AdvancedCleaner [CLOSED]


#1
paul_r_jacobs (Member, 12 posts)
My system is infected with AdvancedCleaner and seemingly a number of other bogus Malware products. Several sessions with CA personnel have gotten me nowhere. I'm hoping I can get some help here.

#2
paul_r_jacobs (Topic Starter, 12 posts)
Logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:04 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caav.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caavGUIScan.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www3.ca.com/v...p...rats.A&ad=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [6c44b7af] rundll32.exe "C:\WINDOWS\system32\kgdnoqfq.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: AutoTBar.exe
O4 - Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...23.9/ttinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yeevnpun.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 4363 bytes

#3
paul_r_jacobs (Topic Starter, 12 posts)
Sorry about the bump :-( Didn't read the posting stuff right away....

#4
sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi paul_r_jacobs ,

Welcome to Geeks To Go,

I'm sorry that we haven't got to you until now, but the forum can get hectic at times.

I am sage5 and I will be helping you with this problem.

First, a question:

I see that the log you posted was performed in Safe Mode.
Is this because the machine will not start in Normal Mode?

If it will:
Please download the following & save to your Desktop:
RogueRemover by RubberDucky
Deckard's System Scanner

  • Double-click rr-free-setup.exe to begin installing the program.
  • Follow the setup instructions for installation.
  • Double-click the RogueRemover icon on your desktop.
  • Once the program runs, select Check for Updates.
  • When prompted, select Check for Updates.
  • If prompted again, click Download to receive the latest updates.
  • When completed, close the update window.
  • Next, click Scan
  • If it detects anything, select to remove all objects found.
  • Close RogueRemover


Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



If it will not:
Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [6c44b7af] rundll32.exe "C:\WINDOWS\system32\kgdnoqfq.dll",b
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yeevnpun.exe

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    AdvancedCleaner Free
    AdvancedCleaner

    Please take note of any other programs that you don't recognise in that list, and include them in your next response.
  • Using Windows Explorer, (to get there right-click your Start button and go to "Explore"), delete these folders, (if present):
    C:\Program Files\AdvancedCleaner Free
  • Delete these files, (if present):
    C:\WINDOWS\system32\yeevnpun.exe
    C:\WINDOWS\system32\kgdnoqfq.dll

Try to reboot into Normal mode.
If it will restart, go to the "If it will" instructions above, and post the 2 logs asked for there.

Cheers,

sage5
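One way to automate the checks sage5 makes by eye on the HijackThis log above (a toolbar with no name and "(no file)", a Run value named with random hex, a service with "Unknown owner", random-named binaries dropped straight into system32), as an added example that is not part of the original thread or of HijackThis itself. The heuristics, the small allowlist and the sample lines are constructed here; a hit means "look closer", not "malicious".

```python
"""Triage a HijackThis v2 log for the patterns a helper checks by eye.

Added example for this thread, not part of HijackThis or of the original
posts. The heuristics, allowlist and sample log are constructed for
illustration; a hit is a prompt to investigate, not a verdict.
"""
import re

# Constructed sample: lines copied from the thread's log, with benign
# neighbours kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0012BF4C-48F4-43D9-8AC6-0B779555350B} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [6c44b7af] rundll32.exe "C:\WINDOWS\system32\kgdnoqfq.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yeevnpun.exe
"""

# Every HijackThis entry line starts with its section code, e.g. "O4 - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A binary directly under system32 whose stem is 5-10 letters only (no
# digits, no vendor prefix): the naming style of the files in this thread.
# Case is ignored so both "system32" and "System32" paths match.
SYS32_RE = re.compile(r"\\system32\\([a-z]{5,10})\.(?:dll|exe)\b", re.IGNORECASE)
# The Run value name sits in square brackets: [6c44b7af], [iTunesHelper].
RUN_VALUE_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")

# Illustrative allowlist (assumption): genuine XP binaries that would
# otherwise match SYS32_RE. Real triage would consult a vetted database.
KNOWN_SYS32 = {"svchost", "lsass", "services", "winlogon", "userinit",
               "ctfmon", "explorer", "msmsgs", "shell"}


def parse_entries(log_text):
    """Yield (kind, body) for each R/O entry line; headers are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text):
    """Return [(reason, line)] for entries that deserve a second look."""
    findings = []
    for kind, body in parse_entries(log_text):
        line = f"{kind} - {body}"
        reasons = []
        # 1. Orphaned BHO/toolbar: registered with no name and the file is gone.
        if kind in ("O2", "O3") and "(no name)" in body and body.endswith("(no file)"):
            reasons.append("orphaned entry with no name and no file")
        # 2. Autorun value named like a random hex string (e.g. [6c44b7af]).
        if kind == "O4":
            mv = RUN_VALUE_RE.search(body)
            if mv and HEX_NAME_RE.match(mv.group("name")):
                reasons.append("Run value named with random hex")
        # 3. Service whose binary carries no publisher information.
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
        # 4. Random-looking binary dropped straight into system32.
        for ms in SYS32_RE.finditer(body):
            stem = ms.group(1).lower()
            if stem not in KNOWN_SYS32:
                reasons.append(f"random-looking system32 binary {stem}")
        if reasons:
            findings.append(("; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```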

#5
paul_r_jacobs (Topic Starter, 12 posts)
Rogue Remover didn't find anything. Hope the below helps. Thank you VERY much....


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 503.52 MiB / 339.02 MiB
Pagefile Memory (total/avail): 847.12 MiB / 761.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.68 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 68.96 GiB total, 40.55 GiB free.
D: is Fixed (FAT32) - 5.55 GiB total, 0.96 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST380012A - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 5.56 GiB - D:
\PARTITION1 (bootable) - Installable File System - 68.96 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: CA Anti-Virus v8.3.0.1 (CA, Inc.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1154815383\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1154815383\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Nexon\\Common\\nmservice.exe"="C:\\Program Files\\Nexon\\Common\\nmservice.exe:*:Enabled:Nexon Messenger Core"
"C:\\Program Files\\Real\\RealOne Player\\trueplay.exe"="C:\\Program Files\\Real\\RealOne Player\\trueplay.exe:*:Disabled:RealOne Player"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\1154815383\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1154815383\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Mplay\\Crazy Arcade\\CA.exe"="C:\\Program Files\\Mplay\\Crazy Arcade\\CA.exe:*:Enabled:Crazy Arcade Client"
"C:\\Program Files\\Mplay\\Crazy Arcade\\NMCOSrv.exe"="C:\\Program Files\\Mplay\\Crazy Arcade\\NMCOSrv.exe:*:Enabled:NexonMessenger Core"
"C:\\Program Files\\Mplay\\Crazy Arcade\\NewPatcher.exe"="C:\\Program Files\\Mplay\\Crazy Arcade\\NewPatcher.exe:*:Enabled:Nexon Game Launcher"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\system32\\gvuvhieg.exe"="C:\\WINDOWS\\system32\\gvu"
"C:\\WINDOWS\\system32\\nnbniter.exe"="C:\\WINDOWS\\system32\\nnb"
"C:\\WINDOWS\\system32\\cnuejpie.exe"="C:\\WINDOWS\\system32\\cnu"
"C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\WINDOWS\\system32\\yeevnpun.exe"="C:\\WINDOWS\\system32\\yee"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\pwgcxdgx.exe"="C:\\WINDOWS\\system32\\pwg"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YONGSKOMRO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\YONGSKOMRO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=YONGSKOMRO
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Yong (admin)
Alex (admin)
rachel (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe" -l0x9 /cont -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 /removeonly -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 /removeonly -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 /removeonly -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 /removeonly -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
CA Anti-Spyware --> MsiExec.exe /X{609B0E8F-0E98-46BF-85F9-7123D1022D84}
CA Internet Security Suite --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u
CA Pest Patrol Realtime Protection --> MsiExec.exe /X{F05A5232-CE5E-4274-AB27-44EB8105898D}
Crazy Arcade --> C:\Program Files\Mplay\Crazy Arcade\uninstall.exe
CreativeProjects -->
Director -->
Express Burn --> C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photo & Imaging 3.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photo and Imaging 2.0 - Photosmart Cameras --> MsiExec.exe /X{5D7F0A0E-369E-46C0-9F99-FAB21A064781}
HPImageZone --> MsiExec.exe /X{11946FA8-329A-4DDF-B867-A32781FED8EE}
HPIZ Fix2 -->
hpmdtab -->
HpSdpAppCoreApp -->
HPSystemDiagnostics -->
InstantShare -->
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Kazaa 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{38C76428-6C9C-4CC6-B747-3AB6A4770225}\Setup.exe" -l0x9 --AddRemove
KBD --> C:\HP\KBD\KBD.EXE uninstalled
LimeWire 4.12.14 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft ASP.NET codename "Atlas" --> MsiExec.exe /I{082BDF7B-4810-4599-BF0D-E3AC44EC8524}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Netegrity SiteMinder SDK v6.0 SP2 --> "C:\Program Files\netegrity\sdk\install_config_info\nete-sdk-uninstall\uninstall.exe"
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
NVIDIA Gart Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OmniPass --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\Setup.exe" -l0x9
PC Pitstop Optimize 1.5 --> "C:\Program Files\PCPitstop\Optimize\unins000.exe"
PhotoGallery -->
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Pivot Stickfigure Animator --> MsiExec.exe /I{BEAD39CD-901D-4267-8B8B-EAA83CB4B70D}
PrintScreen -->
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
PSShortcutsP -->
QFolder -->
Quicken 2003 New User Edition -->
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
QuickProjects -->
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Screensavers Installer --> "C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SkinsHP1 -->
SkinsHP2 -->
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Sims Unleashed --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C32C567-DC0F-4C80-B06C-7873850A2E06}\setup.exe" -l0009
toolkit --> c:\Windows\HPTK\unhptkit.exe
TrayApp -->
Unload -->
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
WebFldrs XP -->
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0) --> rundll32.exe C:\PROGRA~1\DIFX\F78795BBB376EE09\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\Zune_5C792572E2EB15B00F2D4CE98DE51A7BE4520011\Zune.inf
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL
Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"
Zune --> MsiExec.exe /X{ED55BFEF-90F3-4926-9536-D94FDBBF65DC}


-- Application Event Log -------------------------------------------------------

Event Record #/Type732 / Error
Event Submitted/Written: 01/29/2008 08:20:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.3243, fault address 0x0006b278.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type729 / Error
Event Submitted/Written: 01/29/2008 07:02:27 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application NewPatcher.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type717 / Warning
Event Submitted/Written: 01/28/2008 02:32:16 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{446DBFFA-4088-48E3-8932-74316BA4CAE4}', feature 'iTunes' failed during request for component '{E8A1D3E2-F5D3-4B24-AB93-52F7E602A235}'

Event Record #/Type716 / Warning
Event Submitted/Written: 01/28/2008 02:32:16 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{446DBFFA-4088-48E3-8932-74316BA4CAE4}', feature 'iTunes', component '{C08B990C-B647-4700-8D9D-68E62B841B72}' failed. The resource 'C:\Program Files\iTunes\iTunesHelper.exe' does not exist.

Event Record #/Type697 / Error
Event Submitted/Written: 01/26/2008 10:14:15 AM
Event ID/Source: 1004 / Application Error
Event Description:
Faulting application OPXPApp.exe, version 0.0.0.0, faulting module atsc51.dll, version 6.1.5.0, fault address 0x0000b483.
Error in creating result PEAP-TLV in response to received PEAP-TLV (OPXPApp.exe!ld!)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8313 / Error
Event Submitted/Written: 02/01/2008 05:04:10 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Fips
intelppm
SASDIFSV
SASKUTIL
VET-FILT
VET-REC
VETEFILE
VETMONNT

Event Record #/Type8312 / Error
Event Submitted/Written: 02/01/2008 05:03:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type8288 / Error
Event Submitted/Written: 02/01/2008 03:03:44 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%2

Event Record #/Type8287 / Error
Event Submitted/Written: 02/01/2008 03:03:44 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type8283 / Error
Event Submitted/Written: 01/31/2008 09:46:26 PM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {F81CD990-910B-4BBF-9CB3-6A77F3D697B3}.
The error:
"%%2"
Happened while starting this command:
C:\Program Files\Windows Live\Messenger\msnmsgr.exe -Embedding



-- End of Deckard's System Scanner: finished at 2008-02-01 17:09:58 ------------

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-02-01 17:06:47
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
15: 2008-01-31 00:55:54 UTC - RP845 - System Checkpoint
14: 2008-01-29 05:02:13 UTC - RP844 - System Checkpoint
13: 2008-01-27 18:03:05 UTC - RP843 - Installed SUPERAntiSpyware Free Edition
12: 2008-01-27 04:18:07 UTC - RP842 - System Checkpoint
11: 2008-01-24 22:48:19 UTC - RP841 - System Checkpoint


-- First Restore Point --
1: 2008-01-13 00:10:56 UTC - RP831 - Removed Kazaa 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:51 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www3.ca.com/v...p...rats.A&ad=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {0012BF4C-48F4-43D9-8AC6-0B779555350B} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {1a15ef80-c9b7-009b-4c84-e54af647283b} - {b382746f-a45e-48c4-b900-7b9c08fe51a1} - C:\WINDOWS\system32\ayytscmw.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [6c44b7af] rundll32.exe "C:\WINDOWS\system32\jdnsrxhw.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: AutoTBar.exe
O4 - Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...23.9/ttinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: urqppno - urqppno.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\pwgcxdgx.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5186 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080113-121641-723 F3 - REG:win.ini: load=C:\WINDOWS\system32\geeba.exe
backup-20080113-122801-713 F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
backup-20080113-122906-127 O4 - HKLM\..\Run: [6c44b7af] rundll32.exe "C:\WINDOWS\system32\wiwptlke.dll",b
backup-20080113-123023-735 O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm028YYUS
backup-20080113-123112-894 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
backup-20080113-145355-911 F3 - REG:win.ini: load=C:\WINDOWS\system32\geeba.exe
backup-20080113-145404-437 F3 - REG:win.ini: load=C:\WINDOWS\system32\geeba.exe

-- File Associations -----------------------------------------------------------

.js - unable to read key
.js - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
S2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys (file missing)
S3 dump_wmimmc - c:\program files\9dragons\gameguard\dump_wmimmc.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 NAVAP - c:\program files\navnt\navap.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 DomainService - c:\windows\system32\pwgcxdgx.exe /service
S4 Intel File Transfer - c:\windows\system32\cba\xfr.exe <Not Verified; Intel® Corporation; Intel Common Base Agent>
S4 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; Intel® Corporation; Intel Common Base Agent>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-01 16:56:00 410 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-02-01 16:34:03 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-01-23 18:33:00 454 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Yong at 6 33 PM.job
2008-01-03 13:29:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-01 and 2008-02-01 -----------------------------

2008-02-01 17:05:30 0 d-------- C:\Program Files\RogueRemover FREE
2008-01-29 16:05:22 78912 --a------ C:\WINDOWS\system32\ayytscmw.dll
2008-01-29 16:02:18 88640 --a------ C:\WINDOWS\system32\jdnsrxhw.dll
2008-01-29 15:59:11 78912 --a------ C:\WINDOWS\system32\kmxwfdtn.dll
2008-01-29 15:56:41 74304 --a------ C:\WINDOWS\system32\pwgcxdgx.exe
2008-01-27 12:07:37 339456 --a------ C:\WINDOWS\system32\geeba.exe
2008-01-27 11:03:33 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 11:03:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 11:03:09 0 d-------- C:\Documents and Settings\Yong\Application Data\SUPERAntiSpyware.com
2008-01-27 11:02:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 18:54:17 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-26 15:27:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-26 15:20:33 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-01-26 15:20:33 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-26 15:20:33 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-01-26 15:20:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-26 15:20:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-26 15:20:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-26 15:20:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-26 15:20:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-01-26 15:20:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-01-26 15:20:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-01-26 15:20:32 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-26 15:20:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-26 15:20:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-26 15:20:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-26 15:20:32 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-01-26 15:20:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-26 15:20:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-26 15:20:32 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-01-26 15:20:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-26 15:20:31 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-21 19:11:52 0 d-------- C:\Documents and Settings\Yong\Application Data\Sony Corporation
2008-01-21 13:37:56 0 d-------- C:\Documents and Settings\Yong\Application Data\NCH Swift Sound
2008-01-20 20:39:42 0 d-------- C:\Program Files\Netflix
2008-01-20 17:35:47 0 d-------- C:\GWT
2008-01-13 14:50:09 21261 --ahs---- C:\WINDOWS\system32\abeeg.ini2
2008-01-13 14:49:49 335872 -----n--- C:\WINDOWS\system32\geeba.dll
2008-01-13 11:56:13 0 d-------- C:\Program Files\Trend Micro
2008-01-13 10:54:08 218112 --a------ C:\HijackThis.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2008-01-07 06:51:35 1283174 --a------ C:\Install
2008-01-06 15:29:30 0 d-------- C:\Documents and Settings\rachel\Application Data\Sun


-- Find3M Report ---------------------------------------------------------------

2008-01-30 15:23:00 3837 --a------ C:\WINDOWS\viassary-hp.reg
2008-01-30 15:22:23 0 d-------- C:\Program Files\iTunes
2008-01-29 19:10:18 0 d-------- C:\Program Files\9Dragons
2008-01-27 11:02:38 0 d-------- C:\Program Files\Common Files
2008-01-05 22:27:50 0 d-------- C:\Program Files\QuickTime
2007-12-28 23:28:50 0 d-------- C:\Program Files\Zune
2007-12-17 19:18:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-17 19:16:43 0 d-------- C:\Program Files\Sony
2007-12-08 00:23:47 0 d-------- C:\Program Files\Windows Live Toolbar
2007-12-08 00:22:32 0 d-------- C:\Program Files\Windows Live Favorites
2007-12-08 00:19:56 0 d-------- C:\Program Files\Windows Live
2007-12-08 00:18:38 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-06 21:53:10 0 d-------- C:\Program Files\LimeWire
2007-12-01 17:19:44 0 d-------- C:\Program Files\NCH Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0012BF4C-48F4-43D9-8AC6-0B779555350B}]
01/13/2008 02:49 PM 335872 --------- C:\WINDOWS\system32\geeba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b382746f-a45e-48c4-b900-7b9c08fe51a1}]
01/29/2008 04:05 PM 78912 --a------ C:\WINDOWS\system32\ayytscmw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/30/2008 03:22 PM]
"6c44b7af"="C:\WINDOWS\system32\jdnsrxhw.dll" [01/29/2008 04:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" []
"NVIEW"="nview.dll,nViewLoadHook" []

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2/1/2008 5:03:03 PM]
mod_sm.lnk - C:\hp\bin\cloaker.exe [11/7/1999 7:11:14 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 03:50 AM 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqppno]
urqppno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeba

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.lnk
backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
C:\WINDOWS\System32\mxxrzselryj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Enh Win Updt]
C:\WINDOWS\enhupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"c:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]
C:\WINDOWS\System32\q6spmbql.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
"C:\Program Files\Registry Cleaner\RegClean.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"PGPsdkServ"=2 (0x2)
"omniserv"=2 (0x2)
"NVSvc"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel File Transfer"=2 (0x2)
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-02-01 17:09:58 ------------
  • 0

#6
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi paul_r_jacobs ,

Presumably, the PC is still only starting in Safe Mode. This isn't the best for HijackThis, but does work well with deletions etc.

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O2 - BHO: (no name) - {0012BF4C-48F4-43D9-8AC6-0B779555350B} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: {1a15ef80-c9b7-009b-4c84-e54af647283b} - {b382746f-a45e-48c4-b900-7b9c08fe51a1} - C:\WINDOWS\system32\ayytscmw.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [6c44b7af] rundll32.exe "C:\WINDOWS\system32\jdnsrxhw.dll",b
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: AutoTBar.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O20 - Winlogon Notify: urqppno - urqppno.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\pwgcxdgx.exe

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.



Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0012BF4C-48F4-43D9-8AC6-0B779555350B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b382746f-a45e-48c4-b900-7b9c08fe51a1}]
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop DomainService
sc delete DomainService
exit


Double click FixServices.bat. A window will open and close. This is normal.


I see you have Kazaa 3.0 & LimeWire installed on your system.
While these programs themselves are legal, most of the files downloaded with them, are not.
These programs can also be some of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files.
I highly recommend uninstalling Kazaa 3.0 & LimeWire as outlined below.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    J2SE Runtime Environment 5.0 Update 11
    Java 2 Runtime Environment, SE v1.4.1_02
    Java Web Start
    Kazaa 3.0
    LimeWire 4.12.14
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)

    Please take note of any other programs that you don't recognise in that list, and include them in your next response.
  • Using Windows Explorer, (to get there right-click your Start button and go to "Explore"), delete these folders, (if present):
    C:\Program Files\mcafee.com
  • Delete these files, (if present):
    C:\WINDOWS\system32\ayytscmw.dll
    C:\WINDOWS\system32\jdnsrxhw.dll
    C:\WINDOWS\system32\kmxwfdtn.dll
    C:\WINDOWS\system32\pwgcxdgx.exe
    C:\WINDOWS\system32\geeba.exe
    C:\WINDOWS\system32\gvuvhieg.exe
    C:\WINDOWS\system32\nnbniter.exe
    C:\WINDOWS\system32\cnuejpie.exe
    C:\WINDOWS\system32\yeevnpun.exe
    C:\WINDOWS\system32\geeba.dll
    C:\WINDOWS\enhupdt.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job


Shut down & reboot normally, if possible:

If yes:
Please download the following & save to your Desktop:
ComboFix

Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Log file will be C:\Combofix.txt

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



If you cannot restart, except in Safe Mode, please try to do the Combofix scan.
You may have to download it on another PC and copy the file to your Desktop with a USB stick or similar.

Otherwise do the following:
Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
Please include a note to tell me how you went with the deletions etc, & how your PC is running now.

Cheers,

sage5
  • 0
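The entries sage5 picked out above share a few traits that are visible in the log text itself: eight-letter random file names in system32, an unnamed BHO, a Run value named with a bare hex token, a Winlogon Notify DLL that no longer exists on disk, a service with no publisher, and an extra name in the LSA "Authentication Packages" value. The script below is an added example, not anything from this thread, from HijackThis or from Deckard's System Scanner. It encodes those traits as screening checks and runs them over lines copied from the logs posted above, and it also decodes the hex(7) value in the Fixreg.reg so the reader can confirm for themselves that the merge restores the stock msv1_0 package. The function names (flag_line, triage, lsa_packages_ok, decode_reg_multi_sz) are this example's own.

```python
"""Screening heuristics for HijackThis / DSS log lines (added example).

Not the thread's own content and not HijackThis code: it encodes, as checks,
the reasoning behind the entries picked for fixing in the post above. All
function names here are this example's own; the sample lines are copied from
the logs posted in the thread.
"""
import re

# Eight lowercase letters in system32: the naming pattern of ayytscmw.dll,
# jdnsrxhw.dll and pwgcxdgx.exe in the log. Coarse on purpose: userinit.exe
# also matches, so a hit is a reason to look, not a verdict.
RANDOM_SYS32 = re.compile(r"(?i:\\system32\\)([a-z]{8})\.(?i:dll|exe)\b")
# Run value whose name is a bare hex token, like [6c44b7af]
HEX_RUN_NAME = re.compile(r"\[[0-9a-f]{8}\]")
# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
HJT_ENTRY = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")


def flag_line(line: str) -> list[str]:
    """Return the reasons a HijackThis line deserves a second look (empty if none)."""
    reasons = []
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return reasons
    section, body = m.groups()
    if RANDOM_SYS32.search(body):
        reasons.append("random 8-letter filename in system32")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO")
    if section in ("O2", "O3") and body.endswith("(no file)"):
        reasons.append("orphaned entry, file gone")
    if section == "O4" and HEX_RUN_NAME.search(body):
        reasons.append("Run value named with a bare hex token")
    if section == "O20" and "(file missing)" in body:
        reasons.append("Winlogon Notify DLL missing on disk")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher")
    return reasons


def triage(lines):
    """Map each flagged line to its reasons; clean lines are left out."""
    return {ln: r for ln in lines if (r := flag_line(ln))}


def lsa_packages_ok(dump_line: str) -> bool:
    """Check the LSA 'Authentication Packages' value from a DSS registry dump.

    A stock XP install lists only msv1_0. Every extra name is loaded into
    lsass.exe at boot and sees each logon's credentials, which is why the
    extra system32 entry in the dump above needs the .reg fix.
    """
    m = re.search(r'"Authentication Packages"\s*=\s*(.*)$', dump_line)
    if not m:
        raise ValueError("not an Authentication Packages line")
    return m.group(1).split() == ["msv1_0"]


def decode_reg_multi_sz(hex7: str) -> list[str]:
    """Decode a .reg hex(7) (REG_MULTI_SZ) byte list into its strings,
    so a proposed registry fix can be read before it is merged."""
    tokens = [t for t in re.split(r"[,\s\\]+", hex7.strip()) if t]
    text = bytes(int(t, 16) for t in tokens).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


SAMPLE_LOG = [  # copied from the HijackThis log posted above
    r"O2 - BHO: (no name) - {0012BF4C-48F4-43D9-8AC6-0B779555350B} - C:\WINDOWS\system32\geeba.dll",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: {1a15ef80-c9b7-009b-4c84-e54af647283b} - {b382746f-a45e-48c4-b900-7b9c08fe51a1} - C:\WINDOWS\system32\ayytscmw.dll",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [6c44b7af] rundll32.exe "C:\WINDOWS\system32\jdnsrxhw.dll",b',
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: urqppno - urqppno.dll (file missing)",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\pwgcxdgx.exe",
    r"O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
]
# the LSA line from the DSS registry dump above
LSA_DUMP_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeba'
# the REG_MULTI_SZ bytes from the Fixreg.reg above, continuation line included
FIXREG_HEX7 = "6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n00"

if __name__ == "__main__":
    for ln, reasons in triage(SAMPLE_LOG).items():
        print(f"{ln}\n    -> {', '.join(reasons)}")
    print("LSA packages OK:", lsa_packages_ok(LSA_DUMP_LINE))
    print("Fixreg.reg sets Authentication Packages to:", decode_reg_multi_sz(FIXREG_HEX7))
```

Run as-is, it flags six of the ten sample lines (the same ones sage5 asked to fix, plus the orphaned toolbar entry), reports the LSA value as not OK, and prints `['msv1_0']` for the .reg payload. The eight-letter rule is deliberately loose; it is a screening aid for a human reviewing the log, not an automatic cleaner.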

#7
paul_r_jacobs

    Member

  • Topic Starter
  • Member
  • 12 posts
I couldn't delete Kazaa. It's hard to get a sense for whether I'm still infected because the windows come up quasi randomly. So far so good though.

I have a question: why did you have me delete the Java stuff?

And again, thanks a ton.

Latest logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:57 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...23.9/ttinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: urqppno - urqppno.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 4574 bytes



ComboFix 08-02.03.1 - Yong 2008-02-02 17:56:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.135 [GMT -7:00]
Running from: C:\Documents and Settings\Yong\Local Settings\Temporary Internet Files\Content.IE5\WHAB49M7\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dfebgeeb.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\jpsisgkw.dll
C:\WINDOWS\system32\nsqaqghg.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\rachel\Application Data\FunWebProducts
C:\Documents and Settings\rachel\Application Data\FunWebProducts\Data\rachel\avatar.dat
C:\Documents and Settings\rachel\Application Data\FunWebProducts\Data\rachel\zbucks.dat
C:\Documents and Settings\Yong\Application Data\FunWebProducts
C:\Documents and Settings\Yong\Application Data\FunWebProducts\Data\Yong\avatar.dat
C:\Documents and Settings\Yong\Application Data\FunWebProducts\Data\Yong\register.dat
C:\Documents and Settings\Yong\Application Data\FunWebProducts\Data\Yong\zbucks.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\000A17EC.dat
C:\Program Files\FunWebProducts\Shared\00DE73A1.dat
C:\Program Files\FunWebProducts\Shared\014EC971.dat
C:\Program Files\FunWebProducts\Shared\02335030.dat
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml.backup
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\caepbiqw.ini
C:\WINDOWS\system32\dfebgeeb.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.exe
C:\WINDOWS\system32\ghgqaqsn.ini
C:\WINDOWS\system32\ivaebjoh.ini
C:\WINDOWS\system32\jmdvgjro.ini
C:\WINDOWS\system32\jpsisgkw.dll
C:\WINDOWS\system32\lcntgpbi.ini
C:\WINDOWS\system32\mvqkifnx.ini
C:\WINDOWS\system32\nsqaqghg.dll
C:\WINDOWS\system32\qfqondgk.ini
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\whxrsndj.ini
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://store.zune.net
.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-01 17:06 . 2008-02-01 17:06 <DIR> d-------- C:\Deckard
2008-02-01 17:05 . 2008-02-01 17:05 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-27 11:03 . 2008-02-02 18:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 11:03 . 2008-01-27 11:03 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\SUPERAntiSpyware.com
2008-01-27 11:03 . 2008-01-27 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 11:02 . 2008-01-27 11:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 18:54 . 2008-01-26 18:54 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-26 15:20 . 2003-08-23 07:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-26 15:20 . 2003-08-28 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-26 15:20 . 2003-08-23 07:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-26 15:20 . 2003-08-23 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-26 15:20 . 2003-08-28 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-01-21 19:11 . 2008-01-21 19:11 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\Sony Corporation
2008-01-21 13:37 . 2008-01-21 13:37 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\NCH Swift Sound
2008-01-20 20:39 . 2008-01-20 20:39 <DIR> d-------- C:\Program Files\Netflix
2008-01-20 17:35 . 2008-01-20 17:40 <DIR> d-------- C:\GWT
2008-01-13 11:56 . 2008-01-13 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 10:54 . 2008-01-13 10:54 218,112 --a------ C:\HijackThis.exe
2008-01-07 06:51 . 2008-01-07 06:52 1,283,174 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 00:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 00:37 --------- d-----w C:\Program Files\LimeWire
2008-02-02 18:58 --------- d-----w C:\Program Files\9Dragons
2008-01-30 22:23 3,837 ----a-w C:\WINDOWS\viassary-hp.reg
2008-01-30 22:22 --------- d-----w C:\Program Files\iTunes
2008-01-11 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-06 05:27 --------- d-----w C:\Program Files\QuickTime
2007-12-29 06:28 --------- d-----w C:\Program Files\Zune
2007-12-18 02:16 --------- d-----w C:\Program Files\Sony
2007-12-08 07:23 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-08 07:22 --------- d-----w C:\Program Files\Windows Live Favorites
2007-12-08 07:19 --------- d-----w C:\Program Files\Windows Live
2007-12-08 07:18 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2005-04-22 23:47 56 --sh--r C:\WINDOWS\system32\7719CA927B.sys
.
<pre>
----a-w			40,048 2007-12-29 06:29:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   230,928 2007-12-29 06:29:39  C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID .exe
----a-w		   177,416 2007-12-29 06:29:37  C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
----a-w		 2,321,600 2008-01-27 02:04:40  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w		   185,896 2007-12-29 06:29:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			24,576 2007-12-29 06:29:48  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
----a-w		   256,576 2008-01-30 22:22:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 1,700,832 2007-12-24 02:30:06  C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe
----a-w		   214,560 2008-01-25 00:29:39  C:\Program Files\Real\RealOne Player\realplay .exe
----a-w		 1,318,912 2008-02-03 00:52:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w			21,464 2007-12-29 06:29:24  C:\Program Files\Zune\ZuneLauncher .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-30 15:22 687616]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2008-02-02 17:47:54 392704]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqppno]
urqppno.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.lnk
backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
C:\WINDOWS\System32\mxxrzselryj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2003-06-18 19:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 07:23 90112 c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Enh Win Updt]
C:\WINDOWS\enhupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 15:51 118784 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
c:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-23 02:55 483328 C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-05-23 03:03 49152 c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 15:55 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 20:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-05-02 23:19 4640768 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-05-02 23:19 835654 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-05-02 23:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 16:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]
C:\WINDOWS\System32\q6spmbql.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a------ 2003-03-07 05:01 77887 c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner\RegClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"PGPsdkServ"=2 (0x2)
"omniserv"=2 (0x2)
"NVSvc"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel File Transfer"=2 (0x2)
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)

S3 dump_wmimmc;dump_wmimmc;C:\Program Files\9Dragons\GameGuard\dump_wmimmc.sys []
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-28 20:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 20:29:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-24 01:33:00 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Yong at 6 33 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-02-03 01:34:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 18:38:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [11628]
? [11776]
? [11580]
? [39232]
? [11840]
? [12056]
? [11904]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-02 18:46:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 01:46:41
.
2008-01-09 04:59:55 --- E O F ---
  • 0
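The log above is the raw material for the clean-up that follows: the helper's next instructions remove exactly the entries that stand out in its "Reg Loading Points" section (a Winlogon\Notify entry carrying only a bare DLL name, and two startupreg entries pointing at random-looking executables ComboFix could not describe). As an added example, not part of the original thread and not ComboFix's own code, the following Python script does that first triage pass mechanically over the layout seen in the log: it flags Run values printed with an empty "[ ]" (the path could not be found), Notify entries with no path/date/size, and msconfig startupreg entries without an attribute line, then attaches a crude "looks machine-generated" name heuristic. SAMPLE_LOG is a constructed excerpt in the same layout; the regexes and the vowel-ratio threshold are my assumptions about the format, not anything ComboFix documents.

```python
"""Triage pass over a ComboFix "Reg Loading Points" section.

Added example; not part of the original thread and not ComboFix's own code.
It only knows the text layout visible in the log above (assumed format):
  [registry key]
  one or more value lines, blank line between blocks
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the same layout as the log above (not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-30 15:22 687616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqppno]
urqppno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
C:\WINDOWS\System32\mxxrzselryj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
"""

# "attrs date time size path": the line ComboFix prints when it could stat the file.
ATTR_LINE = re.compile(r"^[-a-z]{9}\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+\S")
# "name"="path" [stat]  where stat is blank when the file was not found.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stat>[^\]]*)\]$')
# Healthy notify entry: full path, date, time, size, then the path again.
NOTIFY_OK = re.compile(r"^[a-z]:\\.+?\.dll\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+", re.I)


@dataclass(frozen=True)
class Finding:
    key: str           # registry key the entry lives under
    target: str        # file the entry points at, as printed in the log
    reason: str
    random_name: bool  # crude "looks machine-generated" heuristic


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def looks_random(path, max_vowel_ratio=0.2):
    """Assumed heuristic: a stem of 7+ letters/digits with almost no vowels
    (mxxrzselryj, q6spmbql) deserves a second look. Not a verdict on its own."""
    stem = basename(path).rsplit(".", 1)[0].lower()
    if len(stem) < 7 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) <= max_vowel_ratio


def parse_blocks(text):
    """Yield (key, [value lines]) for each '[key]' block in the section."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in chunk.splitlines() if ln.strip()]
        if lines and lines[0].startswith("[") and lines[0].endswith("]"):
            yield lines[0][1:-1], lines[1:]


def triage(text):
    """Return the entries a responder should look at first, in log order."""
    findings = []
    for key, values in parse_blocks(text):
        lkey = key.lower()
        if lkey.endswith("\\currentversion\\run"):
            for v in values:
                m = RUN_VALUE.match(v)
                if m and not m.group("stat").strip():
                    findings.append(Finding(key, m.group("path"),
                                            "Run value points at a file ComboFix could not find",
                                            looks_random(m.group("path"))))
        elif "\\winlogon\\notify\\" in lkey:
            for v in values:
                if not NOTIFY_OK.match(v):
                    findings.append(Finding(key, v,
                                            "Winlogon notify DLL with no path/date/size (orphaned or hidden)",
                                            looks_random(v)))
        elif "\\msconfig\\startupreg\\" in lkey:
            for v in values:
                if not ATTR_LINE.match(v):
                    findings.append(Finding(key, v,
                                            "disabled startup entry whose file ComboFix could not describe",
                                            looks_random(v)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = " [random-looking name]" if f.random_name else ""
        print(f"{basename(f.key)}: {f.target}: {f.reason}{flag}")
```

On the excerpt this reports swg (missing file), urqppno.dll (bare notify DLL) and mxxrzselryj.exe (undescribed, random-looking), which is the same set the helper asks to remove below; entries such as AlcxMonitor and OPXPGina, which carry a full attribute line, are left alone.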

#8
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi paul_r_jacobs ,

That's looking a whole lot better now.


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O20 - Winlogon Notify: urqppno - urqppno.dll (file missing)
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Create a ComboFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\System32\mxxrzselryj.exe
C:\WINDOWS\System32\q6spmbql.exe
C:\WINDOWS\system32\7719CA927B.sys
C:\WINDOWS\viassary-hp.reg

Folder::
C:\Program Files\LimeWire

RENV::
<pre>
----a-w            40,048 2007-12-29 06:29:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           230,928 2007-12-29 06:29:39  C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID .exe
----a-w           177,416 2007-12-29 06:29:37  C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe
----a-w         2,321,600 2008-01-27 02:04:40  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w           185,896 2007-12-29 06:29:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            24,576 2007-12-29 06:29:48  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
----a-w           256,576 2008-01-30 22:22:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w         1,700,832 2007-12-24 02:30:06  C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe
----a-w           214,560 2008-01-25 00:29:39  C:\Program Files\Real\RealOne Player\realplay .exe
----a-w         1,318,912 2008-02-03 00:52:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w            21,464 2007-12-29 06:29:24  C:\Program Files\Zune\ZuneLauncher .exe
</pre>

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    Posted Image
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A Panda TotalScan log, see below.

All of the files listed in the code box above got renamed by the infection.
Example:
Original Name: "ZuneLauncher.exe"
Name modified by the infection: "ZuneLauncher .exe"

You will need to check if those programs are operational. If not, you will need to uninstall & reinstall the affected programs.
I would be concerned about these first:
CA Internet Security Suite
SUPERAntiSpyware


Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report


Cheers,

sage5
  • 0
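The renaming sage5 describes (ZuneLauncher.exe becoming "ZuneLauncher .exe") is worth handling with a script rather than by hand when the list is as long as the RENV:: block above, and the logs show why the collision case matters: the Run values for SUPERAntiSpyware and PCPOptimize print "[ ]" because the original names are gone, while iTunesHelper.exe is listed with a size (687616) that differs from the renamed copy (256,576), so something else already sits at that original name. The following Python script is an added example, not code from this thread or from ComboFix: it walks a directory tree, finds "<name> .exe"-style executables, restores the original name, and refuses to overwrite anything that already occupies it. The directory layout in demo() is constructed for the example, and the extension set and the "space before the dot" pattern are assumptions drawn from the names in the log.

```python
"""Restore executables that were renamed with a space before the extension.

Added example; not the thread's or ComboFix's code. Finds "<stem> .exe"-style
files (the pattern in the RENV:: block above), works out the original name,
and renames back unless something already occupies the original name.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed set of extensions worth checking; extend as needed.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
# "<stem><one or more spaces><.ext>", e.g. "ZuneLauncher .exe"
RENAMED = re.compile(r"^(?P<stem>\S.*?) +(?P<ext>\.[A-Za-z0-9]+)$")


@dataclass(frozen=True)
class Candidate:
    current: str     # path as found on disk
    restored: str    # path it should have
    collision: bool  # True if `restored` already exists: never overwrite it


def find_renamed(root):
    """Walk root and return renamed-executable candidates sorted by path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = RENAMED.match(name)
            if not m or m.group("ext").lower() not in EXEC_EXTS:
                continue
            current = os.path.join(dirpath, name)
            restored = os.path.join(dirpath, m.group("stem") + m.group("ext"))
            found.append(Candidate(current, restored, os.path.exists(restored)))
    return sorted(found, key=lambda c: c.current)


def restore(root, dry_run=True):
    """Rename candidates back. Collisions are skipped, never overwritten,
    because whatever sits at the original name is what needs examining.
    Returns (renamed, skipped)."""
    renamed, skipped = [], []
    for c in find_renamed(root):
        if c.collision:
            skipped.append(c)
            continue
        if not dry_run:
            os.rename(c.current, c.restored)
        renamed.append(c)
    return renamed, skipped


def demo():
    """Constructed sample tree in a temp dir; runs a real (non-dry-run) restore."""
    layout = [
        ("Zune", "ZuneLauncher .exe"),        # renamed by the infection
        ("RealOne Player", "realplay .exe"),  # renamed by the infection
        ("Helper", "helper .exe"),            # renamed ...
        ("Helper", "helper.exe"),             # ... but the original name is taken: collision
        ("Docs", "readme .txt"),              # not an executable: ignored
    ]
    with tempfile.TemporaryDirectory() as base:
        for sub, name in layout:
            os.makedirs(os.path.join(base, sub), exist_ok=True)
            with open(os.path.join(base, sub, name), "wb") as fh:
                fh.write(b"MZ")  # placeholder bytes, not a real PE

        def rel(path):
            return os.path.relpath(path, base).replace(os.sep, "/")

        found = [rel(c.current) for c in find_renamed(base)]
        renamed, skipped = restore(base, dry_run=False)
        return {
            "found": found,
            "renamed": [rel(c.restored) for c in renamed],
            "skipped": [rel(c.current) for c in skipped],
            "still_renamed": [rel(c.current) for c in find_renamed(base)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run restore() with dry_run=True first against C:\Program Files and read the skipped list before touching anything: a skipped entry means both "name .exe" and "name.exe" exist side by side, and the one at the original name is the file to scan, not the one to delete blindly.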

#9
paul_r_jacobs

paul_r_jacobs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I got an access violation, a memory location read kind of thing when I dropped cfscript. I wasn't sure if I should just continue on...
  • 0

#10
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Retry to drop the CFScript file just in case it was an isolated incident.
If that won't work push on with the TotalScan.

Cheers,

sage5

  • 0


#11
paul_r_jacobs

paul_r_jacobs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here you go...

ComboFix 08-02.05.3 - Yong 2008-02-08 17:42:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.262 [GMT -7:00]
Running from: C:\Documents and Settings\Yong\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yong\Desktop\cfscript.txt
* Created a new restore point

FILE
File::C:\WINDOWS\System32\mxxrzselryj.exeC:\WINDOWS\System32\q6spmbql.exeC:\WINDOWS\system32\7719CA927B.sysC:\WINDOWS\viassary-hp.regFolder::C:\Program Files\LimeWireRENV::<pre>----a-w 40,048 2007-12-29 06:29:40 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe----a-w 230,928 2007-12-29 06:29:39 C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID .exe----a-w 177,416 2007-12-29 06:29:37 C:\Program Files\CA\CA Internet Security Suite\cctray\cctray .exe----a-w 2,321,600 2008-01-27 02:04:40 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe----a-w 185,896 2007-12-29 06:29:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe----a-w 24,576 2007-12-29 06:29:48 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe----a-w 256,576 2008-01-30 22:22:37 C:\Program Files\iTunes\iTunesHelper .exe----a-w 1,700,832 2007-12-24 02:30:06 C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe----a-w 214,560 2008-01-25 00:29:39 C:\Program Files\Real\RealOne Player\realplay .exe----a-w 1,318,912 2008-02-03 00:52:10 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe----a-w 21,464 2007-12-29 06:29:24 C:\Program Files\Zune\ZuneLauncher .exe</pre>Registry::[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-04 17:10 . 2004-08-04 00:56 388,608 --a------ C:\kmd.exe
2008-02-04 17:07 . 2008-02-04 17:07 <DIR> d-------- C:\Program Files\Panda Security
2008-02-03 11:24 . 2008-02-03 11:24 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-01 17:06 . 2008-02-01 17:06 <DIR> d-------- C:\Deckard
2008-02-01 17:05 . 2008-02-01 17:05 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-27 11:03 . 2008-02-04 17:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 11:03 . 2008-02-04 17:08 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\SUPERAntiSpyware.com
2008-01-27 11:03 . 2008-01-27 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-26 18:54 . 2008-01-26 18:54 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-26 15:20 . 2003-08-23 07:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-26 15:20 . 2003-08-28 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-26 15:20 . 2003-08-23 07:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-26 15:20 . 2003-08-23 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-26 15:20 . 2003-08-28 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-01-21 19:11 . 2008-01-21 19:11 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\Sony Corporation
2008-01-21 13:37 . 2008-01-21 13:37 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\NCH Swift Sound
2008-01-20 20:39 . 2008-01-20 20:39 <DIR> d-------- C:\Program Files\Netflix
2008-01-20 17:35 . 2008-01-20 17:40 <DIR> d-------- C:\GWT
2008-01-13 11:56 . 2008-01-13 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 10:54 . 2008-01-13 10:54 218,112 --a------ C:\HijackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 23:13 3,837 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-06 00:30 --------- d-----w C:\Program Files\iTunes
2008-02-03 00:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 00:37 --------- d-----w C:\Program Files\LimeWire
2008-02-02 18:58 --------- d-----w C:\Program Files\9Dragons
2008-01-11 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-06 05:27 --------- d-----w C:\Program Files\QuickTime
2007-12-18 02:16 --------- d-----w C:\Program Files\Sony
2005-04-22 23:47 56 --sh--r C:\WINDOWS\system32\7719CA927B.sys
.
<pre>
----a-w			40,048 2007-12-29 06:29:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 2,321,600 2008-01-27 02:04:40  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w		   185,896 2007-12-29 06:29:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			24,576 2007-12-29 06:29:48  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
----a-w		   256,576 2008-01-30 22:22:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 1,700,832 2007-12-24 02:30:06  C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe
----a-w		   214,560 2008-01-25 00:29:39  C:\Program Files\Real\RealOne Player\realplay .exe
----a-w		 1,318,912 2008-02-03 00:52:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.lnk
backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
C:\WINDOWS\System32\mxxrzselryj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2003-06-18 19:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 07:23 90112 c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Enh Win Updt]
C:\WINDOWS\enhupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 15:51 118784 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
c:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-23 02:55 483328 C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-05-23 03:03 49152 c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 15:55 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 20:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-05-02 23:19 4640768 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-05-02 23:19 835654 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-05-02 23:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 16:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]
C:\WINDOWS\System32\q6spmbql.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a------ 2003-03-07 05:01 77887 c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner\RegClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"PGPsdkServ"=2 (0x2)
"omniserv"=2 (0x2)
"NVSvc"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel File Transfer"=2 (0x2)
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)

S3 dump_wmimmc;dump_wmimmc;C:\Program Files\9Dragons\GameGuard\dump_wmimmc.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 20:29:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-09 00:34:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 17:47:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-02-08 17:48:51
ComboFix-quarantined-files.txt 2008-02-09 00:47:57
ComboFix2.txt 2008-02-03 01:46:45
.
2008-01-09 04:59:55 --- E O F ---


;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-02-08 21:29:06
PROTECTIONS: 0
MALWARE: 70
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00013869 adware/cydoor Adware No 0 Yes No c:\windows\cdmxtras
00029228 adware/mediatickets Adware No 1 Yes No c:\windows\mtu.bat
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\altnetdm
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\altnet
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\appid\adm.exe
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\adm.exe
00029420 Adware/MediaTickets Adware No 1 Yes No C:\mtu.exe
00040067 spyware/shopnav Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}
00041904 adware/sidesearch Adware No 0 Yes No c:\documents and settings\yong\application data\lycos
00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\lycos
00047771 Trj/Downloader.RU Virus/Trojan No 0 Yes No C:\Documents and Settings\Yong\o.html
00064489 adware/rxtoolbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}
00101555 Application/KillApp.B HackTools No 0 Yes No C:\hp\bin\KillIt.exe
00112308 Application/Altnet HackTools No 0 No No C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab[asmps.dll]
00112311 Application/BrilliantDigital HackTools No 0 No No C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab[asm.exe]
00114039 Adware/MediaTickets Adware No 1 No No C:\mtu.exe[mtu.bat]
00136475 Application/Altnet HackTools No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@casalemedia[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
00145427 Cookie/Kazaa Networks TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@bfast[1].txt
00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bfast[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@fastclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@fastclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@mediaplex[2].txt
00145770 Cookie/CentrPort TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@centrport[2].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\[email protected][1].txt
00147020 Cookie/Lop TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mp3search[2].txt
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@maxserving[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@com[2].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\[email protected][1].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\[email protected][1].txt
00167681 Cookie/Dbbsrv TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@dbbsrv[1].txt
00167681 Cookie/Dbbsrv TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@dbbsrv[1].txt
00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tickle[2].txt
00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@tickle[1].txt
00167726 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@tickle[1].txt
00167790 Cookie/Qsrch TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@qsrch[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\[email protected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\[email protected][2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@apmebf[2].txt
00168069 Cookie/Bilbo.counted TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@burstnet[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\[email protected][1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00168108 Cookie/Tickle TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\[email protected][1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\[email protected][1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\[email protected][1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\yong@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@cgi-bin[4].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@bluestreak[2].txt
00173545 Cookie/Rn11 TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@rn11[2].txt
00179360 Adware/MediaTickets Adware No 1 Yes No C:\WINDOWS\KS.EXE
00179360 Adware/MediaTickets Adware No 1 No No C:\mtu.exe[KS.EXE]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@adrevolver[1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bravenet[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@go[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\rachel\Cookies\rachel@go[2].txt
00198936 Cookie/SAHAgent TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\[email protected][1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Yong\Cookies\yong@target[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@target[2].txt
00261257 Adware/Comet Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\Screensavers.com\Installer\bin\siuninst.exe.vir
00261257 Adware/Comet Adware No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP850\A0246497.exe
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[8].txt
00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[5].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-2751856680-1612408957-2638209308-1007\Dc85\[email protected][1].txt
00773139 Adware/BlazeFind Adware No 0 Yes No C:\WINDOWS\system32\axuninstall.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP850\A0246495.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP856\A0247007.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP850\A0246593.EXE
01217101 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\ftpupd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP850\A0246623.com
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Yong\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP853\A0246946.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP851\A0246843.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP856\A0247026.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP851\A0246816.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Yong\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
02884499 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\UHYZ05OP\gamadril20071203[1]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP850\A0246591.sys
02887492 Adware/InternetSpeedMonitor Adware No 0 No No C:\Documents and Settings\Alex\Local Settings\Temp\ismtpa8.exe[QdrPack11.exe]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Cookies\alex@advancedcleaner[2].txt
02887736 Adware/Yazzle Adware No 0 Yes No C:\Documents and Settings\Alex\Local Settings\Temp\TMP33.tmp
02887736 Adware/Yazzle Adware No 0 Yes No C:\Documents and Settings\Alex\Local Settings\Temp\TMP56.tmp
02888154 Adware/Adband Adware No 0 No No C:\Documents and Settings\Alex\Local Settings\Temp\D5.tmp[ism.exe]
02888796 Trj/Downloader.RUZ Virus/Trojan No 1 Yes No C:\Documents and Settings\Alex\Local Settings\Temp\ismtpa8.exe
02888797 Adware/InternetSpeedMonitor Adware No 0 No No C:\Documents and Settings\Alex\Local Settings\Temp\D5.tmp[QdrModule11.exe]
02888797 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\Documents and Settings\Alex\Local Settings\Temp\TMP12.tmp
02888798 Adware/Adband Adware No 0 Yes No C:\Documents and Settings\Alex\Local Settings\Temp\D5.tmp
02888799 Adware/InternetSpeedMonitor Adware No 0 No No C:\Documents and Settings\Alex\Local Settings\Temp\D5.tmp[QdrDrive9.dll]
;===============================================================================
SUSPECTS
Location
;===============================================================================
;===============================================================================
  • 0
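As an added example (not part of this thread, and not Panda's or ComboFix's own code), the script below parses rows in the ActiveScan format pasted above and sorts each detection by where it sits, so that copies lying in System Restore points, ComboFix's QooBox quarantine or the Recycle Bin are not mistaken for something still live on the machine. The function names and the location heuristics are this example's own assumptions; the sample rows are constructed from entries in the post, with the banner count set to match the sample rather than the real report's 70.

```python
"""Triage helper for Panda ActiveScan 'MALWARE' rows.

Added example for this thread, not Panda's or ComboFix's code. It parses
rows in the format pasted above and sorts them by where they live, so that
residue in System Restore points, ComboFix's QooBox quarantine or the
Recycle Bin is not mistaken for an active infection. Function names and
the location heuristics are this example's own assumptions.
"""
import re
from collections import Counter
from typing import Optional

# Column order from the report header:
# Id Description Type Active Severity Disinfectable Disinfected Location
# Description may contain spaces ("Cookie/Atlas DMT"), Type never does, so
# anchor on the fixed Yes/No/digit columns that follow Type.
ROW = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) "
    r"(?P<active>Yes|No) (?P<severity>\d+) "
    r"(?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$"
)

# Constructed sample: a handful of rows copied from the report above, with
# the banner count set to match (the real report says MALWARE: 70).
SAMPLE_REPORT = r"""
;*******************************************************************************
ANALYSIS: 2008-02-08 21:29:06
PROTECTIONS: 0
MALWARE: 5
SUSPECTS: 0
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00029228 adware/mediatickets Adware No 1 Yes No c:\windows\mtu.bat
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
01217101 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\ftpupd.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP850\A0246591.sys
00261257 Adware/Comet Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\Screensavers.com\Installer\bin\siuninst.exe.vir
;===============================================================================
SUSPECTS
"""


def parse_report(text: str) -> list:
    """Return one dict per MALWARE row; banner, header and separator lines
    do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def header_count(text: str) -> Optional[int]:
    """The 'MALWARE: N' total from the report banner, for cross-checking."""
    m = re.search(r"^MALWARE: (\d+)$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def classify(location: str) -> str:
    """Where a detection sits. Restore-point, quarantine and Recycle Bin
    hits are inert copies handled by purging those stores, not evidence of
    something still running; everything else is treated as live."""
    loc = location.lower()
    if "\\system volume information\\_restore" in loc:
        return "restore_point"
    if "\\qoobox\\quarantine\\" in loc:
        return "quarantine"
    if "\\recycler\\" in loc:
        return "recycle_bin"
    return "live"


def triage(rows: list) -> dict:
    """Summarise by type and location class, and list the live, non-cookie
    detections that still need a removal step."""
    needs_attention = [
        r for r in rows
        if classify(r["location"]) == "live" and r["type"] != "TrackingCookie"
    ]
    return {
        "by_type": Counter(r["type"] for r in rows),
        "by_place": Counter(classify(r["location"]) for r in rows),
        "active": [r for r in rows if r["active"] == "Yes"],
        "needs_attention": needs_attention,
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    result = triage(rows)
    print(f"parsed {len(rows)} rows, banner says {header_count(SAMPLE_REPORT)}")
    for place, n in sorted(result["by_place"].items()):
        print(f"  {place}: {n}")
    for r in result["needs_attention"]:
        print(f"live: {r['type']:14} {r['desc']:24} {r['location']}")
```

Run against the full report, the `needs_attention` list is the part worth acting on (files such as mtu.bat, ftpupd.exe and KS.EXE in the post), while the many restore-point and cookie rows explain most of the headline count of 70 without indicating anything still executing.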

#12
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi paul_r_jacobs ,

We'll try that with a renamed version of Combofix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots omitted]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    Create a ComboFix Script:
    • Please open Notepad
      • Click Start , then Run
      • Type notepad.exe in the Run Box.
    • Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    C:\WINDOWS\System32\mxxrzselryj.exe
    C:\WINDOWS\System32\q6spmbql.exe
    C:\WINDOWS\system32\7719CA927B.sys
    c:\windows\cdmxtras
    c:\windows\mtu.bat
    C:\mtu.exe
    C:\Documents and Settings\Yong\o.html
    C:\hp\bin\KillIt.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab
    C:\WINDOWS\KS.EXE
    C:\WINDOWS\system32\axuninstall.exe
    C:\WINDOWS\system32\ftpupd.exe
    C:\Documents and Settings\Alex\Local Settings\Temp\ismtpa8.exe
    C:\Documents and Settings\Alex\Local Settings\Temp\TMP33.tmp
    C:\Documents and Settings\Alex\Local Settings\Temp\TMP56.tmp
    C:\Documents and Settings\Alex\Local Settings\Temp\TMP12.tmp
    C:\Documents and Settings\Alex\Local Settings\Temp\D5.tmp

    Folder::
    c:\documents and settings\yong\application data\lycos
    C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\UHYZ05OP\gamadril20071203[1]

    RENV::
    <pre>
    ----a-w            40,048 2007-12-29 06:29:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
    ----a-w         2,321,600 2008-01-27 02:04:40  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
    ----a-w           185,896 2007-12-29 06:29:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w            24,576 2007-12-29 06:29:48  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
    ----a-w           256,576 2008-01-30 22:22:37  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,700,832 2007-12-24 02:30:06  C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe
    ----a-w           214,560 2008-01-25 00:29:39  C:\Program Files\Real\RealOne Player\realplay .exe
    ----a-w         1,318,912 2008-02-03 00:52:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
    </pre>

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]
  • Save the file to your Desktop as CFScript.txt
  • Drag this file onto the Combo-fix.exe
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Cheers,

sage5

Edited by sage5, 10 February 2008 - 07:26 AM.

  • 0

#13
paul_r_jacobs

paul_r_jacobs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here goes:

ComboFix 08-02.05.3 - Yong 2008-02-10 10:37:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.250 [GMT -7:00]
Running from: C:\Documents and Settings\Yong\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Yong\Desktop\cfscript.txt
* Created a new restore point

FILE
File::
C:\WINDOWS\System32\mxxrzselryj.exe
C:\WINDOWS\System32\q6spmbql.exe
C:\WINDOWS\system32\7719CA927B.sys
c:\windows\cdmxtras
c:\windows\mtu.bat
C:\mtu.exe
C:\Documents and Settings\Yong\o.html
C:\hp\bin\KillIt.exe
C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab
C:\WINDOWS\KS.EXE
C:\WINDOWS\system32\axuninstall.exe
C:\WINDOWS\system32\ftpupd.exe
C:\Documents and Settings\Alex\Local Settings\Temp\ismtpa8.exe
C:\Documents and Settings\Alex\Local Settings\Temp\TMP33.tmp
C:\Documents and Settings\Alex\Local Settings\Temp\TMP56.tmp
C:\Documents and Settings\Alex\Local Settings\Temp\TMP12.tmp
C:\Documents and Settings\Alex\Local Settings\Temp\D5.tmp

Folder::
c:\documents and settings\yong\application data\lycos
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\UHYZ05OP\gamadril20071203[1]

RENV::
<pre>
----a-w 40,048 2007-12-29 06:29:40 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 2,321,600 2008-01-27 02:04:40 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 185,896 2007-12-29 06:29:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 24,576 2007-12-29 06:29:48 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
----a-w 256,576 2008-01-30 22:22:37 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,700,832 2007-12-24 02:30:06 C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe
----a-w 214,560 2008-01-25 00:29:39 C:\Program Files\Real\RealOne Player\realplay .exe
----a-w 1,318,912 2008-02-03 00:52:10 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
</pre>

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 10:27 . 2008-02-09 10:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-08 17:41 . 2004-08-04 00:56 388,608 --a------ C:\kmd.exe
2008-02-04 17:07 . 2008-02-04 17:07 <DIR> d-------- C:\Program Files\Panda Security
2008-02-03 11:24 . 2008-02-03 11:24 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-01 17:06 . 2008-02-01 17:06 <DIR> d-------- C:\Deckard
2008-02-01 17:05 . 2008-02-01 17:05 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-27 11:03 . 2008-02-09 10:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 11:03 . 2008-02-09 10:27 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\SUPERAntiSpyware.com
2008-01-27 11:03 . 2008-01-27 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-26 18:54 . 2008-01-26 18:54 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-26 15:20 . 2003-08-23 07:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-26 15:20 . 2003-08-28 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-26 15:20 . 2003-08-23 07:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-26 15:20 . 2003-08-23 20:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-26 15:20 . 2003-08-28 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-01-21 19:11 . 2008-01-21 19:11 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\Sony Corporation
2008-01-21 13:37 . 2008-01-21 13:37 <DIR> d-------- C:\Documents and Settings\Yong\Application Data\NCH Swift Sound
2008-01-20 20:39 . 2008-01-20 20:39 <DIR> d-------- C:\Program Files\Netflix
2008-01-20 17:35 . 2008-01-20 17:40 <DIR> d-------- C:\GWT
2008-01-13 11:56 . 2008-01-13 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 10:54 . 2008-01-13 10:54 218,112 --a------ C:\HijackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 20:36 3,837 ----a-w C:\WINDOWS\viassary-hp.reg
2008-02-06 00:30 --------- d-----w C:\Program Files\iTunes
2008-02-03 00:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 00:37 --------- d-----w C:\Program Files\LimeWire
2008-02-02 18:58 --------- d-----w C:\Program Files\9Dragons
2008-01-11 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-06 05:27 --------- d-----w C:\Program Files\QuickTime
2007-12-18 02:16 --------- d-----w C:\Program Files\Sony
2005-04-22 23:47 56 --sh--r C:\WINDOWS\system32\7719CA927B.sys
.
<pre>
----a-w			40,048 2007-12-29 06:29:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 2,321,600 2008-01-27 02:04:40  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w		   185,896 2007-12-29 06:29:40  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			24,576 2007-12-29 06:29:48  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
----a-w		   256,576 2008-01-30 22:22:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 1,700,832 2007-12-24 02:30:06  C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe
----a-w		   214,560 2008-01-25 00:29:39  C:\Program Files\Real\RealOne Player\realplay .exe
----a-w		 1,318,912 2008-02-03 00:52:10  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.lnk
backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]
C:\WINDOWS\System32\mxxrzselryj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2003-06-18 19:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 07:23 90112 c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Enh Win Updt]
C:\WINDOWS\enhupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 15:51 118784 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
c:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-23 02:55 483328 C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-05-23 03:03 49152 c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 15:55 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 20:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-05-02 23:19 4640768 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-05-02 23:19 835654 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-05-02 23:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 16:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]
C:\WINDOWS\System32\q6spmbql.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a------ 2003-03-07 05:01 77887 c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\Program Files\Registry Cleaner\RegClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"PGPsdkServ"=2 (0x2)
"omniserv"=2 (0x2)
"NVSvc"=2 (0x2)
"Intel PDS"=2 (0x2)
"Intel File Transfer"=2 (0x2)
"MCVSRte"=2 (0x2)
"McShield"=3 (0x3)

S3 dump_wmimmc;dump_wmimmc;C:\Program Files\9Dragons\GameGuard\dump_wmimmc.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 20:29:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-10 17:34:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 10:41:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [60796]
? [60836]
? [61092]

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-02-10 10:43:35
ComboFix-quarantined-files.txt 2008-02-10 17:42:40
ComboFix2.txt 2008-02-09 00:48:52
ComboFix3.txt 2008-02-03 01:46:45
.
2008-01-09 04:59:55 --- E O F ---
  • 0

#14
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi paul_r_jacobs ,


Please download the following & save to your Desktop
RenV.exe by sUBs
OTMoveIt2 by OldTimer.

All of the files listed in the Code box below got renamed by the infection.

Example:
Original Name: "Reader_sl.exe"
Name modified by the infection: "Reader_sl .exe"

Repair the .exe files:
  • Copy the entire contents of the Code Box below to Notepad.
  • Save the file as Log.txt & save to your Desktop
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\PCPitstop\Optimize\PCPOptimize .exe
C:\Program Files\Real\RealOne Player\realplay .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe

Posted Image


Referring to the picture above, drag Log.txt into RenV.exe.
This will re-run the program and create a new report.
Save this file to your Desktop as Log2.txt. I will need you to attach the resulting report to your reply. (see below)


Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3140A6AC]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Enh Win Updt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=-
"McTskshd.exe"=-
"McDetect.exe"=-
"MCVSRte"=-
"McShield"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\altnetdm]

[-HKEY_LOCAL_MACHINE\software\altnet]

[-HKEY_CLASSES_ROOT\appid\adm.exe]

[-HKEY_LOCAL_MACHINE\software\classes\appid\adm.exe]

[-HKEY_LOCAL_MACHINE\software\lycos]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\viassary-hp.reg
    C:\WINDOWS\system32\7719CA927B.sys
    C:\WINDOWS\System32\mxxrzselryj.exe
    C:\WINDOWS\System32\q6spmbql.exe
    C:\WINDOWS\enhupdt.exe
    C:\Program Files\McAfee.com
    c:\windows\cdmxtras
    c:\windows\mtu.bat
    C:\mtu.exe
    c:\documents and settings\yong\application data\lycos
    C:\Documents and Settings\Yong\o.html
    C:\hp\bin\KillIt.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab
    C:\WINDOWS\KS.EXE
    C:\WINDOWS\system32\axuninstall.exe
    C:\WINDOWS\system32\ftpupd.exe
    C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\UHYZ05OP\gamadril20071203[1]
    C:\Documents and Settings\Alex\Local Settings\Temp\ismtpa8.exe
    C:\Documents and Settings\Alex\Local Settings\Temp\TMP33.tmp
    C:\Documents and Settings\Alex\Local Settings\Temp\TMP56.tmp
    C:\Documents and Settings\Alex\Local Settings\Temp\TMP12.tmp
    C:\Documents and Settings\Alex\Local Settings\Temp\D5.tmp
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Please paste me the text from C:\otmove.txt

For the report from the RenV scan, I need you to attach the file instead of pasting the text.
Use the Browse button to locate the Log2.txt file, on your Desktop, then click the Green UPLOAD button to attach the file to your post.

Cheers,

sage5

Edited by sage5, 15 February 2008 - 06:13 AM.

  • 0
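Before merging a fix like the one above, it helps to be able to read what it will do. The following is an added example (it is not code from this thread, and it is not part of RenV, OTMoveIt or ComboFix) that covers two of the steps in sage5's post: the "name .exe" rename pattern that RenV repairs, and the Registry Editor 5.00 file format, where "[-KEY]" deletes a whole key and "name"=- deletes a single value. The path list and the .reg excerpt are constructed copies of the entries above, with one extra "set value" line added so that all three line forms appear; the function names are this example's own.

```python
"""
Added example, not code from the thread or from the RenV/OTMoveIt tools.

1. restore_renamed_exe(): undo the rename pattern the post describes
   ("Reader_sl .exe" -> "Reader_sl.exe", a space inserted before the extension).
2. parse_reg_fix(): list the actions a "Windows Registry Editor Version 5.00"
   file performs, so a fix can be reviewed before it is merged:
     [-KEY]        -> delete the key and everything under it
     "name"=-      -> delete one value under the current key
     "name"=data   -> set (create or overwrite) one value
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: three of the renamed paths listed in the post.
RENAMED_PATHS = [
    r"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe",
    r"C:\Program Files\Common Files\Real\Update_OB\realsched .exe",
    r"C:\Program Files\iTunes\iTunesHelper .exe",
]

# Constructed excerpt of the fix-reg above, plus one set-value line.
REG_FIX = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q6spmbql]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=-
"McShield"=-
"Example"=dword:00000002
"""

# A file name whose stem ends in whitespace immediately before the extension.
_RENAME_RE = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")


def restore_renamed_exe(path: str) -> Optional[str]:
    """Return the original path if `path` shows the rename pattern, else None."""
    folder, _, name = path.rpartition("\\")
    m = _RENAME_RE.match(name)
    if not m:
        return None  # plain "name.exe" (or an unrelated name): nothing to repair
    fixed = m.group("stem") + m.group("ext")
    return f"{folder}\\{fixed}" if folder else fixed


# Value line: "name"=data or @=data (the key's default value).
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))\s*=\s*(?P<data>.*)$')


def parse_reg_fix(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """
    Return (action, key, value_name) tuples for each line of a .reg file:
      ("delete_key", key, None), ("delete_value", key, name), ("set_value", key, name).
    Raises ValueError on a missing header or a value line outside a key section,
    which is the kind of file regedit itself would refuse to import.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    actions: List[Tuple[str, str, Optional[str]]] = []
    current_key: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                actions.append(("delete_key", key[1:], None))
                current_key = None  # value lines cannot follow a key deletion
            else:
                current_key = key
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key is None:
            raise ValueError(f"unexpected line outside a key section: {line!r}")
        name = m.group("name") if m.group("name") is not None else "@"
        action = "delete_value" if m.group("data") == "-" else "set_value"
        actions.append((action, current_key, name))
    return actions


if __name__ == "__main__":
    for p in RENAMED_PATHS:
        print(f"{p}\n  -> {restore_renamed_exe(p)}")
    for action, key, name in parse_reg_fix(REG_FIX):
        print(action, key, name if name is not None else "")
```

Run it as a script and it prints the repaired names followed by one line per registry action; the key deletions in the real fix remove the msconfig "startupreg" entries for the renamed startup items and the McAfee leftovers, while the "=-" lines only remove individual service entries under the "services" key.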

#15
paul_r_jacobs

paul_r_jacobs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok:

RenV never created a log file.
OTMoveIt did show results.

but....

The reboot dialog was modal, so I could reboot, or I would have had to choose not to reboot and then copy the output. I did what the instructions said, which was to reboot.

I made the registry changes.

So given the above I have nothing to attach. Any thoughts...
  • 0
