Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help with Worm.Win32.NetSky virus [RESOLVED]

Started by TADontAsk , Oct 26 2007 07:07 PM

This topic is locked

#1
TADontAsk

Posted 26 October 2007 - 07:07 PM

Member

Member
16 posts

Hi, a virus has recently attacked my computer. I believe it came from a program called VideoAccessCodecInstall.exe. There are many Windows Security Popups that keep coming up, and one of them keeps saying I have the "Worm.Win32.NetSky" virus. Whatever I click on in these popups, it opens up to a website (http://scanner.adwar...m/5/?advid=1216 or some other remover product). They popup frequently enough that I can barely type this without being interrupted. It also keeps replacing my background with a red screen saying that my computer may be infected. I've posted my HijackThis log. Any help would be much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 9:06:11 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navw32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: MSVPS System - {6EB10F79-5E53-4F76-B146-409EFCDCB957} - C:\WINDOWS\movctrlfqd.dll
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: The nssfrch - {DF0ACE0C-4A3F-4A1F-8676-BA16DEB23C70} - C:\WINDOWS\nssfrch.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bxsbang - {E60C7E24-41F0-41E3-9908-EC6B1F0A0F1F} - C:\WINDOWS\bxsbang.dll
O21 - SSODL: ocgrep - {D2694D28-A857-4BEA-9C85-75BC96858CB0} - C:\WINDOWS\ocgrep.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2
RatHat

Posted 27 October 2007 - 06:11 AM

Ex Malware Expert

Expert
7,829 posts

Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.

OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading SELECT Show hidden files and folders.
UNCHECK the Hide protected operating system files (recommended) option.
UNCHECK the Hide extensions for known file types option.
Click Yes to confirm.
Click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now while TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: MSVPS System - {6EB10F79-5E53-4F76-B146-409EFCDCB957} - C:\WINDOWS\movctrlfqd.dll
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll (file missing)
O3 - Toolbar: The nssfrch - {DF0ACE0C-4A3F-4A1F-8676-BA16DEB23C70} - C:\WINDOWS\nssfrch.dll
O21 - SSODL: bxsbang - {E60C7E24-41F0-41E3-9908-EC6B1F0A0F1F} - C:\WINDOWS\bxsbang.dll
O21 - SSODL: ocgrep - {D2694D28-A857-4BEA-9C85-75BC96858CB0} - C:\WINDOWS\ocgrep.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next download OTMoveIt by OldTimer.

Save it to your desktop.
Double-click OTMoveIt.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\movctrlfqd.dll
C:\Program Files\Screensavers.com
C:\WINDOWS\nssfrch.dll
C:\WINDOWS\bxsbang.dll
C:\WINDOWS\ocgrep.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.
Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
Save the Notepad file to your Desktop as OTM.txt.
Close OTMoveIt

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And now please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Finally, please create an Uninstall List from HijackThis:

Re-Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So in your next reply, please include the following:

OTM.txt
The Smitfraud report
The HijackThis Uninstall list
A fresh HijackThis log

Regards,
RatHat

#3
TADontAsk

Posted 27 October 2007 - 11:56 AM

Member

Topic Starter
Member
16 posts

Thank you for your reply! I ran Ad-Aware during through the evening and it seems to have removed the problem. And then I did an entire system scan with Norton this morning and it didn't find anything. But I still followed these steps to make sure nothing evil is hidden in here.

Unfortunately the first time I ran the OTMoveIt, it closed before I could paste anything from the results section. I ran it again, but the results are different now:

File/Folder C:\WINDOWS\movctrlfqd.dll not found.
File/Folder C:\Program Files\Screensavers.com not found.
File/Folder C:\WINDOWS\nssfrch.dll not found.
File/Folder C:\WINDOWS\bxsbang.dll not found.
File/Folder C:\WINDOWS\ocgrep.dll not found.

Created on 10/27/2007 13:45:51

The Smithfraud report

SmitFraudFix v2.242

Scan done at 13:48:53.84, Sat 10/27/2007
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\kthemup.exe FOUND !
C:\WINDOWS\main_uninstaller.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nick\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/1000 CT Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AEE7348C-7B76-4E87-B073-BFAA1025457A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AEE7348C-7B76-4E87-B073-BFAA1025457A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AEE7348C-7B76-4E87-B073-BFAA1025457A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

The HijackThis Uninstall list

AC3Filter (remove only)
Ad-Aware 2007
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player Plugin
Adobe Reader 7.0
AIM 6
AOL Instant Messenger
AppCore
Apple Mobile Device Support
Apple Software Update
AutoCAD R14.0
BitLord 1.1
ccCommon
Component Framework
Creative MediaSource
DivX
DivX Player
DVD Profiler Version 2.4.0
EA SPORTS online 2006
ewido security suite
GSpot Codec Information Appliance
Half-Life
HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
InterActual Player
iPod Updater 2004-10-20
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
Language pack for Ad-Aware SE
LimeWire 4.14.10
LiveReg (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Madden NFL 2004
Medal of Honor Allied Assault
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (1.0.6)
MSN Music Assistant
MySQL Server 5.0
Nero 7 Essentials
NHL06
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
PowerDVD
Quicken 2007
QuickTime
R for Windows 2.4.0
RealPlayer
Registry Cleaner
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Sierra Utilities
SPBBC 32bit
S-PLUS 7.0
SPSS 12.0 for Windows Student Version
Spybot - Search & Destroy
SpywareBlaster v3.4
Strat-O-Matic CD-ROM Ver11.0
Strat-O-Matic CD-ROM Ver9.0
Symantec KB-DocID:2003093015493306
SymNet
The Movies™
The SAS System V8
the4400 Screen Saver
Ulead Disc-Direct SDK
Uniblue RegistryBooster 2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VDMSound 2.0.4
Viewpoint Media Player
Webshots Desktop
WebVideo Support
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinFast Entertainment Center(WDM Driver)
WinFast PVR
XviD MPEG-4 Video Codec

fresh HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:51:46 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msmhost - {0928A89E-6C25-4A31-ACFE-131344D7A956} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: msmdev - {938FC034-46D6-4956-B971-224162578EED} - C:\WINDOWS\msmdev.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you!

#4
RatHat

Posted 27 October 2007 - 05:40 PM

Ex Malware Expert

Expert
7,829 posts

Hi there,

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O21 - SSODL: msmhost - {0928A89E-6C25-4A31-ACFE-131344D7A956} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: msmdev - {938FC034-46D6-4956-B971-224162578EED} - C:\WINDOWS\msmdev.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

BitLord 1.1
LimeWire 4.14.10
Viewpoint Media Player

Note: P2P programs are notorious for maware. Please ensure you uninstall them during this fix. If you re-install them later, you will be opening yourself up for reinfection.

Please note any other programs that you dont recognize in that list in your next response

Still in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a fresh HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Regards,
RatHat

#5
TADontAsk

Posted 27 October 2007 - 10:37 PM

Member

Topic Starter
Member
16 posts

Newest rapport report

SmitFraudFix v2.242

Scan done at 0:25:44.21, Sun 10/28/2007
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

127.0.0.1 ar.atwola.com
127.0.0.1 empiremovies.com
127.0.0.1 xlonhcld.xlontech.net
127.0.0.1 VTOT.proxy.aol.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.aol.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\kthemup.exe Deleted
C:\WINDOWS\main_uninstaller.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AEE7348C-7B76-4E87-B073-BFAA1025457A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AEE7348C-7B76-4E87-B073-BFAA1025457A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AEE7348C-7B76-4E87-B073-BFAA1025457A}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Fresh HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:05 AM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6
RatHat

Posted 27 October 2007 - 10:59 PM

Ex Malware Expert

Expert
7,829 posts

Looking good!

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepad files: main.txt and extra.txt
Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please run an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display the results if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post, and let me know how your computer is behaving now.

Regards,
RatHat

#7
TADontAsk

Posted 28 October 2007 - 07:34 AM

Member

Topic Starter
Member
16 posts

My computer has been running fine for the past 24 hours

Obviously just want to make sure its all 100%!

main.txt

Deckard's System Scanner v20071014.68
Run by Nick on 2007-10-28 01:36:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
69: 2007-10-28 05:36:41 UTC - RP720 - Deckard's System Scanner Restore Point
68: 2007-10-27 05:34:42 UTC - RP719 - Installed Ad-Aware 2007
67: 2007-10-27 00:01:14 UTC - RP718 - Uniblue RegistryBooster
66: 2007-10-26 23:25:52 UTC - RP717 - Removed J2SE Runtime Environment 5.0 Update 1
65: 2007-10-25 23:48:50 UTC - RP716 - System Checkpoint

-- First Restore Point --
1: 2007-07-31 00:40:59 UTC - RP652 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Nick.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:37:49 AM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Nick\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Nick.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20050613-205901-761 O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
backup-20050613-205901-844 O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
backup-20050802-205455-444 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
backup-20050802-205455-664 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
backup-20050802-205455-747 R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
backup-20050802-205455-839 O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevpl32.exe
backup-20071027-134342-171 O2 - BHO: MSVPS System - {6EB10F79-5E53-4F76-B146-409EFCDCB957} - C:\WINDOWS\movctrlfqd.dll
backup-20071027-134342-213 O3 - Toolbar: The nssfrch - {DF0ACE0C-4A3F-4A1F-8676-BA16DEB23C70} - C:\WINDOWS\nssfrch.dll
backup-20071027-134342-569 O21 - SSODL: ocgrep - {D2694D28-A857-4BEA-9C85-75BC96858CB0} - C:\WINDOWS\ocgrep.dll
backup-20071027-134342-993 O21 - SSODL: bxsbang - {E60C7E24-41F0-41E3-9908-EC6B1F0A0F1F} - C:\WINDOWS\bxsbang.dll
backup-20071028-001024-390 O21 - SSODL: msmdev - {938FC034-46D6-4956-B971-224162578EED} - C:\WINDOWS\msmdev.dll (file missing)
backup-20071028-001024-644 O21 - SSODL: msmhost - {0928A89E-6C25-4A31-ACFE-131344D7A956} - C:\WINDOWS\msmhost.dll (file missing)

-- File Associations -----------------------------------------------------------

.scr - AutoCADScript - shell\open\command - C:\WINDOWS\NOTEPAD.EXE "%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 WFIOCTL - c:\program files\winfast\wftvfm\wfioctl.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\4&2E98101C&0&20F0
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\4&2E98101C&0&20F0
Service:

-- Scheduled Tasks -------------------------------------------------------------

2007-10-26 18:55:43 620 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Nick.job

-- Files created between 2007-09-28 and 2007-10-28 -----------------------------

2007-10-27 13:48:58 2634 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 01:34:44 0 d-------- C:\Program Files\Lavasoft
2007-10-27 01:34:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-27 01:34:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 20:03:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 19:59:08 0 d-------- C:\Documents and Settings\Nick\Application Data\Uniblue
2007-10-26 19:26:28 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-26 19:25:00 0 d-------- C:\Documents and Settings\Nick\.SunDownloadManager
2007-10-26 18:49:23 0 d-------- C:\Program Files\Windows Sidebar
2007-10-26 18:48:19 0 d-------- C:\Program Files\Norton Internet Security
2007-10-26 18:16:24 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

-- Find3M Report ---------------------------------------------------------------

2007-10-28 01:38:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-28 00:25:00 0 d-------- C:\Program Files\Viewpoint
2007-10-28 00:24:14 0 d-------- C:\Program Files\LimeWire
2007-10-27 01:34:17 0 d-------- C:\Program Files\Common Files
2007-10-27 01:24:08 0 d-------- C:\Program Files\Symantec
2007-10-26 19:56:14 0 d-------- C:\Program Files\SpywareBlaster
2007-10-26 19:26:11 0 d-------- C:\Program Files\Java
2007-10-26 18:51:05 0 d-------- C:\Documents and Settings\Nick\Application Data\Symantec
2007-10-26 18:43:07 0 d-------- C:\Program Files\Norton AntiVirus
2007-09-27 18:32:41 0 d-------- C:\Program Files\iTunes
2007-09-27 18:32:30 0 d-------- C:\Program Files\iPod
2007-09-27 18:31:22 0 d-------- C:\Program Files\QuickTime
2007-09-27 18:29:31 0 d-------- C:\Program Files\Apple Software Update
2007-09-27 18:29:06 0 d-------- C:\Program Files\Common Files\Apple
2007-09-19 21:08:51 0 d-------- C:\Documents and Settings\Nick\Application Data\U3
2007-08-30 21:31:16 0 d-------- C:\Program Files\Common Files\SWF Studio
2007-08-28 20:36:36 0 d-------- C:\Program Files\AIM6
2007-08-28 20:36:07 0 d-------- C:\Program Files\Common Files\AOL

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
10/26/2007 06:49 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{722D2939-A14A-41A9-9EAC-AB8F4E295819}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 11:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/01/2005 04:16 PM]
"nwiz"="nwiz.exe" [04/01/2005 04:16 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [04/01/2005 04:16 PM]
"RemoteControl"="C:\WINDOWS\system32\rmctrl.exe" [10/16/2000 09:37 AM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [03/12/2004 09:23 AM]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/25/2007 01:07 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/25/2007 12:53 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 02:32 PM]
"Aim6"="" []

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2/4/2006 4:59:59 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\LaunchU3.exe -a

*Newly Created Service* - COMHOST

-- Hosts -----------------------------------------------------------------------

127.0.0.1 ar.atwola.com
127.0.0.1 empiremovies.com
127.0.0.1 xlonhcld.xlontech.net
127.0.0.1 VTOT.proxy.aol.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.aol.com

-- End of Deckard's System Scanner: finished at 2007-10-28 01:38:47 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1022.73 MiB / 579.86 MiB
Pagefile Memory (total/avail): 2461.28 MiB / 2092.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 78.13 GiB total, 13.34 GiB free.
D: is Fixed (NTFS) - 57.26 GiB total, 15.4 GiB free.
E: is Removable (No Media)
F: is CDROM (CDFS)
G: is CDROM (CDFS)
H: is Fixed (NTFS) - 108.18 GiB total, 53 GiB free.

\\.\PHYSICALDRIVE2 - IOMEGA ZIP 250

\\.\PHYSICALDRIVE1 - Maxtor 5T060H6 - 57.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 57.26 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD2000JD-00GBB0 - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 78.13 GiB - C:
\PARTITION1 - Installable File System - 108.18 GiB - H:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\EA SPORTS\\MVP Baseball 2004\\mvp2004.exe"="C:\\Program Files\\EA SPORTS\\MVP Baseball 2004\\mvp2004.exe:*:Enabled:mvp2004"
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Documents and Settings\\Nick\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Nick\\Desktop\\utorrent.exe:*:Enabled:utorrent"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.4-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.4-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nick\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nick
LOGONSERVER=\\COMPUTA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Insightful\splus70\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\VDMSound\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0303
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Nick\LOCALS~1\Temp
TMP=C:\DOCUME~1\Nick\LOCALS~1\Temp
USERDOMAIN=COMPUTA
USERNAME=Nick
USERPROFILE=C:\Documents and Settings\Nick
VDMSPath=C:\Program Files\VDMSound\
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Nick (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AutoCAD R14.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\AutoCAD R14\DeIsL1.isu"
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DVD Profiler Version 2.4.0 --> "C:\Program Files\InterVocative Software\DVD Profiler\unins000.exe"
EA SPORTS online 2006 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
ewido security suite --> C:\Program Files\ewido\security suite\Uninstall.exe
GSpot Codec Information Appliance --> C:\Program Files\GSpot\Uninstall.exe
Half-Life --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\Half-Life\Uninst.isu -c"C:\SIERRA\Half-Life\HLUNINST.DLL"
HijackThis 1.99.1 --> C:\DOCUME~1\Nick\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /uninstall
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iPod Updater 2004-10-20 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{510D7787-C1B3-472C-86DF-C06273DAE60B} /l1033
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Language pack for Ad-Aware SE --> D:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\Langs\UNWISE.EXE D:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\Langs\INSTALL.LOG
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Madden NFL 2004 --> C:\Program Files\EA SPORTS\Madden NFL 2004\EAUninstall.exe
Medal of Honor Allied Assault --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (1.0.6) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0.6 (en-US)"
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MySQL Server 5.0 --> MsiExec.exe /I{3CB15F63-7D48-4694-B68E-3D6E25D5C932}
Nero 7 Essentials --> MsiExec.exe /I{9BB69D0F-1369-4DBD-99A9-1BC228ED1033}
NHL06 --> C:\Program Files\EA SPORTS\NHL06\EAUninstall.exe
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
R for Windows 2.4.0 --> "C:\Program Files\R\R-2.4.0\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Cleaner --> "C:\Program Files\Registry Cleaner Trial\unins000.exe"
S-PLUS 7.0 --> MsiExec.exe /I{2DC713B2-CE05-4CF7-868E-21916BD408CC}
Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SPSS 12.0 for Windows Student Version --> MsiExec.exe /I{43622C01-15D3-4E62-9AD9-BD7C007FD452}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.4 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Strat-O-Matic CD-ROM Ver11.0 --> C:\CDROMBB\UNWISE.EXE C:\CDROMBB\INSTALL.LOG
Strat-O-Matic CD-ROM Ver9.0 --> D:\cdrombb\UNWISE.EXE D:\cdrombb\INSTALL.LOG
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
The Movies™ --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0556F885-2415-4666-B53E-33727E46AEA1} /l1033
The SAS System V8 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SAS Institute\SAS\V8\UNINSTAL.ISU" -c"C:\Program Files\SAS Institute\SAS\V8\uninst.dll"
the4400 Screen Saver --> C:\WINDOWS\system32\the4400.scr /u
Ulead Disc-Direct SDK --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D2C1E44-7685-4D05-8342-B0DC6422FA47}\Setup.exe" -l0x9
VDMSound 2.0.4 --> MsiExec.exe /I{8ECBE643-8230-11D5-9D6B-00A024112F81}
Webshots Desktop --> C:\PROGRA~1\Webshots\UNWISE.EXE C:\PROGRA~1\Webshots\INSTALL.LOG
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinFast Entertainment Center(WDM Driver) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE4AA694-815A-4045-BD49-C94F2BED7458}\setup.exe"
WinFast PVR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C882DE6B-1482-42D6-A7C2-A9F946EDBAF6}\setup.exe"
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type17574 / Error
Event Submitted/Written: 10/28/2007 01:38:09 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type17573 / Error
Event Submitted/Written: 10/28/2007 01:38:07 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type17572 / Error
Event Submitted/Written: 10/28/2007 01:38:07 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type17571 / Error
Event Submitted/Written: 10/28/2007 01:38:07 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type16588 / Error
Event Submitted/Written: 10/04/2007 09:03:30 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error Internet connection not detected.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type14870 / Warning
Event Submitted/Written: 10/28/2007 01:37:57 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP Officejet 9100 series PS for Windows NT x86 Version-3 was added or updated. Files:- PSCRIPT5.DLL, PS5UI.DLL, HPW9100S.PPD, PSCRIPT.HLP, hpoj9100.cfg, hpcdmc32.dll, hpbcfgre.dll, hpzui2id.dll, hpzsr2id.dll, HPNRA.EXE, HPBNRAC2.DLL, HPBMINI.DLL, HPCEAC05.HPI, HPBMIAPI.DLL, HPBOID.EXE, HPBOIDPS.DLL, HPBPRO.EXE, HPBPROPS.DLL, HPPAPTS0.DLL, HPPASNM0.DLL, HPPAPML0.DLL, HPZIPM12.EXE, HPZIPT12.DLL, HPZINW12.EXE, HPZIPR12.DLL, HPZISN12.DLL, HPJCMN2U.DLL, HPJIPX1U.DLL, HPZIDR12.DLL, hpzst2id.dll, hpzev2id.dll, hpw9100d.ini, hpw9100s.xml, hpzsc2id.dtd, hpzhl2id.hlp, PSCRIPT.NTF, hpzfn2id.ntf, hpz3l2id.dll.

Event Record #/Type14869 / Warning
Event Submitted/Written: 10/28/2007 01:31:11 AM
Event ID/Source: 52 / Disk
Event Description:
The driver has detected that device \Device\Harddisk1\DR1 has predicted that it will fail.
Immediately back up your data and replace your hard disk drive. A failure
may be imminent.

Event Record #/Type14865 / Error
Event Submitted/Written: 10/28/2007 00:32:53 AM
Event ID/Source: 4321 / NetBT
Event Description:
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.106.
The machine with the IP address 192.168.1.107 did not allow the name to be claimed by
this machine.

Event Record #/Type14842 / Error
Event Submitted/Written: 10/28/2007 00:29:35 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type14841 / Error
Event Submitted/Written: 10/28/2007 00:29:04 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

-- End of Deckard's System Scanner: finished at 2007-10-28 01:38:47 ------------

Kapersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 28, 2007 9:29:41 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/10/2007
Kaspersky Anti-Virus database records: 447265
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 662403
Number of viruses found: 22
Number of infected objects: 44
Number of suspicious objects: 2
Duration of the scan process: 07:30:57

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Nick\LOCALS~1\Temp\ac8zt2\main_uninstaller.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib12 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib13 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib14 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib15 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib16 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{0D15DD15-DCA1-4EA1-9D7F-E0AA9F2B165B}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{288BBB22-DAE4-4433-B33F-74327647E0A8}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{5C08AB46-978A-46C8-8C9F-07DA3FF08AC5}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-10-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\30563BA2.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B880862.DLL Infected: not-a-virus:AdWare.Win32.IWon.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F956209.new Infected: Trojan-Downloader.Win32.WinShow.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F9E5FFE.exe/submithook.dll Infected: Trojan-Downloader.Win32.Agent.az skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F9E5FFE.exe Gentee: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F9E5FFE.exe CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75876734.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7723116F.js Infected: Exploit.HTML.CodeBaseExec skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77360D59.exe Infected: Trojan-Downloader.Win32.Realtens.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8BBEDCBE-D3B5-42C0-9B1D-5609851174E0}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8BBEDCBE-D3B5-42C0-9B1D-5609851174E0}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A7F3B505.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\63329BDCd01 RarSFX: infected - 2 skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\cert8.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\formhistory.dat Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\history.dat Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\key3.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\parent.lock Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Nick\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\MSHist012007102820071029\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nick\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20071027-134342-171.dll Infected: not-a-virus:AdWare.Win32.Vapsup.iv skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\computa.err Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP716\A0071908.exe/stream/data0003 Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP716\A0071908.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP716\A0071908.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP718\A0072508.ocx Infected: Trojan.Win32.Agent.cjl skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP719\A0072568.dll Infected: not-a-virus:AdWare.Win32.Vapsup.iv skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP719\A0072647.exe Infected: not-a-virus:AdWare.Win32.Vapsup.ix skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP719\A0072648.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\A0072748.exe/stream/data0003 Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\A0072748.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\A0072748.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\sys

#8
RatHat

Posted 28 October 2007 - 09:16 PM

Ex Malware Expert

Expert
7,829 posts

Hi there,

Please re-run OTMoveIt:

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Viewpoint
C:\Program Files\LimeWire

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.
Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
Save the Notepad file to your Desktop as OTM.txt.
Close OTMoveIt

Open Notepad
Copy the contents of the codebox below using CTRL C

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{722D2939-A14A-41A9-9EAC-AB8F4E295819}]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\StubInstaller.exe"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Nick\\Desktop\\utorrent.exe"=-

Now return to Notepad and use CTRL V to paste the script
Verify that you have pasted the complete script
Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
Locate FixReg.reg on your desktop
Double click to run, and when prompted Allow the file to merge with your registry
OK your way out.

After that, Reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Java is out of date. Please update to the latest version here (Java Runtime Environment (JRE) 6 Update 3). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.

Click Start, Control Panel, Add/Remove Programs.
Delete all Java updates except Java ™ 6 Update 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Finally, the Kaspersky log is not complete. If you saved it, please post it again, if not, please run another scan as outlined before, and post me the complete contents, along with a fresh HijackThis log, the contents of OTM.txt, and let me know if you are having any more problems.

Regards,
RatHat

#9
TADontAsk

Posted 28 October 2007 - 09:57 PM

Member

Topic Starter
Member
16 posts

Still not having any problems! Sorry about the incomplete Kaspersky log.

Complete Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 28, 2007 9:29:41 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/10/2007
Kaspersky Anti-Virus database records: 447265
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 662403
Number of viruses found: 22
Number of infected objects: 44
Number of suspicious objects: 2
Duration of the scan process: 07:30:57

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Nick\LOCALS~1\Temp\ac8zt2\main_uninstaller.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib12 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib13 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib14 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib15 Object is locked skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ib16 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{0D15DD15-DCA1-4EA1-9D7F-E0AA9F2B165B}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{288BBB22-DAE4-4433-B33F-74327647E0A8}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{5C08AB46-978A-46C8-8C9F-07DA3FF08AC5}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-10-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\30563BA2.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B880862.DLL Infected: not-a-virus:AdWare.Win32.IWon.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F956209.new Infected: Trojan-Downloader.Win32.WinShow.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F9E5FFE.exe/submithook.dll Infected: Trojan-Downloader.Win32.Agent.az skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F9E5FFE.exe Gentee: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6F9E5FFE.exe CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75876734.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7723116F.js Infected: Exploit.HTML.CodeBaseExec skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77360D59.exe Infected: Trojan-Downloader.Win32.Realtens.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8BBEDCBE-D3B5-42C0-9B1D-5609851174E0}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8BBEDCBE-D3B5-42C0-9B1D-5609851174E0}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A7F3B505.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\63329BDCd01/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\63329BDCd01/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\63329BDCd01 RarSFX: infected - 2 skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\cert8.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\formhistory.dat Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\history.dat Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\key3.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\1q4bgj1f.Nick\parent.lock Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Nick\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nick\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\MSHist012007102820071029\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nick\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20071027-134342-171.dll Infected: not-a-virus:AdWare.Win32.Vapsup.iv skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\computa.err Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP716\A0071908.exe/stream/data0003 Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP716\A0071908.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP716\A0071908.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP718\A0072508.ocx Infected: Trojan.Win32.Agent.cjl skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP719\A0072568.dll Infected: not-a-virus:AdWare.Win32.Vapsup.iv skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP719\A0072647.exe Infected: not-a-virus:AdWare.Win32.Vapsup.ix skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP719\A0072648.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\A0072748.exe/stream/data0003 Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\A0072748.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dxe skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\A0072748.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETE1D4.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\bxsbang.dll Infected: not-a-virus:AdWare.Win32.Vapsup.ix skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\nssfrch.dll Infected: not-a-virus:AdWare.Win32.Vapsup.iv skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\ocgrep.dll Infected: not-a-virus:AdWare.Win32.Vapsup.ix skipped
D:\Documents and Settings\Nick Kolupanowich.NICK-PGLM6Q32RX\Local Settings\Temporary Internet Files\Content.IE5\49EVOXMR\mt[1].htm Infected: Trojan-Clicker.JS.Linker.j skipped
D:\Documents and Settings\Nick Kolupanowich.NICK-PGLM6Q32RX\Local Settings\Temporary Internet Files\Content.IE5\6LHUZYLO\IAicm[1].cab/Iaicm.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.a skipped
D:\Documents and Settings\Nick Kolupanowich.NICK-PGLM6Q32RX\Local Settings\Temporary Internet Files\Content.IE5\6LHUZYLO\IAicm[1].cab CAB: infected - 1 skipped
D:\Documents and Settings\Nick Kolupanowich.NICK-PGLM6Q32RX\Local Settings\Temporary Internet Files\Content.IE5\S9URW9AR\ad[3].htm/ad.htm Suspicious: Trojan-Downloader.JS.gen skipped
D:\Documents and Settings\Nick Kolupanowich.NICK-PGLM6Q32RX\Local Settings\Temporary Internet Files\Content.IE5\S9URW9AR\ad[3].htm CHM: suspicious - 1 skipped
D:\Program Files\LimeWire\2.9.8\limeshop.exe/data0126 Infected: not-a-virus:AdWare.Win32.TopMoxie.c skipped
D:\Program Files\LimeWire\2.9.8\limeshop.exe NSIS: infected - 1 skipped
D:\Program Files\topMoxie\HTML\limeshopstuffupdate.exe/data0127 Infected: not-a-virus:AdWare.Win32.TopMoxie.e skipped
D:\Program Files\topMoxie\HTML\limeshopstuffupdate.exe NSIS: infected - 1 skipped
D:\Save\My Documents\Sounds\WxBugSetup27.exe/WISE0042.BIN Infected: not-a-virus:AdWare.Win32.Gator.1023 skipped
D:\Save\My Documents\Sounds\WxBugSetup27.exe WiseSFX: infected - 1 skipped
D:\Save\My Documents\Sounds\WxBugSetup27.exe WiseSFX Dropper: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{949363A5-1D94-454D-98A0-6ADB2B882A9B}\RP257\A0021912.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.507 skipped
D:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP719\A0072559.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
D:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\change.log Object is locked skipped
D:\WIN2K\system32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{9D974664-313D-4888-A1B6-58CC7C9E5ACB}\RP720\change.log Object is locked skipped

Scan process completed.

OTM.txt

C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\VMgr_Win moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\Components moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player moved successfully.
C:\Program Files\Viewpoint moved successfully.
C:\Program Files\LimeWire\Shared moved successfully.
C:\Program Files\LimeWire moved successfully.

Created on 10/28/2007 23:37:31

Fresh HiJack This report

Logfile of HijackThis v1.99.1
Scan saved at 11:56:46 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10
RatHat

Posted 28 October 2007 - 11:42 PM

Ex Malware Expert

Expert
7,829 posts

Hey Nick,

Just about done here I think!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re-run OTMoveIt:

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\Program Files\LimeWire
D:\Program Files\topMoxie
D:\Documents and Settings\Nick Kolupanowich.NICK-PGLM6Q32RX\Local Settings\Temporary Internet Files\Content.IE5
D:\Save\My Documents\Sounds\WxBugSetup27.exe
D:\WIN2K\system32\psexec.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.
Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
Save the Notepad file to your Desktop as OTM.txt.
Close OTMoveIt

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Regards,
RatHat

#11
TADontAsk

Posted 29 October 2007 - 07:28 PM

Member

Topic Starter
Member
16 posts

I am having some trouble running OTMoveIt. The program either simply isn't working, or it is just going to take hours to move the temporary internet explorer files. It took only a few seconds the previous couple of times I have tried it, so when it was taking a few minutes I tried closing it, but then when I closed out of it I got one of those "wasn't responding" messages. I re-started and then tried again, letting it run for a few hours, but it still showed no signs of finishing. Is it just going to take longer than this? I have done everything else from your last message.

Off topic, I have had another minor problem over the past couple of years, and just wanted to know if you had any thoughts how I could solve it. Every few months, when I start my computer I get a blue screen that tells me I have an error and that I need to run a chkdsk or that some new software might have a virus (I haven't gotten this in a while so I don't remember the exact message. What seems to be the problem, is that for whatever reason, every once in a while my computer seems to boot up using another drive. So I have to press F8 when starting up, and select the correct drive. And then I have to re-start and go into options, and select the correct drive as the first option. After that it works perfectly fine, except after another few months it does the same thing. I always shut down my computer the correct way, so I don't know what causes this, nor how to permanently fix it. I don't know if this is an issue, but there is also a message when starting up that reads "BIOS not installed". Not sure if its related. If you're not sure, don't worry about it, its more of an annoyance than a real problem.

Just let me know if I need to wait a while to run OTMoveIt, and I will give it another try tomorrow.

Thanks again!!

#12
RatHat

Posted 29 October 2007 - 07:45 PM

Ex Malware Expert

Expert
7,829 posts

Re-run OTMoveIt:

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\Program Files\LimeWire
D:\Program Files\topMoxie
D:\Save\My Documents\Sounds\WxBugSetup27.exe
D:\WIN2K\system32\psexec.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.
Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
Save the Notepad file to your Desktop as OTM.txt.
Close OTMoveIt

Click Internet Options
Under the General tab, Browsing History, click Delete
Under Temporary Internet Files, click Delete files...
Click Yes to confirm
Click Close, then OK to get out of the dialog

After that reset your restore points as outlined before.

Off topic, I have had another minor problem over the past couple of years, and just wanted to know if you had any thoughts how I could solve it. Every few months, when I start my computer I get a blue screen that tells me I have an error and that I need to run a chkdsk or that some new software might have a virus (I haven't gotten this in a while so I don't remember the exact message. What seems to be the problem, is that for whatever reason, every once in a while my computer seems to boot up using another drive. So I have to press F8 when starting up, and select the correct drive. And then I have to re-start and go into options, and select the correct drive as the first option. After that it works perfectly fine, except after another few months it does the same thing. I always shut down my computer the correct way, so I don't know what causes this, nor how to permanently fix it. I don't know if this is an issue, but there is also a message when starting up that reads "BIOS not installed". Not sure if its related. If you're not sure, don't worry about it, its more of an annoyance than a real problem.

I am not sure on this but will look into it. It may be a question that should be posted on the Techs board.

Regards,
RatHat

#13
TADontAsk

Posted 29 October 2007 - 09:10 PM

Member

Topic Starter
Member
16 posts

OTM.txt

File/Folder D:\Program Files\LimeWire not found.
File/Folder D:\Program Files\topMoxie not found.
D:\Save\My Documents\Sounds\WxBugSetup27.exe moved successfully.
D:\WIN2K\system32\psexec.exe moved successfully.

Created on 10/29/2007 23:05:15

HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:08:52 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\OTMoveIt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

The rest of your steps are also complete. I will also wait to hear about the other topic before posting it on the tech board, but no worries if you can't get it, I really appreicate the effort. Thanks!

Nick

#14
RatHat

Posted 29 October 2007 - 09:27 PM

Ex Malware Expert

Expert
7,829 posts

Hey Nick,

OK! Well done, your log is clean again!

Now regarding the other problem, I think it would be best to post the question in the Operating Systems forum here

Before we go, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Firstly, lets clean up the tools we have used:

Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot.
Then you can delete OTMoveIt.exe and the folder C:\_OTMoveIt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next lets Reset and Re-enable your System Restore again.

Turn OFF System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next, lets reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
CHECK the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows

Click Start.
Select Settings and then Control Panel.
Select Automatic Updates.
Click Automatic (recommended)
Choose a day and a time when you know the computer will be on and connected to the internet.
Click Apply then OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 3). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.

Click Start, Control Panel, Add/Remove Programs.
Delete all Java updates except Java ™ 6 Update 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next lets check the security of important software to see whether you need to download any additional updates.

Program Updates

Go to the Secunia Software Inspector website
Click the Start Now button, allow the Java applet to load, and open to the scan page
Make sure you check the Enable thorough system inspection located under the Start button
Click the Start button to run the scan (this will take about five minutes)
When the scan has completed, read the report and update your programs as shown

Note: Links to the program updates are included in the report

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. You can run all of these at the same time without any problem or conflicts, so I would advise getting all of them.

Anti Spyware

AVG Anti Spyware to remove any spyware infecting your computer.
SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
AdAware another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next lets look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls

Comodo is a free fully functional firewall
ZoneLabs Zone Alarm Free Version personal firewall

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Nearly done! If you like to use chat, MSN and Yahoo have vunerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

Trillian or,
Miranda-IM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners

CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Last up, lets try to speed up you machine a bit:

Run Disk Cleanup:

Click Start then All Programmes, then Accessories, then system tools. Locate Disk Cleanup and click to run it. Clean all your drives, then reboot your computer.

Next run a defrag: Start then All Programmes, then Accessories, then system tools. Locate Disk Defragmenter and click to run it. Highlight a drive, and click Defragment. Repeat for each of your drives.

Now, download, install and run Tune Up 2007 Trial

Run Tune Up disc clean up
Run Tune Up registry clean up

After this, disable your anti virus programme then click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot. Check the anti virus programme is running normally again.

This will have cleared the drives of obsolete software errors. Now a couple of suggestions for making the most of the free trial:

Click optimize and improve, then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot.
After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.
After the reboot, click optimize then system optimizer to run system advisor.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat

#15
TADontAsk

Posted 30 October 2007 - 06:18 PM

Member

Topic Starter
Member
16 posts

I am having some awful luck with OTMoveIt recently. I tried "clean up" and it just keeps freezing and not responding when I try and close it. All I could think of was rebooting and trying again, but that still failed. Then I deleted it and tried installing again without success. I also have been unable to delete the _OTMoveIt folder, as it won't delete certain files. I'm guessing that has to do with being unable to run the program.