Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan horse Downloader.Delf.AST [RESOLVED]


  • This topic is locked This topic is locked

#1
ars

ars

    New Member

  • Member
  • Pip
  • 6 posts
Greetings -

I have had AVG virus scan for several months now but a few days ago it came up up with
Trojan horse Downloader.Delf.AST while opening file
C:\WINDOWS\SYSTEM32\atiiiexxn.dll

Normally I will either do a heal or move something like this to the virus vault but this one comes back every
time I open Internet Explorer or sign on to My Computer. I have completed the Malware removal sections
1 thru 4 and as step 5 I am posting this topic here.

The results of the scans are as follows:






Step One:




AVG Anti-Spyware -

There were two of the normal tracing cookies it usually picks up but no reports available at the end of the scan.




SUPERAntiSpyware Home Edition -

SUPERAntiSpyware Scan Log
Generated 01/29/2008 at 02:42 PM

Application Version : 3.6.1000

Core Rules Database Version : 3390
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 03:08:50

Memory items scanned : 464
Memory threats detected : 0
Registry items scanned : 6711
Registry threats detected : 0
File items scanned : 107820
File threats detected : 1

Unclassified.Unknown Origin
C:\WINDOWS\SYSTEM32\DLLCACHE\UNIIME.DLL








Step Two:




Online - Panda Activescan -

Incident Status Location

Virus:Trj/ClassLoader.AH Disinfected C:\Documents and Settings\Rand Schwichtenberg\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-57143c20[BnnnnBaa.class]
Virus:Trj/ClassLoader.AH Disinfected C:\Documents and Settings\Rand Schwichtenberg\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-57143c20[VaannnaaBaa.class]
Virus:Trj/ClassLoader.AH Disinfected C:\Documents and Settings\Rand Schwichtenberg\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-57143c20[Bnnnnn.class]
Adware:Adware/AntivirusPro Not disinfected C:\WINDOWS\SYSTEM32\~.exe







Step Three:




Windows Update shows everything updated.









Step Four:




Rebooted but AVG virus scan stills shows
Trojan horse Downloader.Delf.AST while opening file
C:\WINDOWS\SYSTEM32\atiiiexxn.dll
when I open IE or sign on to My Computer.








Step Five:




I am here requesting assistance in this most annoying matter. Thank you in advance.
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
ars

ars

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you for replying to my post, quite nice of you.

I ran the Deckard's scan and the results are as follows:







Deckard's System Scanner v20071014.68
Run by Rand Schwichtenberg on 2008-01-30 12:17:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-01-30 19:17:09 UTC - RP692 - Deckard's System Scanner Restore Point
3: 2008-01-30 02:13:34 UTC - RP691 - Software Distribution Service 3.0
2: 2008-01-29 18:20:22 UTC - RP690 - Installed SUPERAntiSpyware Free Edition
1: 2008-01-29 05:15:07 UTC - RP689 - 28jan2008


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Rand Schwichtenberg.exe) ---------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:17 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\vz4028.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Documents and Settings\Rand Schwichtenberg\My Documents\scans and photographs\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rand Schwichtenberg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D45E69C-B569-4810-8052-74D685AA8D10} - C:\WINDOWS\system32\atiiiexxn.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [vz4028] C:\WINDOWS\system32\vz4028.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [vz4028] C:\WINDOWS\system32\vz4028.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: http://local.live.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201659029578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://toolbox.webe...bex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 9827 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 eulgsxfz - c:\windows\system32\drivers\yqipijxt.dat
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-26 13:34:59 524 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job


-- Files created between 2007-12-30 and 2008-01-30 -----------------------------

2008-01-29 19:28:21 0 d-------- C:\Program Files\Trend Micro
2008-01-29 17:37:15 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-29 15:41:29 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 11:20:34 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 11:20:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-29 11:20:24 0 d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\SUPERAntiSpyware.com
2008-01-28 16:15:48 0 d-------- C:\WINDOWS\network diagnostic
2008-01-28 16:09:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-26 18:58:42 0 d-------- C:\Program Files\Lavasoft
2008-01-26 18:58:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:57:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 16:49:29 0 d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\School Zone Preferences
2008-01-26 16:49:17 0 d-------- C:\Program Files\sz8031
2008-01-26 13:45:30 0 d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\Lavasoft
2008-01-26 13:34:56 0 d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\AdwareAlert
2008-01-25 21:51:02 1042 --a------ C:\WINDOWS\system32\DGNETi.dll
2008-01-25 21:50:52 15872 --a------ C:\WINDOWS\system32\vz4028.exe
2008-01-25 21:50:49 19584 --a------ C:\WINDOWS\system32\drivers\yqipijxt.dat
2008-01-25 21:50:25 83968 --a------ C:\WINDOWS\system32\atiiiexxn.dll
2008-01-25 21:50:13 21504 --a------ C:\WINDOWS\system32\~.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-30 11:26:20 0 d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\AVG7
2008-01-29 18:27:56 0 d-------- C:\Program Files\Messenger
2008-01-29 18:22:32 0 d-------- C:\Program Files\Google
2008-01-29 18:21:15 0 d-------- C:\Program Files\DellSupport
2008-01-29 17:11:48 560 --a------ C:\Documents and Settings\Rand Schwichtenberg\Application Data\ViewerApp.dat
2008-01-26 21:41:35 0 d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\gtk-2.0
2008-01-26 18:57:41 0 d-------- C:\Program Files\Common Files
2008-01-25 20:37:00 4 --a------ C:\WINDOWS\system32\862C48
2007-12-04 12:34:37 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D45E69C-B569-4810-8052-74D685AA8D10}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 03:00 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 12:01 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/15/2005 08:17 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/15/2005 08:17 AM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [01/17/2006 01:03 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 07:12 PM]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [07/08/2003 03:00 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [10/12/2004 03:54 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 12:05 AM]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [08/25/2004 11:52 AM]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [03/11/2004 01:26 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"NWEReboot"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [12/21/2007 08:54 AM]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [01/17/2006 01:03 PM]
"vz4028"="C:\WINDOWS\system32\vz4028.exe" [11/28/2007 11:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [09/09/2005 01:26 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/13/2007 10:00 AM]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [11/13/2007 02:46 PM]
"vz4028"="C:\WINDOWS\system32\vz4028.exe" [11/28/2007 11:20 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Rand Schwichtenberg\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [4/13/2005 12:07:12 AM]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [4/13/2005 12:07:09 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/11/2004 10:59:36 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-01-30 12:19:36 ------------




















Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 2046.07 MiB / 1415.73 MiB
Pagefile Memory (total/avail): 2659.73 MiB / 2106.35 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.73 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 71.03 GiB total, 17.31 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080M0 - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 71.03 GiB - C:
\PARTITION2 - Unknown - 3.42 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Enabled:Windows Media™ Audio (wma)"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\WINDOWS\\SYSTEM32\\vz4028.exe"="C:\\WINDOWS\\SYSTEM32\\vz4028.exe:*:Disabled:vz4028"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rand Schwichtenberg\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RAND
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rand Schwichtenberg
LOGONSERVER=\\RAND
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\COMMON~1\SONICS~1\;C:\Program Files\Common Files\Sonic Shared;;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\RANDSC~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\RANDSC~1\LOCALS~1\Temp
USERDOMAIN=RAND
USERNAME=Rand Schwichtenberg
USERPROFILE=C:\Documents and Settings\Rand Schwichtenberg
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rand Schwichtenberg (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D1A81AA-ED90-11D6-86D3-00055DF3561E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83021AC3-086F-4B77-ACCD-1BD7C9AB211E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Beginning Sounds --> C:\WINDOWS\unvise32.exe C:\Program Files\sz8031\uninstal.log
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Media Experience Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CDE4CC8B-134B-421E-943C-90799E56F664}\setup.exe" -l0x9 -L0x9 /SMAINT
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
DiscAPI --> MsiExec.exe /X{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\Setup.exe" -l0x9 -UnInstall
EPSON Perf 4180 Guide --> C:\Program Files\epson\guide\perf4180_e\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\setup.exe" -l0x9 Uninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GTK+ 2.10.6-1 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Flash Player --> MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
Nero 7 Ultra Edition --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Picture Package --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
Pinnacle device drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F866D37-22D0-435D-94F1-31A64D566D0E}\setup.exe" -l0x9
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\6.0\uninstal.log
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\setup.exe" -l0x9 UNINSTALL
PowerDVD 5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
proDAD Heroglyph 2.0 --> "C:\Program Files\proDAD\Heroglyph-2.0\uninstall.exe" uninstall spcp PATHVERSION 2.0 MAINNAME Heroglyph
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RAPID --> MsiExec.exe /X{EEECE229-49F6-4851-A73A-99B058221F8C}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\INSTALL.LOG
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Studio 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CB05291-F546-458E-A796-B5BCF5A3CDC4}\Setup.exe" -l0x9 UNINSTALL
Studio 10 Bonus DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A012D9C-2E2E-405A-B87C-E909F5297C3F}\Setup.exe" -l0x9 UNINSTALL
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The GIMP 2.2.13 --> "C:\Program Files\GIMP-2.0\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Earth 3D (Beta) --> MsiExec.exe /I{619B8475-0F48-41B7-A370-5147F7092989}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}


-- Application Event Log -------------------------------------------------------

Event Record #/Type14823 / Warning
Event Submitted/Written: 01/28/2008 04:24:44 PM
Event ID/Source: 40 / WinMgmt
Event Description:
WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_2050727_ASPNETAppsv2050727 for Performance Library ASP.NET_2.0.50727 because error 0x80041001 was returned

Event Record #/Type14822 / Warning
Event Submitted/Written: 01/28/2008 04:24:44 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type14821 / Warning
Event Submitted/Written: 01/28/2008 04:24:43 PM
Event ID/Source: 40 / WinMgmt
Event Description:
WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_ASPNETApplications for Performance Library ASP.NET because error 0x80041001 was returned

Event Record #/Type14820 / Warning
Event Submitted/Written: 01/28/2008 04:24:43 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type14802 / Warning
Event Submitted/Written: 01/28/2008 04:23:19 PM
Event ID/Source: 1020 / ASP.NET 2.0.50727.0
Event Description:
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9472 / Warning
Event Submitted/Written: 01/29/2008 11:36:14 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9471 / Warning
Event Submitted/Written: 01/29/2008 11:20:14 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9305 / Error
Event Submitted/Written: 01/28/2008 11:54:34 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type9304 / Error
Event Submitted/Written: 01/28/2008 10:36:15 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
PCLEPCI
RasAcd
Rdbss
Tcpip

Event Record #/Type9303 / Error
Event Submitted/Written: 01/28/2008 10:36:15 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-01-30 12:19:36 ------------
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\atiiiexxn.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\system32\atiiiexxn.dll

  • Click Open.
  • Click Post.
Thank you!



Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
ars

ars

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Greetings again -


Here are the requested logs:







ComboFix 08-01-31.1 - Rand Schwichtenberg 2008-01-30 15:02:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1538 [GMT -7:00]
Running from: C:\Documents and Settings\Rand Schwichtenberg\My Documents\scans and photographs\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\atiiiexxn.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\atiiiexxn.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\yqipijxt.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_EULGSXFZ
-------\eulgsxfz


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 12:16 . 2008-01-30 12:16 <DIR> d-------- C:\Deckard
2008-01-30 07:18 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-30 07:18 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-29 19:28 . 2008-01-29 19:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 17:37 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-29 17:20 . 2008-01-29 17:20 6,065,664 --a------ C:\WINDOWS\SYSTEM32\1E1.tmp
2008-01-29 15:41 . 2008-01-29 18:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-29 15:41 . 2008-01-29 17:35 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-29 15:41 . 2008-01-29 17:35 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-29 15:41 . 2008-01-29 17:35 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-29 11:20 . 2008-01-29 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-29 11:20 . 2008-01-29 11:20 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\SUPERAntiSpyware.com
2008-01-29 11:20 . 2008-01-29 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-28 16:20 . 2007-10-10 16:55 6,065,664 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-01-28 16:20 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-01-28 16:20 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-01-28 16:20 . 2007-10-10 16:55 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-01-28 16:20 . 2007-10-10 16:55 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-01-28 16:20 . 2007-10-10 16:55 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-01-28 16:20 . 2007-10-10 16:55 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-01-28 16:20 . 2007-10-10 16:55 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-01-28 16:20 . 2007-10-10 03:59 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-01-27 10:44 . 2008-01-27 10:44 14,336 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-01-26 18:58 . 2008-01-26 18:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-26 18:58 . 2008-01-26 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:57 . 2008-01-29 11:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 16:49 . 2008-01-26 17:19 <DIR> d-------- C:\Program Files\sz8031
2008-01-26 16:49 . 2008-01-26 16:49 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\School Zone Preferences
2008-01-26 13:45 . 2008-01-26 13:45 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\Lavasoft
2008-01-26 13:34 . 2008-01-26 13:35 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\AdwareAlert
2008-01-25 21:51 . 2004-08-04 04:00 1,042 --a------ C:\WINDOWS\SYSTEM32\DGNETi.dll
2008-01-25 21:50 . 2007-11-28 23:20 15,872 --a------ C:\WINDOWS\SYSTEM32\vz4028.exe
2008-01-25 19:58 . 2008-01-25 19:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-25 19:58 . 2008-01-25 19:58 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-24 12:31 . 2007-12-24 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 22:08 --------- d-----w C:\Documents and Settings\Rand Schwichtenberg\Application Data\AVG7
2008-01-30 01:22 --------- d-----w C:\Program Files\Google
2008-01-30 01:21 --------- d-----w C:\Program Files\DellSupport
2008-01-30 00:11 560 ----a-w C:\Documents and Settings\Rand Schwichtenberg\Application Data\ViewerApp.dat
2008-01-27 04:41 --------- d-----w C:\Documents and Settings\Rand Schwichtenberg\Application Data\gtk-2.0
2007-12-04 19:34 --------- d-----w C:\Program Files\Java
2007-11-29 06:22 --------- d-----w C:\Program Files\Rhapsody
2007-01-19 07:24 28,672 ----a-w C:\Documents and Settings\Rand Schwichtenberg\atwbxdet.dll
2005-05-01 20:32 0 ----a-w C:\Program Files\MCASVCHOST.EXE
2006-03-05 23:11 330,259 --sh--w C:\WINDOWS\SYSTEM32\srutv.bak1
2006-03-06 21:55 330,848 --sh--w C:\WINDOWS\SYSTEM32\srutv.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-09 13:26 94208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 10:00 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 14:46 135168]
"vz4028"="C:\WINDOWS\system32\vz4028.exe" [2007-11-28 23:20 15872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00 99840]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-15 08:17 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-15 08:17 98304]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03 135168]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00 99840]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2004-08-25 11:52 339968]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NWEReboot"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 08:54 579072]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"vz4028"="C:\WINDOWS\system32\vz4028.exe" [2007-11-28 23:20 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 11:50 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-04-13 00:07:12 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-04-13 00:07:09 106496]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 10:59:36 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 BENDER;Pinnacle AV/DV2 Capture;C:\WINDOWS\system32\drivers\bender.sys [2005-08-22 15:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 20:34:59 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 15:08:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\vz4028.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
.
**************************************************************************
.
Completion time: 2008-01-31 15:14:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 22:14:44
.
2008-01-09 19:22:29 --- E O F ---




















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:29 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\vz4028.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [vz4028] C:\WINDOWS\system32\vz4028.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [vz4028] C:\WINDOWS\system32\vz4028.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: http://local.live.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201659029578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://toolbox.webe...bex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 9631 bytes











I did notice that the AVG virus message is not coming up when I pull up IE or My Computer now,
that is a really good sign... That file C:\WINDOWS\system32\atiiiexxn.dll shows twice in the
'other deletions' section of the Combo fix log, I wonder how they were able to get rid of it. I also just
pulled up the C drive, C:\WINDOWS\system32\atiiiexxn.dll used to be right next to
C:\WINDOWS\system32\atiiiexx.dll. C:\WINDOWS\system32\atiiiexx.dll is still there, but no
C:\WINDOWS\system32\atiiiexxn.dll. File search pulls up for C:\WINDOWS\system32\atiiiexx.dll but
no C:\WINDOWS\system32\atiiiexxn.dll.

Edited by ars, 30 January 2008 - 04:58 PM.

  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\vz4028.exe
C:\WINDOWS\SYSTEM32\srutv.bak1
C:\WINDOWS\SYSTEM32\srutv.bak2


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
  • 0

#7
ars

ars

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello again -

I did not quite understand the part about referring to the picture but as soon as I
dragged the CFScript.txt into the ComboFix.exe icon it produced the following log,
hope this is what you are looking for. I lost Internet Explorer access after it
produced the log but rebooted and it is working again. Thanks.










ComboFix 08-01-31.1 - Rand Schwichtenberg 2008-01-31 21:32:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1448 [GMT -7:00]
Running from: C:\Documents and Settings\Rand Schwichtenberg\My Documents\A-Z Main file\Computer\Support\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rand Schwichtenberg\My Documents\A-Z Main file\Computer\Support\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\SYSTEM32\srutv.bak1
C:\WINDOWS\SYSTEM32\srutv.bak2
C:\WINDOWS\SYSTEM32\vz4028.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\srutv.bak1
C:\WINDOWS\SYSTEM32\srutv.bak2
C:\WINDOWS\SYSTEM32\vz4028.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 12:16 . 2008-01-30 12:16 <DIR> d-------- C:\Deckard
2008-01-30 07:18 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-30 07:18 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-29 19:28 . 2008-01-29 19:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 17:37 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-29 17:20 . 2008-01-29 17:20 6,065,664 --a------ C:\WINDOWS\SYSTEM32\1E1.tmp
2008-01-29 15:41 . 2008-01-29 18:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-29 15:41 . 2008-01-29 17:35 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-29 15:41 . 2008-01-29 17:35 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-29 15:41 . 2008-01-29 17:35 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-29 11:20 . 2008-01-29 18:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-29 11:20 . 2008-01-29 11:20 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\SUPERAntiSpyware.com
2008-01-29 11:20 . 2008-01-29 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-28 16:20 . 2007-10-10 16:55 6,065,664 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-01-28 16:20 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-01-28 16:20 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-01-28 16:20 . 2007-10-10 16:55 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-01-28 16:20 . 2007-10-10 16:55 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-01-28 16:20 . 2007-10-10 16:55 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-01-28 16:20 . 2007-10-10 16:55 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-01-28 16:20 . 2007-10-10 16:55 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-01-28 16:20 . 2007-10-10 03:59 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-01-27 10:44 . 2008-01-27 10:44 14,336 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-01-26 18:58 . 2008-01-26 18:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-26 18:58 . 2008-01-26 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:57 . 2008-01-29 11:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 16:49 . 2008-01-26 17:19 <DIR> d-------- C:\Program Files\sz8031
2008-01-26 16:49 . 2008-01-26 16:49 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\School Zone Preferences
2008-01-26 13:45 . 2008-01-26 13:45 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\Lavasoft
2008-01-26 13:34 . 2008-01-26 13:35 <DIR> d-------- C:\Documents and Settings\Rand Schwichtenberg\Application Data\AdwareAlert
2008-01-25 21:51 . 2004-08-04 04:00 1,042 --a------ C:\WINDOWS\SYSTEM32\DGNETi.dll
2008-01-25 19:58 . 2008-01-25 19:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-25 19:58 . 2008-01-25 19:58 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 02:33 --------- d-----w C:\Documents and Settings\Rand Schwichtenberg\Application Data\gtk-2.0
2008-02-01 02:26 284 ----a-w C:\Documents and Settings\Rand Schwichtenberg\Application Data\ViewerApp.dat
2008-01-31 23:48 --------- d-----w C:\Documents and Settings\Rand Schwichtenberg\Application Data\AVG7
2008-01-30 01:22 --------- d-----w C:\Program Files\Google
2008-01-30 01:21 --------- d-----w C:\Program Files\DellSupport
2007-12-24 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-12-14 18:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2007-12-04 19:34 --------- d-----w C:\Program Files\Java
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-01-19 07:24 28,672 ----a-w C:\Documents and Settings\Rand Schwichtenberg\atwbxdet.dll
2005-05-01 20:32 0 ----a-w C:\Program Files\MCASVCHOST.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-09 13:26 94208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 10:00 68856]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 14:46 135168]
"vz4028"="C:\WINDOWS\system32\vz4028.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00 99840]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-15 08:17 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-03-15 08:17 98304]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 13:03 135168]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 03:00 99840]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"ATIPTA"="C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2004-08-25 11:52 339968]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NWEReboot"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 08:54 579072]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"vz4028"="C:\WINDOWS\system32\vz4028.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 11:50 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 04:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-04-13 00:07:12 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-04-13 00:07:09 106496]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 10:59:36 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 BENDER;Pinnacle AV/DV2 Capture;C:\WINDOWS\system32\drivers\bender.sys [2005-08-22 15:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 20:34:59 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 21:35:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 21:36:07
ComboFix-quarantined-files.txt 2008-02-01 04:36:05
ComboFix2.txt 2008-01-31 22:14:48
.
2008-01-09 19:22:29 --- E O F ---
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Also post a new HijackThis log and tell me how your PC is running
  • 0

#9
ars

ars

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Greetings and thanks again for all the assistance.
I ran the SUPERAntiSpyware and the log is as follows:



SUPERAntiSpyware Scan Log
Generated 02/01/2008 at 01:44 PM

Application Version : 3.6.1000

Core Rules Database Version : 3392
Trace Rules Database Version: 1384

Scan type : Complete Scan
Total Scan Time : 01:47:11

Memory items scanned : 459
Memory threats detected : 0
Registry items scanned : 6727
Registry threats detected : 0
File items scanned : 108590
File threats detected : 1

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP690\A0142139.DLL







PC seems to be running very good. No more AVG virus scan popups and it didn't seem slow to
me before but is a lot faster now as well.
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#11
ars

ars

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Greetings -

Thanks for all the information.

I tried to click on the OTMoveIt2.exe link but it was black instead of red.
I put OTMoveIt2 into google and pulled up another log of yours a few
days ago which had a link OTMoveIt2 by OldTimer. It pulled up the
OTMoveIt2.exe so I thought it had to be right and ran it.

I also went through and completed the rest of your steps and have switched
to Firefox browser. I read Tony Klein’s article and also downloaded the
ZoneAlarm firewall.

You said thank you for your patience, and performing all of the procedures
requested but it is really me who should be thanking you for all of your help,
information and patience helping me get this fixed.

If I can ever make it back to Dublin again, I owe you a pint.
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Thank you for the kind words, we will get some pints of Guinness then :)

Enjoy the rest of your weekend
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP