Help with Worm.Win32.NetSky virus [RESOLVED] - Geeks to Go Forums

Help with Worm.Win32.NetSky virus [RESOLVED]

#1 Emily27

  • Group: Member
  • Posts: 11
  • Joined: 30-November 07

Posted 01 December 2007 - 07:11 PM

Hi. Two days ago my computer got infected with this virus. I kept getting Windows Security popups, and one of them keeps saying I have the "Worm.Win32.NetSky" virus. Whatever I click on in these popups, it opens up to a website (http://scanner.adwar...m/5/?advid=1216 or some other remover product).
I also got this image, which took over my left monitor
(screenshot not preserved)

It went away after I ran AVG in Safe Mode, came back again, and went away after I ran Panda ActiveScan and rebooted.

I followed the instructions in the "You must read this before posting...." topic. The only problem I had was that even after following the steps exactly, AVG didn't create a report. It found around 40 Tracking cookies.

Note: As I was typing that last sentence, AVG found 2 pieces of malware, called Downloader.Zlob.cpx and Downloader.Agent.dag. I told it to clean & quarantine, and I'll restart when I finish this post.

Here are the logs I have:

SUPERAntiSpyware Scan Log
Generated 12/01/2007 at 11:18 PM

Application Version : 3.6.1000

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 02:19:54

Memory items scanned : 573
Memory threats detected : 1
Registry items scanned : 6109
Registry threats detected : 32
File items scanned : 123938
File threats detected : 28

Trojan.Net-GOR/NMC
C:\WINDOWS\GORMET.DLL
C:\WINDOWS\GORMET.DLL

Trojan.Downloader-Zlob/HDTIP
HKLM\Software\Classes\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}\InprocServer32
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}\InprocServer32#ThreadingModel
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}\ProgID
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}\Programmable
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}\TypeLib
HKCR\CLSID\{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}\VersionIndependentProgID
C:\WINDOWS\HDTIP.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36}
HKCR\hdtip.ToolBar.1
HKCR\hdtip.ToolBar.1\CLSID
HKCR\hdtip.ToolBar
HKCR\TypeLib\{1F57BE82-1F34-4BB1-8C5C-2E464E842816}
HKCR\TypeLib\{1F57BE82-1F34-4BB1-8C5C-2E464E842816}\1.0
HKCR\TypeLib\{1F57BE82-1F34-4BB1-8C5C-2E464E842816}\1.0\0
HKCR\TypeLib\{1F57BE82-1F34-4BB1-8C5C-2E464E842816}\1.0\0\win32
HKCR\TypeLib\{1F57BE82-1F34-4BB1-8C5C-2E464E842816}\1.0\FLAGS
HKCR\TypeLib\{1F57BE82-1F34-4BB1-8C5C-2E464E842816}\1.0\HELPDIR

Adware.Tracking Cookie
C:\Documents and Settings\Em\Cookies\em@protect.trustedantivirus[1].txt
C:\Documents and Settings\Em\Cookies\em@trustedantivirus[1].txt
C:\Documents and Settings\Em\Cookies\em@615-OS[2].txt

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-1606980848-1417001333-839522115-1003\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Trojan.DNSChanger-Codec
HKCR\VAC.Video
HKCR\VAC.Video\CLSID

Trojan.Net-MSV/VPS
HKCR\MSVPS.MSVPSApp
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer

Desktop Hijacker.AboutYourPrivacy
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\images
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger
C:\Documents and Settings\Em\Favorites\Error Cleaner.url
C:\Documents and Settings\Em\Favorites\Privacy Protector.url
C:\Documents and Settings\Em\Favorites\Spyware&Malware Protection.url

Trojan.Downloader/NMC-Rich
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec#uninstallString
C:\Program Files\RichVideoCodec\install.ico
C:\Program Files\RichVideoCodec\Uninstall.exe
C:\Program Files\RichVideoCodec

Trojan.Net-MU/Gen
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#uninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#DisplayName

Trojan.Net-MSV/VPS-H
C:\WINDOWS\WERBETXDP.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\T0AZX48R\hd[1].gif
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\4H67WXMZ\3[1].htm
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\4H67WXMZ\line[1].gif
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\4H67WXMZ\cd[1].gif
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\T0AZX48R\pointer[1].gif
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\0PEF4TIV\logo[1].gif
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\T0AZX48R\dvd[1].gif
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\0PEF4TIV\list[1].gif
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\93C5ZXNV\detector[1].htm


ActiveScan
Incident Status Location

Adware:Adware/NewMediaCodec Not disinfected C:\WINDOWS\msmhost.dll
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\y41tpts1.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\y41tpts1.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\y41tpts1.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\y41tpts1.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\y41tpts1.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\y41tpts1.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\y41tpts1.default\cookies.txt[.com.com/]
Virus:Trj/Agent.GOT Disinfected C:\WINDOWS\main_uninstaller.exe
Spyware:Cookie/Statcounter Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Com.com Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.com.com/]
Spyware:Cookie/Doubleclick Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/WebtrendsLive Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/bravenetA Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Apmebf Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Cd Freaks Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Serving-sys Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Hitslink Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Xiti Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Tribalfusion Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Tradedoubler Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Casalemedia Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adtech Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.adtech.de/]
Spyware:Cookie/FastClick Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/YieldManager Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Overture Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.overture.com/]
Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Advertising Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Bfast Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Falkag Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Zedo Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adserver Not disinfected E:\Documents and Settings\Em\Application Data\Mozilla\Firefox\Profiles\nxufplkn.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/YieldManager Not disinfected E:\Documents and Settings\Em\Cookies\em@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected E:\Documents and Settings\Em\Cookies\em@adrevolver[1].txt
Spyware:Cookie/Adtech Not disinfected E:\Documents and Settings\Em\Cookies\em@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected E:\Documents and Settings\Em\Cookies\em@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected E:\Documents and Settings\Em\Cookies\em@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected E:\Documents and Settings\Em\Cookies\em@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected E:\Documents and Settings\Em\Cookies\em@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected E:\Documents and Settings\Em\Cookies\em@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected E:\Documents and Settings\Em\Cookies\em@fastclick[1].txt
Spyware:Cookie/FastClick Not disinfected E:\Documents and Settings\Em\Cookies\em@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected E:\Documents and Settings\Em\Cookies\em@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected E:\Documents and Settings\Em\Cookies\em@serving-sys[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected E:\Documents and Settings\Em\Cookies\em@statse.webtrendslive[2].txt
Hacktool:Rootkit/Toegu Not disinfected E:\Documents and Settings\Em\Local Settings\Temp\mdxgthkn.sys
Virus:Trj/Downloader.MDW Not disinfected E:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\YHI1K3MN\popcaploader_v10[1].cab[PopCapLoader.dll]
Adware:Adware/MediaCodec Not disinfected E:\My Downloads\VideoAccessCodecInstall.exe[ttvbonnwr.exe]

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:49 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHotKeys] "C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe" -STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: gormet - {5807CFDB-511B-4E6A-8977-E85A5354B163} - C:\WINDOWS\gormet.dll (file missing)
O21 - SSODL: msmhost - {C1111D10-B6A5-4826-B38E-098F0FC285D9} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {D2DBDC49-AB1E-4E31-B510-9602A25F0FA5} - C:\WINDOWS\msmdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8198 bytes

Uninstall List
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Integrated Runtime (AIR)
Adobe Integrated Runtime (AIR)
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Stock Photos 1.0
Age of Mythology
AnyDVD
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
AVG Anti-Spyware 7.5
Azureus Vuze
CCleaner (remove only)
Creative Prodikeys PC-MIDI
Creative System Information
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Documents To Go
DVD Audio Extractor 4.1.1
DVD Shrink 3.2
eBay Desktop
eBay Desktop
ExplorerXP (remove only)
FREE Hi-Q Recorder 1.9
Free WMA to MP3 Converter 1.16
GameSpy Arcade
GetRight
GoldWave v5.10
Google Earth
Google Talk (remove only)
Guitar Pro 5.2
HijackThis 2.0.2
iTunes
Java™ 6 Update 2
Java™ 6 Update 3
LimeWire 4.14.8
Logon Loader 3.0
Magic DVD Ripper V5.0.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Rise Of Nations
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
mIRC
Mobipocket Reader 6.0
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML4 Parser
Nero 7 Ultra Edition
Palm
Panda ActiveScan
Peggle (remove only)
Picasa 2
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Excel 2007 (KB936509)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Sony Ericsson PC Suite
Sony Media Manager 2.2
Sony Vegas 7.0
SUPERAntiSpyware Free Edition
TagTuner 1.9
ULi M5289 SATA Controller Driver
ULi PCI to AGP Controller Driver
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB933493)
Update for Outlook 2007 Junk Email Filter (kb943559)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Word 2007 (KB934173)
VeryPDF PDF2Word v3.0
WebVideo Support
Winamp
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Royale Noir Theme Pack
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Messenger
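
The logs above are the user's own. What follows is an added example, not code from the thread or from any of the tools mentioned, showing the triage a helper does by eye on a HijackThis log. The R0 start-page line is checked against an allowlist of expected home-page hosts (the allowlist is an assumption), and the load points that Zlob-style fake-AV droppers abuse, Browser Helper Objects (O2, loaded into Internet Explorer), Winlogon Notify packages (O20) and ShellServiceObjectDelayLoad objects (O21, COM servers Explorer loads when the shell starts), are flagged when the DLL sits directly in the Windows directory rather than under system32 or Program Files, or when the entry points at a file that is already gone. The sample input is a handful of lines excerpted from the posted log. The heuristics are assumptions drawn from this particular log, not a general signature; anything they flag still needs checking against the other scan reports before it is removed.

```python
import re
import sys
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines excerpted from the HijackThis log posted in the thread,
# embedded so the script runs offline (a real run reads the saved log file).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: gormet - {5807CFDB-511B-4E6A-8977-E85A5354B163} - C:\WINDOWS\gormet.dll (file missing)
O21 - SSODL: msmhost - {C1111D10-B6A5-4826-B38E-098F0FC285D9} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {D2DBDC49-AB1E-4E31-B510-9602A25F0FA5} - C:\WINDOWS\msmdev.dll
"""

# Assumed allowlist of hosts the owner would expect as the IE start page.
EXPECTED_HOMEPAGE_HOSTS = {"about:blank", "www.google.com", "www.msn.com"}

# HijackThis entry lines look like "O21 - SSODL: name - {CLSID} - path".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A file sitting directly in the Windows directory (C:\WINDOWS\x.dll), a
# location legitimate BHOs and shell service objects almost never use.
WINDOWS_ROOT_FILE = re.compile(r"(?i)^[a-z]:\\windows\\[^\\]+$")
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text):
    """Yield (section, body) for every R*/O* entry; headers and the process list are skipped."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def load_point_path(body):
    """Return (path, file_missing) from the last ' - ' separated field of an O2/O20/O21 entry."""
    path = body.rsplit(" - ", 1)[-1].strip()
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].strip()
    return path, missing


def triage(text, expected_hosts=EXPECTED_HOMEPAGE_HOSTS):
    """Return the entries worth a second look, in log order."""
    findings = []
    for section, body in parse_hjt(text):
        line = f"{section} - {body}"
        if section in ("R0", "R1") and "Start Page" in body:
            # "HKCU\...\Main,Start Page = http://host/..." -> compare the host only
            url = body.partition("=")[2].strip()
            host = urlparse(url).netloc.lower() or url.lower()
            if host not in expected_hosts:
                findings.append(Finding(section, f"start page redirected to {host}", line))
        elif section in ("O2", "O20", "O21"):
            path, missing = load_point_path(body)
            if missing:
                # An earlier scan deleted the DLL but left the registry entry behind.
                findings.append(Finding(section, f"orphaned load point, file already gone: {path}", line))
            elif WINDOWS_ROOT_FILE.match(path):
                findings.append(Finding(section, f"DLL loaded straight from the Windows root: {path}", line))
    return findings


if __name__ == "__main__":
    # Usage: python hjt_triage.py HijackThis.log   (falls back to the embedded sample)
    log = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(log):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script keeps quiet about the GetRight BHO and the SUPERAntiSpyware Winlogon package and reports five entries: the softwarereferral.com start page, the nsduo.dll BHO, and the three SSODL objects, one of which (gormet.dll) is an orphaned entry whose file an earlier scan already removed. The point of checking the O21 and O2 lines rather than just the running-process list is that these are load points: the DLLs come back into explorer.exe and iexplore.exe at every logon, which is consistent with the popups returning after each scan described in the post.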

#2 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 01 December 2007 - 08:35 PM

Hello Emily27, and welcome to Geeks to Go :) My name is andrewuk and I will be helping you with your problems!

I am going over your log now, and I'll be back soon with instructions on how to proceed.

In the meantime, I'd be grateful if you would note the following:

1. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.

2. It's often worth reading through these instructions and printing them for ease of reference.

3. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.

4. If, during our fix, you believe your pc is running fine and decide to leave - please see point (1) or leave a note to that effect on the thread so that we can close the thread down as resolved.

5. Please reply to this thread. Do not start a new topic.

#3 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 02 December 2007 - 12:04 AM

Hi Emily27

I can see a few infections on your machine, but before we remove them I need some more information on a potential infection.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

andrewuk

#4 Emily27

  • Group: Member
  • Posts: 11
  • Joined: 30-November 07

Posted 02 December 2007 - 12:11 AM

SmitFraudFix v2.256

Scan done at 17:08:09.93, Sun 12/02/2007
Run from C:\Documents and Settings\Em\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\main_uninstaller.exe FOUND !
C:\WINDOWS\monhop.exe FOUND !
C:\WINDOWS\msmdev.dll FOUND !
C:\WINDOWS\msmhost.dll FOUND !
C:\WINDOWS\nsduo.dll FOUND !
C:\WINDOWS\pmkret.dll FOUND !
C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Em


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Em\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Em\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

EDIT: I just found VideoAccessCodecInstall.exe in my downloads folder, although I don't remember when/why I would have downloaded it.

#5 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 02 December 2007 - 08:29 AM

Hi Emily27

Yep, that log found some infections that I suspected. So in this post we will remove that infection and see where we stand with the rest of the malware. Just a note - we will not have removed all the infections yet.


====STEP1====
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri) to your Desktop. It is important that you download it again and replace the prior SmitfraudFix you downloaded, as it is updated constantly.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


====STEP2====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP3====
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:

  • Save the file to your desktop.
  • Copy and paste that information in your next post.
So, in your next reply could I see:
1. the smitfraudfix log
2. the kaspersky scan log
3. a new hijackthis log

andrewuk

#6 Emily27

  • Group: Member
  • Posts: 11
  • Joined: 30-November 07

Posted 04 December 2007 - 05:25 AM

Sorry this took so long:


SmitFraudFix v2.256

Scan done at 10:43:20.68, Mon 12/03/2007
Run from C:\Documents and Settings\Em\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\main_uninstaller.exe Deleted
C:\WINDOWS\monhop.exe Deleted
C:\WINDOWS\msmdev.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{FE75F340-596F-4755-A386-922F9E44DF91}]
C:\WINDOWS\msmhost.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{03B320F7-3B5F-4842-8025-DBCD9BA5F48C}]
C:\WINDOWS\pmkret.dll Deleted
pmkret not found.
C:\WINDOWS\privacy_danger\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:31 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHotKeys] "C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe" -STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6865 bytes


I've attached the Kaspersky log as it was too long to fit into one post...sorry, it's too big, I'll have to fix it later, life calls.

Ok, here's the Kaspersky report, but I've only included the files marked as infected. The report is 2.2mb, and over 90% of the files scanned were from my secondary drive, which actually has less on it. If you need the whole thing maybe I could email it to you?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 04, 2007 10:03:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/12/2007
Kaspersky Anti-Virus database records: 471661
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 189045
Number of viruses found: 10
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 03:23:48

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\Em\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe RAR: infected - 1 skipped
E:\My Downloads\Software\mirc63.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe NSIS: infected - 4 skipped
E:\My Downloads\VideoAccessCodecInstall.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.epb skipped
E:\My Downloads\VideoAccessCodecInstall.exe/stream Infected: Trojan-Downloader.Win32.Zlob.epb skipped
E:\My Downloads\VideoAccessCodecInstall.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP244\A0030443.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

Scan process completed.
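
An added example, not code from either poster or from the SmitfraudFix tool: a Python reconciliation of the option #1 search report (post #4) against the option #2 clean report above. It lists every path marked FOUND ! that has no matching Deleted line (here nsduo.dll, which appears in the first report only), and surfaces the AppInit_DLLs value from the search pass for manual review, since the tool itself marks that section as not necessarily infected. The two report excerpts are constructed from the lines posted in this thread.

```python
import re

# Constructed excerpts of the two SmitfraudFix reports posted in this thread.
# Option #1 (Search) marks suspect files "FOUND !"; option #2 (Clean) reports "Deleted".
SEARCH_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\main_uninstaller.exe FOUND !
C:\WINDOWS\monhop.exe FOUND !
C:\WINDOWS\msmdev.dll FOUND !
C:\WINDOWS\msmhost.dll FOUND !
C:\WINDOWS\nsduo.dll FOUND !
C:\WINDOWS\pmkret.dll FOUND !
C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"
"""

CLEAN_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\main_uninstaller.exe Deleted
C:\WINDOWS\monhop.exe Deleted
C:\WINDOWS\msmdev.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{FE75F340-596F-4755-A386-922F9E44DF91}]
C:\WINDOWS\msmhost.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{03B320F7-3B5F-4842-8025-DBCD9BA5F48C}]
C:\WINDOWS\pmkret.dll Deleted
pmkret not found.
C:\WINDOWS\privacy_danger\ Deleted
"""

SECTION_RE = re.compile(r"^»+\s*(?P<name>.+)$")
FOUND_RE = re.compile(r"^(?P<path>.+?)\s+FOUND !$")
DELETED_RE = re.compile(r"^(?P<path>.+?)\s+Deleted$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def normalize(path):
    """Windows paths are case-insensitive, and the clean pass reports a removed
    folder with a trailing backslash; compare both reports on a common form."""
    return path.rstrip("\\").lower()


def sections(report):
    """Split a report into {section_name: [non-empty lines]} using the
    »»» header lines the tool emits."""
    out, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line.rstrip())
    return out


def paths_matching(report, pattern):
    return {normalize(m.group("path"))
            for line in report.splitlines()
            if (m := pattern.match(line.strip()))}


def reconcile(search_report, clean_report):
    """Compare what the search pass found with what the clean pass deleted."""
    found = paths_matching(search_report, FOUND_RE)
    deleted = paths_matching(clean_report, DELETED_RE)
    return {
        "removed": sorted(found & deleted),      # found, then deleted
        "unaccounted": sorted(found - deleted),  # found, but no Deleted line: re-check
        "unexpected": sorted(deleted - found),   # deleted without a prior FOUND
    }


def appinit_dlls(report):
    """Return the AppInit_DLLs value, or None. The tool marks this section
    'not inevitably infected', so a non-empty value is a review item, not a verdict."""
    for line in sections(report).get("AppInit_DLLs", []):
        m = REG_VALUE_RE.match(line)
        if m and m.group("name") == "AppInit_DLLs":
            return m.group("value")
    return None


if __name__ == "__main__":
    for bucket, paths in reconcile(SEARCH_REPORT, CLEAN_REPORT).items():
        print(f"{bucket}: {paths}")
    print("AppInit_DLLs for review:", appinit_dlls(SEARCH_REPORT))
```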

#7 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 04 December 2007 - 09:30 AM

Hi Emily27

You did not get all the infected items in the Kaspersky scan posted... there are 34 items and you only posted 15... I am guessing it got cut off by the length of the post... could you try again please.

andrewuk

#8 Emily27

  • Group: Member
  • Posts: 11
  • Joined: 30-November 07

Posted 04 December 2007 - 05:13 PM

I must have missed some of the infected files when I went through the report the first time. Here's all 34 infected files.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 04, 2007 10:03:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/12/2007
Kaspersky Anti-Virus database records: 471661
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 189045
Number of viruses found: 10
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 03:23:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Em\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP247\A0030538.dll Infected: not-a-virus:AdWare.Win32.Vapsup.pg skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030671.dll Infected: Trojan-Downloader.Win32.Agent.dag skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030688.dll Infected: not-a-virus:AdWare.Win32.Agent.kc skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030717.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030735.dll Infected: Trojan-Downloader.Win32.Agent.dag skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030739.dll Infected: not-a-virus:AdWare.Win32.Agent.kc skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030747.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030749.dll Infected: Trojan-Downloader.Win32.Agent.dag skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030753.dll Infected: not-a-virus:AdWare.Win32.Agent.kc skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP249\A0030845.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP249\A0030853.dll Infected: not-a-virus:AdWare.Win32.Agent.kc skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP249\A0030871.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030967.dll Infected: not-a-virus:AdWare.Win32.Agent.kc skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030972.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030980.dll Infected: not-a-virus:AdWare.Win32.Agent.kc skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030982.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030984.dll Infected: Trojan-Downloader.Win32.Agent.dag skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030985.dll Infected: not-a-virus:AdWare.Win32.Agent.jw skipped
E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe RAR: infected - 1 skipped
E:\My Downloads\Software\mirc63.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
E:\My Downloads\Software\mirc63.exe NSIS: infected - 4 skipped
E:\My Downloads\VideoAccessCodecInstall.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.epb skipped
E:\My Downloads\VideoAccessCodecInstall.exe/stream Infected: Trojan-Downloader.Win32.Zlob.epb skipped
E:\My Downloads\VideoAccessCodecInstall.exe NSIS: infected - 2 skipped
E:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP244\A0030443.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

#9 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 05 December 2007 - 11:01 AM

Hi Emily27

Quote

EDIT: I just found VideoAccessCodecInstall.exe in my downloads folder, although I don't remember when/why I would have downloaded it.
......and it is infected, so we will remove it.

The SmitfraudFix removed some of the infection; the Kaspersky scan found some more. The infections in the restore points we will clear at the end; the infections in the SmitfraudFix are safe.

So, in this post we will delete those infections and then take a deeper look into your machine to make sure everything is clear.

A word of warning first - the crack folder E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE quite probably holds the source of how you got infected in the first place, and such activities do expose your machine to a higher risk of infection. My advice would be for you to delete it. However, it is your option.


====STEP1====

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    E:\My Downloads\VideoAccessCodecInstall.exe

    If you wish to delete the crack folder, then add E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE to the OTMoveIt list above, such that the list would read:
    E:\My Downloads\VideoAccessCodecInstall.exe
    E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt

*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.


====STEP2====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
So, in your next reply could I see:
1. the OTMoveIt log
2. the DSS logs
3. some idea of how your machine is running now

andrewuk
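
An added example, not code from either poster or from Kaspersky: a Python pass over the Kaspersky Online Scanner report format quoted in posts #6 and #8 that sorts each detection the way the reply above does, into restore-point copies (cleared by flushing System Restore at the end), the removal tool's own components, riskware labelled not-a-virus, and live detections that still need action. The report lines are a constructed subset of those posted in this thread; the folder name used to recognise the removal tool's components is an assumption.

```python
import re
from collections import defaultdict

# Constructed subset of the Kaspersky Online Scanner report lines posted above.
REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Em\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Em\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030717.exe Infected: Trojan-Downloader.Win32.Zlob.cpx skipped
C:\System Volume Information\_restore{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030985.dll Infected: not-a-virus:AdWare.Win32.Agent.jw skipped
E:\My Downloads\VideoAccessCodecInstall.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.epb skipped
E:\My Downloads\VideoAccessCodecInstall.exe/stream Infected: Trojan-Downloader.Win32.Zlob.epb skipped
E:\My Downloads\VideoAccessCodecInstall.exe NSIS: infected - 2 skipped

Scan process completed.
"""

# One detection per line: "<object> Infected: <name> <action>". Objects inside an
# archive or installer are written "<file>/<member>", and the containing file gets
# a separate roll-up line ("NSIS: infected - 2 skipped") that this pattern skips.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE)
# Assumption: the removal tool sits in a folder / self-extractor named like this.
REMOVAL_TOOL_MARKERS = ("\\smitfraudfix",)


def host_file(obj):
    """'x.exe/stream/data0004' -> 'x.exe': the on-disk file a fix acts on."""
    return obj.split("/", 1)[0]


def parse_detections(report):
    return [(m.group("obj"), m.group("name"), m.group("action"))
            for line in report.splitlines()
            if (m := DETECTION_RE.match(line.strip()))]


def classify(obj, name):
    if RESTORE_POINT_RE.search(obj):
        return "restore_point"   # copy kept by System Restore; flush at the end
    if any(marker in obj.lower() for marker in REMOVAL_TOOL_MARKERS):
        return "removal_tool"    # the cleaner's own Reboot.exe etc., expected
    if name.startswith("not-a-virus:"):
        return "riskware"        # legitimate-but-abusable software; review it
    return "live"                # malware sitting on disk: needs removal


def triage(report):
    """Group detections by bucket, then by host file, with the names seen."""
    buckets = defaultdict(lambda: defaultdict(set))
    for obj, name, _action in parse_detections(report):
        buckets[classify(obj, name)][host_file(obj)].add(name)
    return {b: {f: sorted(n) for f, n in files.items()} for b, files in buckets.items()}


if __name__ == "__main__":
    for bucket, files in triage(REPORT).items():
        print(f"== {bucket} ==")
        for path, names in files.items():
            print(f"  {path}: {', '.join(names)}")
```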


#10 Emily27

  • Group: Member
  • Posts: 11
  • Joined: 30-November 07

Posted 06 December 2007 - 04:54 PM

OTMoveIt

E:\My Downloads\VideoAccessCodecInstall.exe moved successfully.
E:\My Downloads\Cracked Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE moved successfully.

Created on 12/07/2007 09:38:09

DSS Main

Deckard's System Scanner v20071014.68
Run by Em on 2007-12-07 09:39:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
11: 2007-12-06 22:39:56 UTC - RP254 - Deckard's System Scanner Restore Point
10: 2007-12-06 05:34:18 UTC - RP253 - System Checkpoint
9: 2007-12-04 10:02:07 UTC - RP252 - System Checkpoint
8: 2007-12-03 09:38:52 UTC - RP251 - System Checkpoint
7: 2007-12-02 09:07:28 UTC - RP250 - Installed Windows Media Format 9 Series Runtime Setup


-- First Restore Point --
1: 2007-12-01 05:17:21 UTC - RP244 - 1/12 trying to remove worm


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 10.62 GiB (less than 15%) free.


-- HijackThis (run as Em.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:20 AM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Em\Desktop\cleaning\dss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\upgrepl.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Em.exe
c:\program files\common files\softwin\bitdefender scan server\bdss.exe

O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHotKeys] "C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe" -STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6836 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 WPN111 (Wireless USB 2.0 Adapter with RangeMax Service) - c:\windows\system32\drivers\wpn111.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&33BC18FA&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&33BC18FA&0&0
Service: flpydisk


-- Scheduled Tasks -------------------------------------------------------------

2007-11-28 14:08:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-07 and 2007-12-07 -----------------------------

2007-12-03 10:52:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-03 10:52:16 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-02 20:47:27 0 d-------- C:\WINDOWS\pss
2007-12-02 20:17:32 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-12-02 20:17:32 47360 --a------ C:\Documents and Settings\Em\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-12-02 20:17:31 0 d-------- C:\Documents and Settings\Em\Application Data\Vso
2007-12-02 20:17:29 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2007-12-02 20:17:29 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2007-12-02 20:17:29 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2007-12-02 20:17:27 0 d-------- C:\Program Files\VSO
2007-12-02 17:08:19 2650 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-02 17:07:41 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-02 17:07:41 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-02 17:07:41 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-02 17:07:41 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-02 17:07:41 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-02 12:07:44 0 d-------- C:\Program Files\Trend Micro
2007-12-01 23:31:47 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-01 20:55:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-01 20:54:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-01 20:54:57 0 d-------- C:\Documents and Settings\Em\Application Data\SUPERAntiSpyware.com
2007-12-01 20:54:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 16:34:25 0 d-------- C:\Documents and Settings\Em\Application Data\Grisoft
2007-12-01 16:34:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-30 23:09:23 0 d-------- C:\Program Files\Common Files\xing shared
2007-11-30 14:08:37 0 dr-h----- C:\Documents and Settings\Em\Recent
2007-11-30 12:02:16 0 d-------- C:\Program Files\CCleaner
2007-11-30 11:56:40 0 d-------- C:\Documents and Settings\Em\Application Data\Bitdefender
2007-11-30 11:51:16 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-11-30 11:45:43 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-11-30 11:41:42 624640 --a------ C:\WINDOWS\system32\aswBoot.exe <Not Verified; ; avast! Antivirus>
2007-11-29 00:58:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-29 00:56:14 0 d-------- C:\Program Files\Yahoo!
2007-11-24 22:20:16 0 d-------- C:\Program Files\DVD Audio Extractor
2007-11-24 08:13:24 0 d-------- C:\Program Files\Real
2007-11-24 08:13:24 0 d-------- C:\Program Files\Common Files\Real
2007-11-24 08:13:04 0 d-------- C:\Documents and Settings\Em\Application Data\Real
2007-11-22 20:17:00 0 d-------- C:\Program Files\GameSpy Arcade
2007-11-22 20:11:17 0 d-------- C:\Program Files\Microsoft Games
2007-11-22 00:42:00 0 d-------- C:\Documents and Settings\Em\Application Data\Stardock
2007-11-21 23:43:07 187392 --a------ C:\WINDOWS\system32\JPGUtils.dll
2007-11-21 23:43:05 0 d-------- C:\Program Files\WinCustomize
2007-11-21 23:39:39 0 d-------- C:\Program Files\Common Files\Stardock
2007-11-21 23:39:38 0 d-------- C:\Program Files\Stardock
2007-11-21 23:29:02 0 d-------- C:\Program Files\ExplorerXP
2007-11-16 13:42:43 0 d-------- C:\Program Files\Guitar Pro 5
2007-11-13 18:50:58 0 d-------- C:\Documents and Settings\Em\Application Data\Nero
2007-11-10 15:18:09 0 d-------- C:\Program Files\Logon Loader
2007-11-10 14:27:23 441 --a------ C:\bootbak.bat
2007-11-09 01:39:18 0 d-------- C:\Program Files\RoyaleNoirThemePack


-- Find3M Report ---------------------------------------------------------------

2007-12-07 09:40:00 0 d-------- C:\Documents and Settings\Em\Application Data\Azureus
2007-12-07 09:39:33 0 d-------- C:\Program Files\GetRight
2007-12-03 16:31:06 0 d-------- C:\Documents and Settings\Em\Application Data\LimeWire
2007-12-02 20:17:37 34 --a------ C:\Documents and Settings\Em\Application Data\pcouffin.log
2007-12-02 20:17:32 1144 --a------ C:\Documents and Settings\Em\Application Data\pcouffin.inf
2007-12-02 20:17:32 7887 --a------ C:\Documents and Settings\Em\Application Data\pcouffin.cat
2007-12-02 10:42:46 0 d-------- C:\Program Files\ULI5289
2007-12-02 10:40:51 0 d-------- C:\Program Files\Palm
2007-12-02 10:36:24 0 d-------- C:\Program Files\iTunes
2007-12-02 10:28:19 0 d-------- C:\Program Files\Common Files\DataViz
2007-12-02 09:55:26 0 d-------- C:\Program Files\Winamp
2007-12-01 20:54:45 0 d-------- C:\Program Files\Common Files
2007-11-30 14:31:51 0 d-------- C:\Program Files\BFG
2007-11-22 00:18:59 2273792 --a------ C:\WINDOWS\system32\logonuiX.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-21 16:32:27 0 d-------- C:\Program Files\Java
2007-11-20 15:44:59 0 d-------- C:\Program Files\SlySoft
2007-11-10 15:08:07 2193664 --a------ C:\WINDOWS\system32\kernel1.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-10 07:50:36 0 d-------- C:\Program Files\Documents To Go
2007-10-30 22:57:45 0 d-------- C:\Program Files\Azureus
2007-10-24 22:27:40 0 d-------- C:\Documents and Settings\Em\Application Data\Adobe
2007-10-21 19:26:58 0 d-------- C:\Program Files\Picasa2
2007-10-21 19:24:14 0 d-------- C:\Program Files\Google
2007-10-18 20:12:44 0 d-------- C:\Documents and Settings\Em\Application Data\com.ebay.sandimas.public-beta
2007-10-18 20:06:41 0 d-------- C:\Program Files\Common Files\Adobe AIR
2007-10-17 22:31:18 0 d-------- C:\Program Files\YouTube Downloader
2007-10-14 17:39:29 0 d-------- C:\Program Files\iPod
2007-10-08 18:29:13 0 d-------- C:\Program Files\VeryPDF PDF2Word v3.0
2007-09-18 05:23:00 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-18 05:23:00 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-18 05:22:58 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-18 05:22:58 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="C:\Program Files\ULI5289\ALi5289.exe" [03/10/2005 05:56 PM]
"SoundMan"="SOUNDMAN.EXE" [12/22/2004 08:09 PM C:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [08/06/2005 02:07 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 09:24 PM]
"CTHotKeys"="C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe" [08/18/2005 12:51 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 08:22 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 07:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 08:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:56 PM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [11/12/2007 04:07 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Em\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [8/6/2005 2:07:30 AM]
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [8/1/2007 12:22:18 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Em^Start Menu^Programs^Startup^Palm Registration.lnk]
path=C:\Documents and Settings\Em\Start Menu\Programs\Startup\Palm Registration.lnk
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




-- End of Deckard's System Scanner: finished at 2007-12-07 09:42:30 ------------


DSS Extra

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 1023.48 MiB / 352.79 MiB
Pagefile Memory (total/avail): 2460.59 MiB / 1813.22 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.58 MiB

C: is Fixed (NTFS) - 149.03 GiB total, 10.62 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 152.66 GiB total, 80.02 GiB free.

\\.\PHYSICALDRIVE1 - Maxtor 6L160P0 - 152.66 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 152.66 GiB - E:

\\.\PHYSICALDRIVE0 - ST3160812A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.03 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Bitdefender Antivirus v8.0 (Softwin) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\GetRight\\getright.exe"="C:\\Program Files\\GetRight\\getright.exe:*:Enabled:GetRight® Download Manager. www.GetRight.com"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"="C:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe:*:Enabled:Age of Mythology"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Em\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=EMILY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Em
LOGONSERVER=\\EMILY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\GetRight;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Em\LOCALS~1\Temp
TMP=C:\DOCUME~1\Em\LOCALS~1\Temp
USERDOMAIN=EMILY
USERNAME=Em
USERPROFILE=C:\Documents and Settings\Em
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Em (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DF952AD-25A3-4810-9DC7-6EB05B63D051}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DF952AD-25A3-4810-9DC7-6EB05B63D051}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9019B5A3-CE40-404A-9B5B-B88520B2F53B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9019B5A3-CE40-404A-9B5B-B88520B2F53B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D68E8E71-E935-46B5-9EC5-C68B5D5A6D7D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D68E8E71-E935-46B5-9EC5-C68B5D5A6D7D}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Integrated Runtime (AIR) --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0.5\Adobe AIR Setup.exe -arp:uninstall
Adobe Integrated Runtime (AIR) --> MsiExec.exe /I{199FC15D-2E06-47BE-B3EA-CA086FCB94CF}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Age of Mythology --> "C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{86EC42B5-346E-4BAB-948D-58E021EA4BD1}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ConvertXtoDVD 2.2.3.258h --> "C:\Program Files\VSO\ConvertXtoDVD\unins000.exe"
Creative Prodikeys PC-MIDI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{987946DE-D6BC-4703-B178-1649CEE2CF93}\SETUP.EXE" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Documents To Go --> MsiExec.exe /X{EB807EB6-5179-48B7-98D4-7B4934A57A81}
DVD Audio Extractor 4.1.1 --> "C:\Program Files\DVD Audio Extractor\unins000.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
ExplorerXP (remove only) --> C:\Program Files\ExplorerXP\Uninst.exe
FREE Hi-Q Recorder 1.9 --> "C:\Program Files\FREE Hi-Q Recorder\unins000.exe"
Free WMA to MP3 Converter 1.16 --> "C:\Program Files\Free WMA to MP3 Converter\unins000.exe"
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
GetRight --> "C:\Program Files\GetRight\unins000.exe"
GoldWave v5.10 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.10" "C:\Program Files\GoldWave\unstall.log"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.14.8 --> "C:\Program Files\LimeWire\uninstall.exe"
Logon Loader 3.0 --> C:\Program Files\Logon Loader\uninst.exe
Magic DVD Ripper V5.0.1 --> "C:\Program Files\MagicDVDRipper\unins000.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Rise Of Nations --> "C:\Program Files\Microsoft Games\Rise of Nations\UNINSTAL.EXE" /runtemp /addremove
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mobipocket Reader 6.0 --> MsiExec.exe /I{ED386A62-2BA2-4544-A723-5DFFDC283F6A}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero 7 Ultra Edition --> MsiExec.exe /I{6D6C1253-F5A2-4E0C-9070-F3C1176C1033}
Palm --> MsiExec.exe /X{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Peggle (remove only) --> C:\Program Files\Peggle\Uninstall.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Security Update for Excel 2007 (KB936509) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Sony Ericsson PC Suite --> MsiExec.exe /I{50F90522-2ACE-434E-9987-F42A5F06208F}
Sony Media Manager 2.2 --> MsiExec.exe /X{C9E129BC-27D3-436E-BAAC-4CE81E0962F1}
Sony Vegas 7.0 --> MsiExec.exe /X{96965E6C-41DB-4E0A-BC65-D92381D51D2A}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TagTuner 1.9 --> "C:\Program Files\TagTuner\unins000.exe"
ULi M5289 SATA Controller Driver --> C:\WINDOWS\System32\unM5289.EXE C:\WINDOWS\IsUninst.exe -y -fC:\WINDOWS\System32\ALiM5289.isu
ULi PCI to AGP Controller Driver --> C:\WINDOWS\System32\UnAGP.EXE C:\WINDOWS\IsUninst.exe -y -fC:\WINDOWS\System32\ALiAGP.isu
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB933493) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {23F2FF76-ABCD-421D-9860-0D0B2999D028}
Update for Outlook 2007 Junk Email Filter (kb943559) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {2BE2B020-CE6A-4AD1-8291-2B881CF923B6}
Update for Word 2007 (KB934173) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
VeryPDF PDF2Word v3.0 --> "C:\Program Files\VeryPDF PDF2Word v3.0\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows XP Royale Noir Theme Pack --> "C:\Program Files\RoyaleNoirThemePack\Uninstall.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1568 / Error
Event Submitted/Written: 12/06/2007 08:04:43 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1567 / Error
Event Submitted/Written: 12/06/2007 08:04:42 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1564 / Error
Event Submitted/Written: 12/05/2007 03:55:21 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1563 / Error
Event Submitted/Written: 12/05/2007 03:55:19 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type1560 / Error
Event Submitted/Written: 12/05/2007 10:01:23 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13105 / Error
Event Submitted/Written: 12/07/2007 09:41:40 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDRsDrv service failed to start due to the following error:
%%2

Event Record #/Type13104 / Error
Event Submitted/Written: 12/07/2007 09:41:40 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDFsDrv service failed to start due to the following error:
%%2

Event Record #/Type13094 / Warning
Event Submitted/Written: 12/07/2007 09:34:45 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type13088 / Error
Event Submitted/Written: 12/07/2007 09:25:52 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDRsDrv service failed to start due to the following error:
%%2

Event Record #/Type13087 / Error
Event Submitted/Written: 12/07/2007 09:25:52 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDFsDrv service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2007-12-07 09:42:30 ------------



My machine is running the way it was before I started getting all of the pop ups and spyware warnings, but that doesn't mean it's clean. I'd like to remove any remaining infections. Thanks for the help!
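The DSS event-log excerpt above carries two items a responder would pull out by hand: Service Control Manager Event 7000 entries whose `%%2` placeholder is Win32 error 2 (ERROR_FILE_NOT_FOUND, i.e. the driver or service binary is missing), and Tcpip Event 4226, the Windows XP SP2 cap of 10 concurrent half-open outbound TCP connections, which a scanning worm or spam bot tends to trip repeatedly. The Python script below is an added example, not part of this thread and not DSS code; it parses DSS's `Event Record` blocks and returns those two kinds of findings. The sample records are constructed in DSS's layout from the kinds of entries above. Whether a failed driver start is a leftover of an uninstalled product or a tampered driver is for the analyst to decide; the script only surfaces it.

```python
"""Triage of the Event Log section of a Deckard's System Scanner (DSS) report.

Added example, not part of the forum thread or of DSS itself. SAMPLE_LOG is
constructed in the record layout DSS prints; the Event IDs, sources and
descriptions mirror the kinds of entries in the log above.
"""
import re

# Win32 error codes that the Service Control Manager substitutes for %%N in
# Event 7000 descriptions (only the ones relevant to start failures).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND (driver/service binary missing)",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
}

SAMPLE_LOG = """\
-- System Event Log ------------------------------------------------------------

Event Record #/Type13105 / Error
Event Submitted/Written: 12/07/2007 09:41:40 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDRsDrv service failed to start due to the following error:
%%2

Event Record #/Type13094 / Warning
Event Submitted/Written: 12/07/2007 09:34:45 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1568 / Error
Event Submitted/Written: 12/06/2007 08:04:43 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.
"""

RECORD_HEADER = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
ID_SOURCE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
SERVICE_NAME = re.compile(r"^The (\S+) service failed to start")


def parse_records(text):
    """Split a DSS event-log dump into dicts: record, level, event_id, source, description."""
    records, cur, in_desc = [], None, False
    for line in text.splitlines():
        m = RECORD_HEADER.match(line)
        if m:
            cur = {"record": int(m.group(1)), "level": m.group(2), "description": []}
            records.append(cur)
            in_desc = False
            continue
        if cur is None:
            continue
        m = ID_SOURCE.match(line)
        if m:
            cur["event_id"], cur["source"] = int(m.group(1)), m.group(2).strip()
        elif line.startswith("Event Description:"):
            in_desc = True
        elif in_desc:
            if line.strip():
                cur["description"].append(line.strip())
            else:
                in_desc = False  # a blank line ends the record
    for r in records:
        r["description"] = " ".join(r["description"])
    return records


def triage(records):
    """Return (event_id, note) pairs for the entries worth a second look."""
    findings = []
    for r in records:
        eid, src, desc = r.get("event_id"), r.get("source", ""), r["description"]
        if eid == 7000 and src == "Service Control Manager":
            svc = SERVICE_NAME.search(desc)
            code = re.search(r"%%(\d+)", desc)
            n = int(code.group(1)) if code else None
            why = WIN32_ERRORS.get(n, f"Win32 error {n}")
            name = svc.group(1) if svc else "?"
            findings.append((eid, f"service {name} failed to start: {why}"))
        elif eid == 4226 and src == "Tcpip":
            # XP SP2 caps half-open outbound TCP connections at 10; hitting the cap
            # repeatedly is a classic sign of a scanning worm, spam bot or P2P client.
            findings.append((eid, "half-open TCP connection limit hit; check for scanning/spam activity"))
    return findings


if __name__ == "__main__":
    for eid, note in triage(parse_records(SAMPLE_LOG)):
        print(eid, note)
```

The PerfNet 2004 errors are deliberately not reported: they only say the Server service performance counters could not be opened, which is noise on a home machine.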

#11 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 07 December 2007 - 12:57 PM

Hi Emily27

Quote

My machine is running the way it was before I started getting all of the pop ups and spyware warnings, but that doesn't mean it's clean. I'd like to remove any remaining infections. Thanks for the help!
Sure - that's the aim here; I was just seeing if there were any outward signs of an infection :)


I want to scan a file, and let's do another scan.


====STEP1====

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\kernel1.exe

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal.

andrewuk


====STEP2====


I am assuming you still have SUPERAntiSpyware on your machine; if not, download and scan with SUPERAntiSpyware Free for Home Users:
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.

  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.

  • Click Close to exit the program.
So, in your next reply could I see:
1. the Jotti scan log
2. the Superantispyware scan log

andrewuk


#12 Emily27

  • Group: Member
  • Posts: 11
  • Joined: 30-November 07

Posted 08 December 2007 - 03:35 AM

Virustotal Log

Antivirus Version Last Update Result
AhnLab-V3 2007.12.8.0 2007.12.07 -
AntiVir 7.6.0.40 2007.12.07 -
Authentium 4.93.8 2007.12.07 -
Avast 4.7.1098.0 2007.12.07 -
AVG 7.5.0.503 2007.12.07 -
BitDefender 7.2 2007.12.08 -
CAT-QuickHeal 9.00 2007.12.08 -
ClamAV 0.91.2 2007.12.08 -
DrWeb 4.44.0.09170 2007.12.08 -
eSafe 7.0.15.0 2007.12.06 -
eTrust-Vet 31.3.5361 2007.12.08 -
Ewido 4.0 2007.12.07 -
FileAdvisor 1 2007.12.08 -
Fortinet 3.14.0.0 2007.12.08 -
F-Prot 4.4.2.54 2007.12.07 -
F-Secure 6.70.13030.0 2007.12.08 -
Ikarus T3.1.1.12 2007.12.08 -
Kaspersky 7.0.0.125 2007.12.08 -
McAfee 5181 2007.12.08 -
Microsoft 1.3007 2007.12.08 -
NOD32v2 2711 2007.12.07 -
Norman 5.80.02 2007.12.07 -
Panda 9.0.0.4 2007.12.07 -
Prevx1 V2 2007.12.08 -
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.08 -
Sunbelt 2.2.907.0 2007.12.07 -
Symantec 10 2007.12.08 -
TheHacker 6.2.9.153 2007.12.07 -
VBA32 3.12.2.5 2007.12.07 -
VirusBuster 4.3.26:9 2007.12.07 -
Webwasher-Gateway 6.6.2 2007.12.08 Win32.Malware.gen!80 (suspicious)


SUPERAntiSpyware Scan Log
Generated 12/08/2007 at 06:41 PM

Application Version : 3.6.1000

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 03:40:22

Memory items scanned : 598
Memory threats detected : 0
Registry items scanned : 6098
Registry threats detected : 10
File items scanned : 125845
File threats detected : 25

Trojan.Net-MSV/VPS
HKLM\Software\Classes\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\InprocServer32
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\InprocServer32#ThreadingModel
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\ProgID
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\Programmable
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\TypeLib
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\VersionIndependentProgID
C:\WINDOWS\NSDUO.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030688.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030739.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030753.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP249\A0030853.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030967.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030980.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Em\Cookies\em@adopt.specificclick[1].txt
C:\Documents and Settings\Em\Cookies\em@adopt.euroclick[2].txt
C:\Documents and Settings\Em\Cookies\em@doubleclick[1].txt
C:\Documents and Settings\Em\Cookies\em@2o7[2].txt
C:\Documents and Settings\Em\Cookies\em@adtech[1].txt
C:\Documents and Settings\Em\Cookies\em@windowsmedia[1].txt
C:\Documents and Settings\Em\Cookies\em@overture[1].txt
C:\Documents and Settings\Em\Cookies\em@specificclick[1].txt
C:\Documents and Settings\Em\Cookies\em@msnportal.112.2o7[1].txt
C:\Documents and Settings\Em\Cookies\em@atdmt[2].txt

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-1606980848-1417001333-839522115-1003\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Trojan.Net-MSV/VPS-H
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP247\A0030534.DLL

Trojan.Net-MSM/NMC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030671.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030735.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP248\A0030749.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030984.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EF7B86E4-5116-4524-A81F-EF287FE0DA30}\RP250\A0030985.DLL

Trojan.Downloader/Media-Codec
C:\_OTMOVEIT\MOVEDFILES\MY DOWNLOADS\VIDEOACCESSCODECINSTALL.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Em\Local Settings\Temporary Internet Files\Content.IE5\GUUPT6OK\main[2].htm
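The multi-engine result above is the classic inconclusive case: one gateway product with a heuristic/generic name ("Win32.Malware.gen!80 (suspicious)") and no family signature from anyone else. The Python script below is an added example, not part of this thread and not Jotti or VirusTotal code; it parses a result table in the four-column layout of the post (engine, version, signature date, result, with `-` meaning no detection), separates heuristic hits from named signatures, reports engines whose signatures are older than the newest in the set, and applies a simple verdict policy. The table is constructed from a subset of the rows above, and the thresholds are an assumption for the demonstration. Note that "no detections" is not proof a file is benign, which is why the next step in the thread is to look at the file itself.

```python
"""Summarise a multi-engine scan result table.

Added example, not from the forum thread or from any scanning service. The
table below is constructed in the layout of the posted result; the verdict
thresholds are assumptions for the demonstration.
"""
import re

SAMPLE_TABLE = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.12.8.0 2007.12.07 -
AntiVir 7.6.0.40 2007.12.07 -
Kaspersky 7.0.0.125 2007.12.08 -
McAfee 5181 2007.12.08 -
Symantec 10 2007.12.08 -
Webwasher-Gateway 6.6.2 2007.12.08 Win32.Malware.gen!80 (suspicious)
"""

# engine, version, YYYY.MM.DD signature date, then the result (may contain spaces)
ROW = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<date>\d{4}\.\d{2}\.\d{2}) (?P<result>.*)$")
# detection names that signal a heuristic/generic hit rather than a family signature
HEURISTIC = re.compile(r"suspicious|heuristic|generic|\.gen\b|probably|unknown", re.I)


def parse_table(text):
    """Return one dict per engine row; the header line does not match ROW and is skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def summarise(rows, named_threshold=2):
    """Classify the table. Assumed policy: at least `named_threshold` family signatures
    means malicious; any other hit is inconclusive and needs hash/sandbox follow-up."""
    hits = [r for r in rows if r["result"].strip() != "-"]
    heuristic = [r for r in hits if HEURISTIC.search(r["result"])]
    named = [r for r in hits if not HEURISTIC.search(r["result"])]
    # YYYY.MM.DD sorts correctly as a string, so the newest date is the max
    newest = max(r["date"] for r in rows) if rows else ""
    stale = [r["engine"] for r in rows if r["date"] < newest]
    if len(named) >= named_threshold:
        verdict = "malicious"
    elif hits:
        verdict = "inconclusive"
    else:
        verdict = "no detections"
    return {
        "engines": len(rows),
        "detections": len(hits),
        "named": len(named),
        "heuristic": len(heuristic),
        "stale": stale,
        "verdict": verdict,
        "flagged_by": [(r["engine"], r["result"]) for r in hits],
    }


if __name__ == "__main__":
    print(summarise(parse_table(SAMPLE_TABLE)))
```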

#13 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 09 December 2007 - 08:39 AM

Hi Emily27

Looks like we are almost there - many of the infections in the spyware scan were in restore points (which we will clean out later), in temp files, or safely quarantined.....but there still seem to be stubborn traces of smitfraud, and that file you scanned was potentially bad.

So, in this post we will look into that potentially bad file and do another smitfraud scan.


====STEP1==== C:\WINDOWS\system32\kernel1.exe

The Jotti scan was not conclusive enough to call this definitely bad, nor definitely good.

Do you remember downloading this file back on the 10th November? Do you have StileXP or TuneUp Utilities?

Could you find the file, right-click on it and tell me what it says; try also under the Version tab in Properties.

You may have to unhide files to find it:

Click Start

Open My Computer

Select the Tools menu and click Folder Options

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK


====STEP2====

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


So, in your next reply could I see:
1. any ideas on this C:\WINDOWS\system32\kernel1.exe file
2. the smitfraudfix scan
3. a new hijackthis log

andrewuk

#14 Emily27

  • Group: Member
  • Posts: 11
  • Joined: 30-November 07

Posted 09 December 2007 - 09:05 AM

andrewuk, on Dec 10 2007, 01:39 AM, said:

So, in your next reply could i see:
1. any ideas on this C:\WINDOWS\system32\kernel1.exe file


On November 10 I downloaded a bunch of XP modding software, for changing the boot and login screens. Should I use OTMoveIt to remove the files? I don't use them anyway.

andrewuk, on Dec 10 2007, 01:39 AM, said:

2. the smitfraudfix scan


SmitFraudFix v2.256

Scan done at 1:57:17.14, Mon 12/10/2007
Run from C:\Documents and Settings\Em\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Em


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Em\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Em\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D8AEEAA7-69B3-4335-A833-D58C22C150AA}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


andrewuk, on Dec 10 2007, 01:39 AM, said:

3. a new hijackthis log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:56 AM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHotKeys] "C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe" -STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6778 bytes
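The HijackThis log above is read by eye in the thread: the one entry that survives is the R0 start page pointing at softwarereferral.com, which is what the helper fixes next. The Python script below is an added example, not part of this thread and not HijackThis code; it applies three checks a responder makes on such a log: an R0/R1 browser setting whose host is not on an allow-list (the allow-list is an assumption for the demonstration), an O4 Run entry that is a bare file name such as `SOUNDMAN.EXE` (no path, so which copy runs depends on the PATH search order and should be verified) or that starts from a Temp or profile location, and an O23 service reported as "Unknown owner", which only means the binary carries no company version information and so needs verification by hash or signature rather than condemnation. The sample lines are constructed from entry types in the log above; the one O4 line pointing into a Temp folder is constructed purely to exercise that check and did not appear in Emily27's log.

```python
"""Triage of HijackThis log lines.

Added example, not part of the forum thread and not HijackThis code. SAMPLE_LOG is
constructed from the entry types in the posted log; the [updater] O4 line is
invented to exercise the temp-folder check. TRUSTED_HOSTS is an assumed allow-list.
"""
import re
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\upd.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

HJT_LINE = re.compile(r"^(O\d+|R\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"= (?P<url>\S+)$")
UNQUOTED_EXE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)", re.I)

TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "about:blank"}  # assumed allow-list
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\local settings\\")


def executable_of(cmd):
    """Pull the program path out of a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = UNQUOTED_EXE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log):
    """Return (entry_type, note) pairs for entries that need verification."""
    findings = []
    for line in log.splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind in ("R0", "R1"):
            u = R_RE.search(rest)
            if u:
                host = urlsplit(u.group("url")).hostname or u.group("url")
                if host not in TRUSTED_HOSTS:
                    findings.append((kind, f"browser setting points at {host}"))
        elif kind == "O4":
            o = O4_RE.match(rest)
            if not o:
                continue
            exe = executable_of(o.group("cmd"))
            if "\\" not in exe:
                # bare name: resolved through the PATH search order, so a same-named
                # file earlier in that order would run instead of the intended one
                findings.append((kind, f"[{o.group('name')}] runs bare name {exe}; verify which copy runs"))
            elif any(mk in exe.lower() for mk in TEMP_MARKERS):
                findings.append((kind, f"[{o.group('name')}] autostarts from a temp/profile location: {exe}"))
        elif kind == "O23":
            s = O23_RE.match(rest)
            if s and s.group("owner") == "Unknown owner":
                findings.append((kind, f"service '{s.group('svc')}' has no publisher info; verify {s.group('path')} by hash/signature"))
    return findings


if __name__ == "__main__":
    for kind, note in triage(SAMPLE_LOG):
        print(kind, note)
```

The temp-folder check is a heuristic and will also catch legitimate per-user installers that live under Local Settings; it marks entries to verify, not to delete.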

#15 andrewuk

  • Group: Malware Removal
  • Posts: 5,297
  • Joined: 18-August 07

Posted 09 December 2007 - 01:49 PM

Hi Emily27

Quote

On November 10 I downloaded a bunch of XP modding software, for changing the boot and login screens. Should I use OTMoveIt to remove the files? I don't use them anyway.
Yes, if you don't need them, then remove them......but don't use OTMoveIt; remove the files manually. I don't think they are infected; you downloaded them a long time before your infections became apparent.


Now on to your current infection - the last scan did not find any sign of it, so the SUPERAntiSpyware scan cleaned it all out. So we will remove a final entry in the HijackThis log and do an online scan to confirm all is gone.

====STEP1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP2====
I know this takes a long time, but let's confirm that everything that is not quarantined or sitting in restore points is clean:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:

  • Save the file to your desktop.
  • Copy and paste that information in your next post.


====STEP3====
And let's take a final look at your machine:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


So, in your next reply can I see:
1. the kaspersky online scan log (or at least a list of the infected items)
2. the 2 DSS logs

......if there is too much information to post in one reply, you may need to spread it over 2 replies

andrewuk

