • 0

#6
Stamper19

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi GoKarGo,

Alright - we are making some progress now. Let's continue.

----------------------------------------------------------------

We are going to use ComboFix to delete some things.
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\WINDOWS\SYSTEM32\prutv.bak1
C:\WINDOWS\SYSTEM32\ppqss.bak1
C:\WINDOWS\SYSTEM32\ijkmp.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\SYSTEM32\lkdsrngk.exe
C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\lioyrybl.exe 
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\SYSTEM32\pwinlmdt.exe

Folder::
C:\WINDOWS\RG9ubmEgSiBIYXluZXM
C:\WINDOWS\SYSTEM32\temps1
C:\WINDOWS\SYSTEM32\IBD4
C:\WINDOWS\SYSTEM32\cofig32
C:\Documents and Settings\All Users\Application Data\SalesMonitor
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\WINDOWS\system32\f02WtR

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

----------------------------------------------------------------

Occasionally malware will hide itself from HiJack This. To make sure that's not happening, let's rename HiJack This and get a fresh log.

Rename HijackThis.exe to H.exe.
  • Right click on HijackThis.exe and choose "Rename"
  • Type H.exe.
----------------------------------------------------------------

Information to include in your next post:
  • ComboFix log
  • Fresh HiJack This Log using the renamed executable.

  • 0

#7
GoKarGo

GoKarGo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here you go! This is getting easier :whistling:


Logfile of HijackThis v1.99.1
Scan saved at 5:35:33 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE"
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [\\DONNA\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P39 "\\DONNA\EPSON Stylus Photo RX620 Series" /O6 "USB002" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [{63-39-93-37-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170882246093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)


ComboFix 07-09-10.6 - "Donna Perrott" 2007-09-11 17:25:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.65 [GMT -7:00]
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\prutv.bak1
C:\WINDOWS\SYSTEM32\ppqss.bak1
C:\WINDOWS\SYSTEM32\ijkmp.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\SYSTEM32\lkdsrngk.exe
C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\lioyrybl.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\SYSTEM32\pwinlmdt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup\ta_start.lnk
C:\WINDOWS\RG9ubmEgSiBIYXluZXM
C:\WINDOWS\SYSTEM32\cofig32
C:\WINDOWS\SYSTEM32\cofig32\r1w2821.exe
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\SYSTEM32\IBD4
C:\WINDOWS\SYSTEM32\ijkmp.bak1
C:\WINDOWS\SYSTEM32\lkdsrngk.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\SYSTEM32\ppqss.bak1
C:\WINDOWS\SYSTEM32\prutv.bak1
C:\WINDOWS\SYSTEM32\temps1
C:\WINDOWS\SYSTEM32\vybeg.bak1
C:\WINDOWS\SYSTEM32\vybeg.bak2


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-11 16:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 15:58 <DIR> d-------- C:\Deckard
2007-09-11 13:18 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-11 11:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-09-10 10:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-31 10:01 <DIR> d-------- C:\VundoFix Backups
2007-08-30 13:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-30 13:29 <DIR> d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\Lavasoft
2007-08-30 10:29 <DIR> d-------- C:\WINDOWS\pss
2007-08-24 13:15 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-24 09:17 <DIR> d-------- C:\viruses
2007-08-23 14:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-08-23 10:40 94,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-08-23 10:39 <DIR> d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\HouseCall 6.6
2007-08-23 09:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yahoo!
2007-08-23 09:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 10:38 --------- d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\OpenOffice.org2
2007-08-28 13:17 --------- d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\Corel
2007-08-24 13:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-23 14:47 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 14:46 --------- d-------- C:\Program Files\Dell
2007-08-23 09:21 --------- d-------- C:\Program Files\Yahoo!
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-07-16 11:53 20747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-07-16 11:53 --------- d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2007-07-12 16:31 765952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 07:34 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
2007-05-09 14:18 173941 --a------ C:\Program Files\CA14C7DX.pdf
2007-05-07 11:36 105738 --a------ C:\Program Files\PrintViewDoc.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D10A71DE-B2C5-49FD-921F-4B2548C2ABAA}]
C:\WINDOWS\system32\jkhff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4843D15-1A10-491C-8D9B-6BAB4CB5D090}]
C:\Program Files\Windows NT\wohuraki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 22:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 22:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 12:47]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 20:35]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 14:21]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-12-14 10:17]
"\\DONNA\EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 14:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"{63-39-93-37-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\awvvw

R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS

.
Contents of the 'Scheduled Tasks' folder
"2004-07-13 22:09:44 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2007-09-11 23:38:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-12-23 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-09-12 00:31:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 17:30:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\DONNA\\EPSON Stylus Photo RX620 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9HA.EXE /P39 \"\\\\DONNA\\EPSON Stylus Photo RX620 Series\" /O6 \"USB002\" /M \"Stylus Photo RX620\""
.
Completion time: 2007-09-11 17:31:58
C:\ComboFix-quarantined-files.txt ... 2007-09-11 17:31
C:\ComboFix2.txt ... 2007-09-11 16:46
.
--- E O F ---
  • 0

#8
Stamper19

Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi GoKarGo,

You are doing a great job :whistling:

Are you noticing any improvements in the computer yet?

We are definitely getting there. Still some work to do, but I'm seeing light at the end of the tunnel.

----------------------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
O4 - HKLM\..\Run: [{63-39-93-37-ZN}] c:\windows\system32\dwdsrngt.exe CHD003


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

----------------------------------------------------------------

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Think-Adz Search Assistant removal
Viewpoint Media Player


----------------------------------------------------------------

Click here to download AVG Anti Rootkit and save it to your desktop.
  • Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
  • Click "I Agree" to agree to the EULA.
  • By default it will install to "C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
  • Click "Next" to begin the installation then click "Install".
  • It will then ask you to reboot now to finish the installation.
  • Click "Finish" and your computer will reboot.
  • After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
  • Click on the "Perform in-depth search" button to begin the scan.
  • The scan will take a while so be patient and let it complete.
  • When the scan is finished, click the "Save result to file" button.
  • Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.
----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
----------------------------------------------------------------

Information to include in your next post:
  • AVG Anti-RootKit Report
  • Kaspersky Scan log
  • Fresh HiJack This Log
  • Let me know how the computer is running.

  • 0
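The four entries Stamper19 picked out of the log share structural tells rather than known-bad names: browser add-ons whose DLL is missing or unnamed, a Run value named with a random bracketed token, and a SearchURL override pointing somewhere other than the user's search provider. As an added example (not code from the thread, from HijackThis or from ComboFix), the script below parses the R0/R1, O2/O3 and O4 line formats shown in the log and flags entries on exactly those criteria; the sample log, the placeholder redirector host and the search-provider allowlist are constructed.

```python
"""Triage helper for a HijackThis v1.99 log (added example, not from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Entry:
    kind: str           # HijackThis section: R0, R1, O2, O3, O4
    name: str           # add-on name, Run value name, or "<key leaf>,<value name>"
    detail: str         # DLL path, command line, or URL
    file_missing: bool  # HijackThis appended "(file missing)"


# Every HijackThis line has the shape "<kind> - <body>".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O2/O3: "BHO: <name> - {CLSID} - <path>[ (file missing)]"  (Toolbar: for O3)
ADDON_RE = re.compile(
    r"^(?:BHO|Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1: "<hive\key>,<value name> = <data>"
IE_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# Value names like {63-39-93-37-ZN}: bracketed two-character groups, no product word.
RANDOM_NAME_RE = re.compile(r"^\{[0-9A-Z]{2}(?:-[0-9A-Z]{2}){2,}\}$")
# Constructed allowlist; extend it with the search providers you actually expect.
TRUSTED_SEARCH_HOSTS = {"www.yahoo.com", "search.yahoo.com", "www.google.com"}


def parse(log: str) -> list[Entry]:
    """Turn HijackThis lines into Entry records; unrecognised lines are skipped."""
    entries: list[Entry] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("O2", "O3") and (a := ADDON_RE.match(body)):
            entries.append(Entry(kind, a["name"], a["path"], a["missing"] is not None))
        elif kind == "O4" and (r := RUN_RE.match(body)):
            entries.append(Entry(kind, r["name"], r["cmd"], False))
        elif kind in ("R0", "R1") and (i := IE_RE.match(body)):
            leaf = i["key"].rsplit("\\", 1)[-1]  # e.g. "SearchURL" or "Main"
            entries.append(Entry(kind, f"{leaf},{i['value'].strip()}", i["data"], False))
    return entries


def flag_suspicious(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Apply the three heuristics; returns (entry, reason) pairs for human review."""
    hits: list[tuple[Entry, str]] = []
    for e in entries:
        if e.kind in ("O2", "O3") and (e.file_missing or e.name in ("(no name)", "0")):
            hits.append((e, "browser add-on with missing or unnamed DLL"))
        elif e.kind == "O4" and RANDOM_NAME_RE.match(e.name):
            hits.append((e, "Run value named with a random bracketed token"))
        elif e.kind == "R1" and e.name.startswith("SearchURL,"):
            host = urlparse(e.detail).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                hits.append((e, f"SearchURL override to untrusted host {host!r}"))
    return hits


# Constructed sample in the format of the log above; the redirector host is a
# placeholder, not the (truncated) one from the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://redirector.example.test/?q=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{63-39-93-37-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
"""

if __name__ == "__main__":
    for entry, reason in flag_suspicious(parse(SAMPLE_LOG)):
        print(f"{entry.kind} [{entry.name}] {entry.detail} -> {reason}")
```

The heuristics only shortlist entries for a human to review; a missing-DLL BHO may be a leftover from an uninstall, and a Run value with a random name still needs the file looked at before anything is removed.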

#9
GoKarGo

GoKarGo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here I am again!!
Well, first, the computer is still taking an awfully long time to load everything. Not much improvement in speed. Also, I disabled anti-virus and spyware everything to run the Kaspersky scan. The Kaspersky scan found a lot of stuff; did I get more just from connecting to the internet to run the scan? I don't know...

Anyway here are the results:

AVG Anti root kit scan results: nothing was found

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 11, 2007 8:23:51 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412445
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 74517
Number of viruses found: 13
Number of infected objects: 37
Number of suspicious objects: 0
Duration of the scan process: 01:12:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-08242007-131604.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6\Backup\b122.exe.bac_a04076 Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6\Backup\opnkllm.dll.bac_a04076 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6\Backup\retadpu1000106.exe.bac_a04076 Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6\Backup\sady22011.exe.bac_a04076 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6\Backup\yayxuur.dll.bac_a04076 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\Donna Perrott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Donna Perrott\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped
C:\Documents and Settings\Donna Perrott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Donna Perrott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Donna Perrott\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Donna Perrott\Local Settings\Temp\Perflib_Perfdata_4b8.dat Object is locked skipped
C:\Documents and Settings\Donna Perrott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Donna Perrott\ntuser.dat Object is locked skipped
C:\Documents and Settings\Donna Perrott\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\Antispam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A9E734A Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6AA44743 Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FF03339 Infected: not-a-virus:Downloader.Win32.WinFixer.w skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cofig32\r1w2821.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\dwdsrngt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\lioyrybl.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\lkdsrngk.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP332\A0018916.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP332\A0018951.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0020775.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0020776.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0020777.exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0021861.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP349\A0021886.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP351\A0021930.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022088.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022095.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022095.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022112.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022112.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP365\A0022201.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP365\A0022202.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP365\A0022206.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP366\A0022348.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP366\A0022350.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP366\A0022351.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP366\change.log Object is locked skipped
C:\VundoFix Backups\fccyvut.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\rqrssqq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\yayxuur.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{43E6E736-406B-4068-99C7-4B65A9165167}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\T30DebugLogFile.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 8:16:12 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE"
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [\\DONNA\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P39 "\\DONNA\EPSON Stylus Photo RX620 Series" /O6 "USB002" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170882246093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

#10 Stamper19 (Expert, 1,992 posts)
Hi GoKarGo,

Although it might appear otherwise, the Kaspersky scan actually came back clean. Those logs take a bit of practice to interpret - everything that it found on your computer was either a backup or quarantined file, and those cause no trouble.

Are you getting any more pop-ups, or is the machine just slow?

Malware-wise things look good at this point, but let's run one more scan just to be certain.

----------------------------------------------------------------

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
----------------------------------------------------------------

Please re-run Deckard's System Scanner (DSS), but using a slightly different procedure.
  • Click on Start, click on Run
  • Copy and paste the following in bold in the open window and then click OK
    • "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All
  • Click Scan
  • DSS will now run again
  • When finished, please post back both logs that open in notepad: Main txt and extra txt
----------------------------------------------------------------

Information to include in your next post:
  • SuperAntiSpyware Log
  • Main.txt and Extra.txt from DSS
  • Update me on how the computer is running.
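
Stamper19's point about the Kaspersky report above is that a detection only matters when the file sits in a live location, not in a quarantine, backup or System Restore copy. The following is an added example for this thread, not code from Kaspersky or from the forum: a small Python triage script for the "Infected Object Name / Virus Name / Last Action" lines of a Kaspersky Online Scanner report. The set of inert folders is an assumption taken from the paths that appear in this thread, the sample report reuses six lines from the posted log, and its last line (example_live.dll / Trojan.Win32.Example.a) is a constructed placeholder, not a real detection.

```python
"""Triage helper for Kaspersky Online Scanner report lines.

Added example for this thread, not code from Kaspersky or from the forum.
It sorts the "Infected Object Name / Virus Name / Last Action" lines into
buckets so a reader can see whether a detection sits in a live location or
only in a quarantine, backup or System Restore copy.
"""
import re
from collections import defaultdict

# Folders that hold inert copies of removed files. Assumption: the list is
# taken from paths that appear in this thread (Norton quarantine, ComboFix's
# qoobox, VundoFix backups, HouseCall backups, System Restore points); extend
# it for whatever tools are present on the machine being checked.
INERT_PATH_MARKERS = (
    r"\norton antivirus\quarantine",
    r"\qoobox\quarantine",
    r"\vundofix backups",
    r"\housecall 6.6\backup",
    r"\system volume information\_restore",
)

# One report line is: <path> then one of
#   "Object is locked"           -> file could not be opened, nothing detected
#   "Infected: <detection name>" -> a detection
#   "<packer>: infected - <n>"   -> container verdict for an archive/installer
# followed by the action taken (the online scanner only reports, so "skipped").
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected:\s+(?P<name>\S+)"
    r"|(?P<container>\w+: infected - \d+))"
    r"\s+(?P<action>skipped|deleted|disinfected)$"
)


def classify(line):
    """Return (bucket, path, detection_name) for one report line.

    bucket is one of "locked", "inert", "live" or "unparsed".
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return ("unparsed", line.strip(), None)
    path = m.group("path")
    if m.group("locked"):
        return ("locked", path, None)
    name = m.group("name") or m.group("container")
    lowered = path.lower()
    if any(marker in lowered for marker in INERT_PATH_MARKERS):
        return ("inert", path, name)
    return ("live", path, name)


def triage(report_text):
    """Group every non-blank line of the report by bucket."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        if line.strip():
            bucket, path, name = classify(line)
            buckets[bucket].append((path, name))
    return dict(buckets)


def live_detections(report_text):
    """Detections outside quarantine/backup/restore-point folders: the only
    ones that call for further clean-up."""
    return triage(report_text).get("live", [])


# Constructed sample: six lines copied from the report posted in this thread
# plus one made-up line (example_live.dll / Trojan.Win32.Example.a) that is a
# placeholder, not a real detection, to show what a live hit would look like.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A9E734A Infected: Trojan.Java.ClassLoader.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\lioyrybl.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022095.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP361\A0022095.exe Inno: infected - 1 skipped
C:\VundoFix Backups\fccyvut.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\example_live.dll Infected: Trojan.Win32.Example.a skipped
"""

if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {len(items)}")
    for path, name in live_detections(SAMPLE_REPORT):
        print(f"needs attention: {name} at {path}")
```

Run against the full report posted in this thread, every detection lands in the "inert" bucket and "live" stays empty, which is the "came back clean" reading. Locked objects are reported separately because they are ordinary in-use system files (registry hives, event logs, index.dat), not findings.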

#11 GoKarGo (Topic Starter, Member, 26 posts)

Edited by GoKarGo, 12 September 2007 - 11:40 AM.

#12 GoKarGo (Topic Starter, Member, 26 posts)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/12/2007 at 09:55 AM

Application Version : 3.9.1008

Core Rules Database Version : 3304
Trace Rules Database Version: 1310

Scan type : Complete Scan
Total Scan Time : 00:42:04

Memory items scanned : 505
Memory threats detected : 0
Registry items scanned : 4924
Registry threats detected : 0
File items scanned : 73877
File threats detected : 81

Adware.Tracking Cookie
C:\Documents and Settings\Donna Perrott\cookies\donna_perrott@atwola[2].txt
C:\Documents and Settings\Donna Perrott\cookies\donna_perrott@revsci[2].txt
C:\Documents and Settings\Donna Perrott\cookies\[email protected][2].txt
C:\Documents and Settings\Donna Perrott\cookies\donna_perrott@2o7[2].txt
C:\Documents and Settings\Donna Perrott\cookies\[email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@adecn[1].txt
C:\Front Office\New Folder\Cookies\front desk@adknowledge[2].txt
C:\Front Office\New Folder\Cookies\front desk@adprofile[2].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@adultedreg[2].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front desk@atwola[2].txt
C:\Front Office\New Folder\Cookies\front desk@azjmp[2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@bannerspace[1].txt
C:\Front Office\New Folder\Cookies\front desk@belnk[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@conversiontracker[2].txt
C:\Front Office\New Folder\Cookies\front desk@coolsavings[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@emarketmakers[2].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front desk@focalex[1].txt
C:\Front Office\New Folder\Cookies\front desk@free-banners[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front desk@interclick[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front desk@kanoodle[1].txt
C:\Front Office\New Folder\Cookies\front desk@lynxtrack[2].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@media202[1].txt
C:\Front Office\New Folder\Cookies\front desk@mediactivate[2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@mywebsearch[1].txt
C:\Front Office\New Folder\Cookies\front desk@nbads[2].txt
C:\Front Office\New Folder\Cookies\front desk@nextag[2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@optimost[1].txt
C:\Front Office\New Folder\Cookies\front desk@partner2profit[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@qnsr[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@screensavers[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@sexsearchcom[2].txt
C:\Front Office\New Folder\Cookies\front desk@sextoysex[1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][2].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front [email protected][1].txt
C:\Front Office\New Folder\Cookies\front desk@yfdmedia[1].txt

Edited by GoKarGo, 12 September 2007 - 12:02 PM.

#13 GoKarGo (Topic Starter, Member, 26 posts)
Sorry about the extra posts, there was a problem where they were posting blank. I thought maybe I was trying to put too much in at once.... so I split it in two. Please see SUPERAntiSpyware results above.

I also was trying to tell you that I think you are an angel and I really appreciate all your help!!!

The computer is still taking a very long time to load, but once it gets going it seems to be working fine.

Deckard's System Scanner v20070905.67
Run by Donna Perrott on 2007-09-12 10:57:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
93: 2007-09-12 17:20:27 UTC - RP369 - Deckard's System Scanner Restore Point
92: 2007-09-12 16:10:42 UTC - RP368 - Installed SUPERAntiSpyware Free Edition
91: 2007-09-12 13:45:10 UTC - RP367 - Software Distribution Service 3.0
90: 2007-09-12 00:25:25 UTC - RP366 - ComboFix created restore point
89: 2007-09-11 23:24:51 UTC - RP365 - ComboFix created restore point


-- First Restore Point --
1: 2007-09-11 17:31:16 UTC - RP277 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Donna Perrott.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:57:39 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Donna Perrott\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\DONNAP~1.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE"
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [\\DONNA\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P39 "\\DONNA\EPSON Stylus Photo RX620 Series" /O6 "USB002" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170882246093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070911-180814-616 O2 - BHO: 0 - {E4843D15-1A10-491C-8D9B-6BAB4CB5D090} - C:\Program Files\Windows NT\wohuraki.dll (file missing)
backup-20070911-180814-826 O4 - HKLM\..\Run: [{63-39-93-37-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
backup-20070911-180814-836 O2 - BHO: (no name) - {D10A71DE-B2C5-49FD-921F-4B2548C2ABAA} - C:\WINDOWS\system32\jkhff.dll (file missing)
backup-20070911-180814-981 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\donnap~1\locals~1\temp\catchme.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 rtl8180 (Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver) - c:\windows\system32\drivers\rtl8180.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8180 Wireless LAN (Mini-)PCI NIC>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe (file missing)
S2 AVGEMS (AVG E-mail Scanner) - c:\progra~1\grisoft\avg7\avgemc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Service: bcm4sbxp


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\SYSTEM32\winlogon.exe (pid 496)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 1904)
2004-03-18 10:26:48 114688 --a------ C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL <Not Verified; Logitech Inc.; Productivity Software Common Files>
2004-03-18 10:26:50 4608 --a------ C:\Program Files\Logitech\iTouch\itchhk.dll <Not Verified; Logitech Inc.; iTouch>
2004-03-18 10:26:12 5120 --a------ C:\Program Files\Logitech\iTouch\KbdHook.dll <Not Verified; Logitech Inc.; iTouch>
2007-02-27 12:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>
2006-12-20 13:55:48 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>


-- Scheduled Tasks -------------------------------------------------------------

2007-09-12 10:56:00 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-09-12 10:07:39 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2006-12-22 21:00:00 564 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2004-07-13 15:09:44 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2007-08-12 and 2007-09-12 -----------------------------

2007-09-12 09:11:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-12 09:10:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-12 09:10:44 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\SUPERAntiSpyware.com
2007-09-12 09:09:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-11 18:34:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-11 18:34:00 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-11 13:27:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-09-11 13:18:45 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\Grisoft
2007-09-11 11:59:41 0 d-------- C:\Program Files\SpywareBlaster
2007-09-11 08:59:38 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-11 08:59:38 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-09-11 08:59:38 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-09-11 08:59:38 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-09-11 08:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-11 08:59:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-11 08:59:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-11 08:59:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-11 08:59:37 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-09-11 08:59:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-11 08:59:36 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-10 10:19:38 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-31 10:01:45 0 d-------- C:\VundoFix Backups
2007-08-30 13:29:59 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\Lavasoft
2007-08-30 13:29:44 0 d-------- C:\Program Files\Lavasoft
2007-08-30 10:29:01 0 d-------- C:\WINDOWS\pss
2007-08-24 13:15:26 0 d-------- C:\Program Files\Windows Defender
2007-08-24 11:55:46 0 dr-h----- C:\Documents and Settings\Donna Perrott\Recent
2007-08-24 09:17:02 0 d-------- C:\viruses
2007-08-23 14:57:12 0 d-------- C:\WINDOWS\system32\NtmsData
2007-08-23 10:39:13 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6
2007-08-23 09:49:35 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-23 09:44:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-23 09:44:02 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-08-23 09:31:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-08-23 09:30:55 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-08-23 09:25:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion


-- Find3M Report ---------------------------------------------------------------

2007-09-12 10:08:14 0 d-------- C:\Program Files\Common Files
2007-09-11 10:38:33 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\OpenOffice.org2
2007-08-28 13:17:15 0 d-------- C:\Documents and Settings\Donna Perrott\Application Data\Corel
2007-08-24 09:19:13 0 d-------- C:\Program Files\Windows NT
2007-08-23 14:47:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 14:46:25 0 d-------- C:\Program Files\Dell
2007-08-23 09:21:21 0 d-------- C:\Program Files\Yahoo!
2007-07-16 11:53:52 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/06/2003 10:19 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/06/2003 10:07 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/09/2006 12:47 PM]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [12/11/2003 08:35 PM]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [10/07/2003 02:21 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [12/14/2006 10:17 AM]
"\\DONNA\EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [05/19/2004 02:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Donna Perrott\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 7:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 7:00:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\awvvw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2007-09-12 11:00:55 ------------

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.66GHz
Percentage of Memory in Use: 83%
Physical Memory (total/avail): 254 MiB / 42.44 MiB
Pagefile Memory (total/avail): 622.03 MiB / 200.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.98 MiB

C: is Fixed (NTFS) - 37.21 GiB total, 21.27 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75FJA1 - 37.25 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.

FW: Norton Internet Security v2004 (Symantec Corporation) Disabled
AV: AVG 7.5.484 v7.5.484 (GRISOFT)
AV: Norton AntiVirus v2004 (Symantec Corporation) Outdated

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Donna Perrott\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRONT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Donna Perrott
LOGONSERVER=\\FRONT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DONNAP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DONNAP~1\LOCALS~1\Temp
USERDOMAIN=FRONT
USERNAME=Donna Perrott
USERPROFILE=C:\Documents and Settings\Donna Perrott
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Donna Perrott (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
AVG Anti-Rootkit Beta --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\Uninstall.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Brother HL-5170DN --> "C:\Program Files\Brother\BRHL5170\IsUninst.exe" -f"C:\Program Files\Brother\BRHL5170\DeIsL1.isu" -cbruninst.dll
CC_ccProxyMSI --> MsiExec.exe /I{A398F2DC-D706-4bb2-AC38-5532CD229D08}
CC_ccStart --> MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\Donna Perrott\Application Data\HouseCall 6.6\uninstaller.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lexmark Software Uninstall --> C:\Program Files\Lexmark_HostCD\Install\Uninstall.exe
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech iTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security --> MsiExec.exe /I{91AA4B1F-B918-4e0b-A304-F8D4EC5D7726}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{C9D599E1-6B68-4a1f-8A4F-A1DB433DB1BF}
Norton Internet Security --> MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton Internet Security (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton Spyware Scan provided by Yahoo! --> C:\PROGRA~1\Yahoo!\Common\unynss.exe
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
OpenOffice.org 2.0 --> MsiExec.exe /I{75852F49-2CAF-443F-B7C2-53DE5847DE56}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PC Rater --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9AEEA40-F590-4EB5-B0CE-566E40931621}\setup.exe" -l0x9 removeall
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Stamps.com --> "C:\Documents and Settings\All Users\Application Data\{093493DE-0BEE-430B-B715-9C7066583472}\stamps.exe" REMOVE=TRUE MODIFY=FALSE
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
The Print Shop 12 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DD1FE66-5536-41E3-B786-70068887B3F4}\setup.exe" -l0x9 anything
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
WinFSC Commerce West California --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B941B400-7AC7-4B1E-9FED-49CF12C87EA1}\SETUP.exe" -l0x9 -uninst -removeonly
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3424 / Warning
Event Submitted/Written: 09/12/2007 10:03:00 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3408 / Warning
Event Submitted/Written: 09/11/2007 06:14:02 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3394 / Warning
Event Submitted/Written: 09/11/2007 04:33:59 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3379 / Warning
Event Submitted/Written: 09/11/2007 03:17:54 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3365 / Warning
Event Submitted/Written: 09/11/2007 03:03:07 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15851 / Warning
Event Submitted/Written: 09/12/2007 10:58:11 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {08DECAAD-4866-4BE4-A309-876688BBAB90}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02

Event Record #/Type15850 / Warning
Event Submitted/Written: 09/12/2007 10:58:11 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {5966FEF5-CE0A-4C79-9E5E-3BE04C0316FF}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02

Event Record #/Type15849 / Warning
Event Submitted/Written: 09/12/2007 10:58:11 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {B21499EC-0565-47F8-ACCD-7DA8039B59B6}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02

Event Record #/Type15848 / Warning
Event Submitted/Written: 09/12/2007 10:58:11 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {81DDDA27-22CE-4434-A9BF-774D4971E9E2}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02

Event Record #/Type15847 / Warning
Event Submitted/Written: 09/12/2007 10:58:10 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FRONT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FRONT27 can't undo changes that you allow.

For more information please see the following:
%FRONT275

Scan ID: {585488E8-4FF0-4710-89B7-5CF58C60DE31}

User: FRONT\Donna Perrott

Name: %FRONT271

ID: %FRONT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FRONT276

Alert Type: %FRONT278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2007-09-12 11:00:55 ------------

Edited by GoKarGo, 12 September 2007 - 12:45 PM.


#14
Stamper19

    Expert

  • Expert
  • 1,992 posts
Hi GoKarGo,

I also was trying to tell you that I think you are an angel and I really appreciate all your help!!!

Thanks! I'm certainly not an angel, but I am happy to be able to help you out :whistling: You'd be amazed how often people don't even bother to say "thank you", which makes your kind words that much more appreciated.

I also saw that you had trouble posting. There is a bug on the boards that sometimes causes your posts not to show. When this happens just wrap your entire post in a quote box and that will fix it. To do that simply type your post, highlight the entire post, and then press the "wrap in quotes" button (it is the second button from the right under the "Fonts" drop-down list box).

As for your logs, things are looking pretty good. SuperAntiSpyware found only cookies. There is one thing I still want to fix, so let's do that now.

----------------------------------------------------------------

We are going to need to make some changes to your Windows Registry. Please copy to notepad, or print out all the directions below. It is important to follow the instructions carefully, as changes to the registry can seriously damage your system if not done correctly.

First we need to backup your registry.

Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

----------------------------------------------------------------

We are going to use ComboFix to delete some things.
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

----------------------------------------------------------------

Information to include in your next post:
  • ComboFix Log


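The CFScript in the post above resets the LSA "Authentication Packages" value to its stock content: the hex(7) bytes 6d,73,76,31,5f,30,00,00 are the ANSI text "msv1_0" followed by the double NUL that ends a REG_MULTI_SZ list. Any extra name in that list is a DLL that lsass.exe loads at every boot, which is why the value is a persistence point worth auditing. As an added example (written for this thread, not Stamper19's own material and not part of ComboFix), the Python script below decodes such a hex(7) line into the package names it carries, compares them with the Windows XP default, and shows how the line in the post was built. The tampered sample line and the package name "badpkg" are constructed for illustration only; `read_live_value` uses the standard `winreg` module and runs only on Windows. The parser assumes the value sits on a single line without `.reg` backslash continuations.

```python
"""Decode and audit a .reg/CFScript hex(7) "Authentication Packages" value.

Added example for the thread above; not code from the forum post or ComboFix.
"""
from __future__ import annotations

import re
import sys

# Stock content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
# on Windows XP: only the MSV1_0 (NTLM) authentication package.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)

# The value line from the CFScript in the post above, verbatim.
CFSCRIPT_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Constructed sample of a tampered value: an extra package appended after
# msv1_0. "badpkg" is a placeholder name, not anything from the thread.
TAMPERED_LINE = (
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,'
    "62,61,64,70,6b,67,00,00"
)

_HEX7_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>[0-9a-fA-F]{2}(?:,\s*[0-9a-fA-F]{2})*)\s*$'
)


def parse_hex7(line: str) -> list[str]:
    """Return the list of strings encoded by a hex(7) (REG_MULTI_SZ) value line."""
    m = _HEX7_RE.match(line)
    if not m:
        raise ValueError(f"not a single-line hex(7) value: {line!r}")
    raw = bytes(int(b, 16) for b in m.group("data").replace(" ", "").split(","))
    # Regedit 5 exports store REG_MULTI_SZ as UTF-16LE; the CFScript above uses
    # 8-bit characters. UTF-16LE ASCII text has a zero byte in every odd slot.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # Entries are NUL-separated; the list ends with an empty entry (double NUL).
    return [s for s in text.split("\x00") if s]


def to_hex7(name: str, strings: list[str]) -> str:
    """Build the 8-bit hex(7) line for a list of strings, as in the CFScript."""
    data = ("\x00".join(strings) + "\x00\x00").encode("latin-1")
    return f'"{name}"=hex(7):' + ",".join(f"{b:02x}" for b in data)


def check_auth_packages(line: str) -> tuple[bool, list[str]]:
    """Return (is_default, unexpected_packages) for a hex(7) value line."""
    pkgs = parse_hex7(line)
    is_default = [p.lower() for p in pkgs] == list(DEFAULT_AUTH_PACKAGES)
    unexpected = [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return is_default, unexpected


def read_live_value() -> list[str] | None:
    """Read the live value through winreg; returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, value_type = winreg.QueryValueEx(key, "Authentication Packages")
    if value_type != winreg.REG_MULTI_SZ:
        raise TypeError(f"unexpected registry type {value_type}")
    return list(value)


if __name__ == "__main__":
    for label, line in (("CFScript value", CFSCRIPT_LINE), ("constructed sample", TAMPERED_LINE)):
        ok, extra = check_auth_packages(line)
        print(f"{label}: packages={parse_hex7(line)} default={ok} unexpected={extra}")
    live = read_live_value()
    if live is not None:
        print("live value:", live)
    else:
        print("live registry check skipped (not running on Windows)")
```

Running the script on the value from the post reports `['msv1_0']` as the default; on the constructed sample it flags `badpkg` as unexpected, which is the condition that would justify a fix script like the one above.
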
#15
GoKarGo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here we go:

ComboFix 07-09-10.6 - "Donna Perrott" 2007-09-12 13:04:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Donna Perrott\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 13:02 62,976,000 --a------ C:\backup.reg
2007-09-12 09:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-12 09:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-12 09:10 <DIR> d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-12 09:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-11 18:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-11 18:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-11 16:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 15:58 <DIR> d-------- C:\Deckard
2007-09-11 13:18 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-11 11:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-09-11 08:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-09-10 10:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-31 10:01 <DIR> d-------- C:\VundoFix Backups
2007-08-30 13:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-30 13:29 <DIR> d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\Lavasoft
2007-08-30 10:29 <DIR> d-------- C:\WINDOWS\pss
2007-08-24 13:15 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-24 09:17 <DIR> d-------- C:\viruses
2007-08-23 14:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-08-23 10:40 94,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-08-23 10:39 <DIR> d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\HouseCall 6.6
2007-08-23 09:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yahoo!
2007-08-23 09:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 11:51 --------- d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\OpenOffice.org2
2007-08-28 13:17 --------- d-------- C:\DOCUME~1\DONNAP~1\APPLIC~1\Corel
2007-08-24 13:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-23 14:47 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 14:46 --------- d-------- C:\Program Files\Dell
2007-08-23 09:21 --------- d-------- C:\Program Files\Yahoo!
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-07-16 11:53 20747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-07-16 11:53 --------- d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2007-07-12 16:31 765952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 07:34 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
2007-05-09 14:18 173941 --a------ C:\Program Files\CA14C7DX.pdf
2007-05-07 11:36 105738 --a------ C:\Program Files\PrintViewDoc.pdf
.

((((((((((((((((((((((((((((( snapshot_2007-09-11_164207.64 )))))))))))))))))))))))))))))))))))))))))
.
----a-r 29,696 2007-09-12 16:10:52 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
----a-r 18,944 2007-09-12 16:10:52 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
----a-r 65,024 2007-09-12 16:10:52 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
----a-w 6,144 2006-07-26 12:09:26 C:\WINDOWS\SYSTEM32\DRIVERS\anti_rkt.sys
----a-w 3,712 2006-07-26 12:09:20 C:\WINDOWS\SYSTEM32\DRIVERS\cleandrv.sys
----a-w 213,048 2005-05-24 18:27:16 C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-09-07 18:29:00 C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-09-07 18:29:00 C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 22:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 22:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 12:47]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 20:35]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 14:21]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-12-14 10:17]
"\\DONNA\EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 14:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\DONNAP~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8180.SYS

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2004-07-13 22:09:44 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2007-09-12 17:07:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-12-23 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-09-12 20:06:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 13:08:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\DONNA\\EPSON Stylus Photo RX620 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9HA.EXE /P39 \"\\\\DONNA\\EPSON Stylus Photo RX620 Series\" /O6 \"USB002\" /M \"Stylus Photo RX620\""
.
Completion time: 2007-09-12 13:10:52
C:\ComboFix-quarantined-files.txt ... 2007-09-12 13:10
C:\ComboFix2.txt ... 2007-09-11 17:31
C:\ComboFix3.txt ... 2007-09-11 16:46
.
--- E O F ---