Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I keep getting redirected [RESOLVED]


  • This topic is locked This topic is locked

#1
Charis1973

Charis1973

    Member

  • Member
  • PipPip
  • 15 posts
At my wits end here i have used every program that i can think of and i still keep getting redirected so far i have run CCLeaner AVG anti-spyware, SpyWareNuker, Vundo Fix, Advanced Windows Care Pro, ZoneAlarm, spyhunter, and Hijackthis. Did delete a few after they found nothing .

I play an online game and me and several of my firends go to click on a link to vote for the server we play on and we keep getting redirected to dodouble.com. We are not sure if it is us or the site but if its me I guess im missing something, so its time i fianlly ask for help (Hard Headed Woman here)LOL. here is my log from Hijackthis. Any help would greatly be appericated.

Logfile of HijackThis v1.99.1
Scan saved at 2:32:58 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\ProcessGuard\pgaccount.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\ProcessGuard\procguard.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wlky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 216.119.23.61 L2authd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Win32 Classes -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab57176.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198496957953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198854948453
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_)

Charis1973
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#3
Charis1973

Charis1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Main.txt was all that came up after i ran Deckard.

Deckard's System Scanner v20071014.68
Run by Sheila Joy on 2008-02-08 13:46:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Sheila Joy.exe) ------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-08 13:46:27
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\SYSTEM32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\SYSTEM32\services.exe
D:\WINDOWS\SYSTEM32\lsass.exe
D:\WINDOWS\SYSTEM32\ati2evxx.exe
D:\WINDOWS\SYSTEM32\svchost.exe
D:\WINDOWS\SYSTEM32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\ProcessGuard\pgaccount.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\ProcessGuard\procguard.exe
D:\WINDOWS\SYSTEM32\ctfmon.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
D:\WINDOWS\SYSTEM32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ProcessGuard\DCSUserProt.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\SYSTEM32\snmp.exe
D:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\explorer.exe
D:\my downloads\assorted programs and programfiles\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O1 - Hosts: 216.119.23.61 L2authd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://l2.hopzone.net (HKCU)
O15 - Trusted Zone: http://www.veoh.com (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab57176.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198496957953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198854948453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupd...9439.1317361111
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - D:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ndwiat - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - D:\WINDOWS\SYSTEM32\wiascr.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\DCSUserProt.exe
O23 - Service: Iomega Activity Disk2 - Unknown owner - D:\WINDOWS\SYSTEM32
O23 - Service: Iomega App Services - Unknown owner - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - D:\Program Files\Iomega\AutoDisk\ADService.exe


--
End of file - 8368 bytes

-- Files created between 2008-01-08 and 2008-02-08 -----------------------------

2008-02-08 10:27:30 0 d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-08 10:27:27 0 d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-02-08 10:27:26 0 d-------- D:\WINDOWS\LastGood
2008-02-07 09:27:24 0 d-------- D:\Program Files\Lavasoft
2008-02-07 09:15:22 0 d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 09:13:19 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 07:25:42 0 d-------- D:\WINDOWS\system32\ActiveScan
2008-02-07 04:14:26 0 d--hs---- D:\FOUND.002
2008-02-07 02:48:42 0 d--hs---- D:\FOUND.001
2008-02-06 21:00:02 0 d--hs---- D:\FOUND.000
2008-02-04 22:51:19 0 d-------- D:\Program Files\QuickTime
2008-02-04 22:51:12 0 d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-04 22:48:05 0 d-------- D:\Program Files\Apple Software Update
2008-02-04 22:48:05 0 d-------- D:\Documents and Settings\All Users\Application Data\Apple
2008-02-04 22:44:47 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Apple Computer
2008-02-04 20:42:55 0 d-------- D:\Program Files\Veoh Networks
2008-01-31 21:53:40 0 dr-h----- D:\Documents and Settings\Sheila Joy\Recent
2008-01-31 21:33:08 0 d-------- D:\Program Files\CCleaner
2008-01-30 20:23:49 0 d-------- D:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-30 15:50:16 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Grisoft
2008-01-30 15:47:24 0 d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-30 15:23:42 0 d-------- D:\VundoFix Backups
2008-01-30 14:37:52 0 d--h----- D:\Documents and Settings\Administrator\Templates
2008-01-30 14:37:52 0 dr------- D:\Documents and Settings\Administrator\Start Menu
2008-01-30 14:37:52 0 dr-h----- D:\Documents and Settings\Administrator\SendTo
2008-01-30 14:37:52 0 d--h----- D:\Documents and Settings\Administrator\Recent
2008-01-30 14:37:52 0 d--h----- D:\Documents and Settings\Administrator\PrintHood
2008-01-30 14:37:52 786432 --ah----- D:\Documents and Settings\Administrator\ntuser.dat
2008-01-30 14:37:52 0 d--h----- D:\Documents and Settings\Administrator\NetHood
2008-01-30 14:37:52 0 d-------- D:\Documents and Settings\Administrator\My Documents
2008-01-30 14:37:52 0 d--h----- D:\Documents and Settings\Administrator\Local Settings
2008-01-30 14:37:52 0 d-------- D:\Documents and Settings\Administrator\Favorites
2008-01-30 14:37:52 0 d-------- D:\Documents and Settings\Administrator\Desktop
2008-01-30 14:37:52 0 d--hs---- D:\Documents and Settings\Administrator\Cookies
2008-01-30 14:37:52 0 dr-h----- D:\Documents and Settings\Administrator\Application Data
2008-01-30 14:37:52 0 d---s---- D:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-30 09:20:43 0 d-------- D:\WINDOWS\system32\nGpxx18
2008-01-29 14:48:51 0 d-------- D:\Documents and Settings\All Users\Application Data\ATI
2008-01-29 14:39:41 593920 -----n--- D:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-01-29 14:31:16 664 --a------ D:\WINDOWS\system32\d3d9caps.dat
2008-01-29 14:25:54 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\INAC
2008-01-29 14:25:54 0 d-------- D:\Documents and Settings\All Users\Application Data\INAC
2008-01-29 14:15:03 0 d-------- D:\Program Files\ATI Technologies
2008-01-29 12:28:47 67645 --a------ D:\WINDOWS\system32\drivers\pshook11.sys <Not Verified; TrekBlue, LLC; Anti-Virus Engine>
2008-01-29 12:27:25 0 d-------- D:\Program Files\INAC
2008-01-29 11:19:32 0 d-------- D:\WINDOWS\system32\drivers\INFUpdate
2008-01-29 11:18:15 0 d-------- D:\WINDOWS\system32\drivers\IAA
2008-01-29 01:33:57 0 d-------- D:\Program Files\Microsoft Silverlight
2008-01-28 22:01:31 106496 --a------ D:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-01-28 22:00:59 26784 -----n--- D:\WINDOWS\system32\drivers\incdpass.sys <Not Verified; Ahead Software; InCD>
2008-01-28 22:00:59 85360 -----n--- D:\WINDOWS\system32\drivers\incdfs.sys
2008-01-28 22:00:57 0 d-------- D:\WINDOWS\InCD
2008-01-28 22:00:36 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\NeroVision
2008-01-28 21:59:00 89184 -----n--- D:\WINDOWS\system32\drivers\imagedrv.sys <Not Verified; Ahead Software AG and its licensors; NERO IMAGEDRIVE>
2008-01-28 21:58:28 38912 --a------ D:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-01-28 21:58:26 155648 --a------ D:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-01-28 21:58:26 544768 --a------ D:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
2008-01-28 21:58:26 569344 --a------ D:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
2008-01-28 20:51:15 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Nero
2008-01-28 20:47:27 0 d-------- D:\Program Files\Common Files\Nero
2008-01-28 20:47:27 0 d-------- D:\Documents and Settings\All Users\Application Data\Nero
2008-01-28 15:24:59 0 d-------- D:\Program Files\CamStudio
2008-01-25 20:42:26 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Motive
2008-01-25 20:40:38 0 d-------- D:\WINDOWS\Motive
2008-01-25 20:31:26 0 d-------- D:\Documents and Settings\All Users\Application Data\Motive
2008-01-25 20:31:23 589824 --a------ D:\WINDOWS\system32\MCCDNSHLP_1-0-0_DSR.dll <Not Verified; Motive Communications, Inc.; >
2008-01-25 20:31:15 0 d-------- D:\Program Files\Common Files\Motive
2008-01-24 20:13:23 0 d-------- D:\Fraps
2008-01-22 10:01:31 0 d-------- D:\L2blaze
2008-01-22 03:23:05 36 --a------ D:\Autoexec.bat
2008-01-22 03:23:04 100 --a------ D:\WINDOWS\DelIndex.BAT
2008-01-22 03:22:31 11665 --a------ D:\WINDOWS\system32\Uwrqwapibp.dll
2008-01-16 05:13:20 0 d-------- D:\l2tc
2008-01-15 21:36:13 0 d-------- D:\Program Files\KeyScrambler
2008-01-14 21:16:51 0 d-------- D:\WINDOWS\pss
2008-01-14 07:52:00 81920 --a------ D:\WINDOWS\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>
2008-01-10 05:21:08 18172 --a------ D:\WINDOWS\system32\pguard.dat
2008-01-10 05:21:08 271220 --a------ D:\WINDOWS\system32\pghash.dat
2008-01-10 05:17:05 106496 --a------ D:\WINDOWS\system32\procguard.dll
2008-01-10 05:17:05 24911 --a------ D:\WINDOWS\system32\drivers\procguard.sys
2008-01-10 05:17:04 0 d-------- D:\Program Files\ProcessGuard
2008-01-09 08:04:02 0 d-------- D:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-09 07:16:54 0 --a------ D:\WINDOWS\ativpsrm.bin
2008-01-08 09:25:13 44544 -ra------ D:\WINDOWS\system32\MSXML4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-01-08 09:25:13 626960 -ra------ D:\WINDOWS\system32\hpvaut32.dll <Not Verified; Microsoft Corporation; >
2008-01-08 09:21:58 0 d-------- D:\Program Files\Hewlett-Packard
2008-01-08 09:21:15 0 d-------- D:\Program Files\HP
2008-01-08 08:55:59 0 d-------- D:\Documents and Settings\NetworkService\Application Data\Acronis
2008-01-08 03:20:31 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\PCHealth
2008-01-08 03:18:44 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\WinZip E-Mail Companion
2008-01-08 01:06:30 10047 --a------ D:\WINDOWS\msvrc20.dll
2008-01-08 00:48:26 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\.BitTornado


-- Find3M Report ---------------------------------------------------------------

2008-02-08 00:42:44 9617322 --ah----- D:\Documents and Settings\Sheila Joy\Application Data\IconCache.db
2008-02-04 00:14:08 10752 --a------ D:\Documents and Settings\Sheila Joy\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-02-03 11:08:28 4212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2008-01-30 22:22:38 69544 --a------ D:\Documents and Settings\Sheila Joy\Application Data\GDIPFONTCACHEV1.DAT
2008-01-07 02:29:38 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Active Disk
2008-01-06 13:21:30 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Google
2008-01-06 01:17:52 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Sun
2008-01-05 21:01:48 24990 --a------ D:\WINDOWS\system32\VFP6RUN.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual FoxPro®>
2008-01-05 21:01:46 876032 --a------ D:\WINDOWS\system32\VFP6RENU.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual FoxPro®>
2008-01-05 21:01:46 3370256 --a------ D:\WINDOWS\system32\VFP6R.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual FoxPro®>
2008-01-05 12:19:30 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Business Logic
2008-01-05 12:04:48 0 d-------- D:\Program Files\WinZip E-Mail Companion
2008-01-05 10:30:28 147456 --a------ D:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-05 10:03:46 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\LimeWire
2008-01-05 10:02:06 0 d-------- D:\Program Files\Java
2008-01-05 10:00:56 0 d-------- D:\Program Files\Common Files\Java
2008-01-05 08:57:42 0 d-------- D:\Program Files\Common Files\Adobe
2008-01-02 06:59:26 0 d-------- D:\Program Files\Microsoft Works
2008-01-02 06:56:16 0 d-------- D:\Program Files\Microsoft.NET
2008-01-02 06:56:16 0 d-------- D:\Program Files\Common Files\ODBC
2008-01-02 06:51:30 0 d-------- D:\Program Files\Microsoft SQL Server
2008-01-02 06:48:40 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Microsoft Help
2008-01-01 20:55:46 0 d-------- D:\Program Files\MSXML 4.0
2008-01-01 09:27:28 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\atitray
2008-01-01 09:13:14 0 d-------- D:\Program Files\MultiRes
2007-12-29 12:41:18 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\CyberLink <CYBERL~1>
2007-12-29 12:36:54 0 d-------- D:\Program Files\CyberLink <CYBERL~1>
2007-12-29 11:24:24 0 d-------- D:\Program Files\Windows Media Components
2007-12-29 03:03:32 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\ATI
2007-12-29 03:01:40 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Steam
2007-12-29 02:52:40 0 d-------- D:\Program Files\Common Files\InstallShield
2007-12-28 10:04:42 0 d-------- D:\Program Files\Microsoft SQL Server Compact Edition
2007-12-28 09:55:42 0 d--hs---- D:\Program Files\Common Files\WindowsLiveInstaller
2007-12-28 09:55:14 0 d-------- D:\Program Files\Windows Live
2007-12-27 19:15:32 0 d--h----- D:\Program Files\InstallShield Installation Information
2007-12-27 19:15:18 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\InstallShield
2007-12-25 19:19:10 0 d-------- D:\Program Files\IObit
2007-12-25 07:19:46 0 d-------- D:\Program Files\Lineage II
2007-12-25 01:53:24 0 d-------- D:\Program Files\Yahoo!
2007-12-25 00:15:28 0 d-------- D:\Program Files\MSXML 6.0
2007-12-24 21:36:36 0 d-------- D:\Program Files\Download Manager
2007-12-24 21:36:08 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\IGN_DLM
2007-12-24 09:28:52 0 d-------- D:\Program Files\MSBuild
2007-12-24 09:21:02 0 d-------- D:\Program Files\Reference Assemblies
2007-12-24 09:11:02 0 d-------- D:\Program Files\Windows Media Connect 2
2007-12-24 07:18:42 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\MailFrontier
2007-12-24 00:15:20 0 d-------- D:\Program Files\microsoft frontpage
2007-12-24 00:13:42 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\WinRAR
2007-12-24 00:13:42 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\teamspeak2
2007-12-24 00:13:42 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\ApplicationHistory
2007-12-24 00:13:42 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Ahead
2007-12-24 00:13:40 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Macromedia
2007-12-24 00:13:40 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Identities
2007-12-24 00:13:40 0 d-------- D:\Documents and Settings\Sheila Joy\Application Data\Adobe
2007-12-24 00:11:36 208384 --a------ D:\WINDOWS\system32\migicons.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-24 00:08:32 0 d-------- D:\Program Files\Common Files\MSSoap
2007-12-24 00:07:14 21640 --a------ D:\WINDOWS\system32\emptyregdb.dat
2007-12-24 00:06:32 0 d-------- D:\Program Files\Windows NT
2007-12-24 00:00:48 0 d-------- D:\Program Files\Common Files\SpeechEngines
2007-12-23 23:04:34 126714 ---h----- D:\WINDOWS\ShellIconCache
2007-12-23 22:24:58 0 d-------- D:\Program Files\Common Files\Ahead
2007-12-23 22:24:56 0 d-------- D:\Program Files\Ahead
2007-12-23 19:00:32 62 --ahs---- D:\Documents and Settings\Sheila Joy\Application Data\desktop.ini
2007-12-23 10:54:54 149 --a------ D:\WINDOWS\msrstr.dat
2007-12-23 09:49:38 1160 --a------ D:\Documents and Settings\Sheila Joy\Application Data\dw.log
2007-12-23 09:46:18 0 --a------ D:\WINDOWS\nsreg.dat
2007-12-23 06:54:34 0 d-------- D:\Program Files\Teamspeak2_RC2
2007-12-23 06:37:02 75 --a------ D:\Documents and Settings\Sheila Joy\Application Data\fusioncache.dat
2007-12-23 05:45:44 0 d-------- D:\Program Files\WindowsUpdate
2007-12-23 05:41:28 200736 -r-h----- D:\WINDOWS\HWINFO.DAT
2007-12-23 05:40:30 23357 ---h----- D:\Program Files\folder.htt
2007-12-23 05:40:30 271 ---hs---- D:\Program Files\desktop.ini
2007-12-23 05:38:44 6093 --ah----- D:\WINDOWS\ttfCache
2007-12-23 05:33:48 18939 --a------ D:\WINDOWS\SETVER.EXE
2007-12-23 05:32:26 0 d-------- D:\Program Files\MSN Gaming Zone
2007-12-23 05:29:44 0 d-------- D:\Program Files\Online Services
2007-12-23 05:20:46 0 d-------- D:\Program Files\Plus!
2007-12-23 05:20:46 0 d-------- D:\Program Files\Movie Maker
2007-12-23 05:20:46 0 d-------- D:\Program Files\Messenger
2007-12-23 05:20:46 0 d-------- D:\Program Files\Common Files
2007-12-23 05:20:46 0 d-------- D:\Program Files\Accessories
2007-11-29 16:50:20 4096 --a------ D:\WINDOWS\system32\sysres.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [03/14/2007 09:01 PM]
"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [03/04/2004 10:46 AM]
"!1_pgaccount"="D:\Program Files\ProcessGuard\pgaccount.exe" [01/20/2005 02:14 PM]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"!1_ProcessGuard_Startup"="D:\Program Files\ProcessGuard\procguard.exe" [01/20/2005 02:24 PM]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"Veoh"="D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [01/30/2008 12:55 PM]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
D:\Program Files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Zone Labs Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
D:\WINDOWS\SYSTEM32\updcrl.exe -e -u D:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-02-08 13:49:25 -------------------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 08, 2008 1:41:40 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/02/2008
Kaspersky Anti-Virus database records: 555438
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 44072
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:55:31

Infected Object Name / Virus Name / Last Action
D:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
D:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
D:\WINDOWS\SYSTEM32\DRIVERS\procguard.sys Object is locked skipped
D:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
D:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
D:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
D:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
D:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
D:\WINDOWS\SYSTEM32\config\ACEEvent.evt Object is locked skipped
D:\WINDOWS\SYSTEM32\config\OSession.evt Object is locked skipped
D:\WINDOWS\SYSTEM32\config\ODiag.evt Object is locked skipped
D:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
D:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
D:\WINDOWS\SYSTEM32\pguard.dat Object is locked skipped
D:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
D:\WINDOWS\SYSTEM32\pghash.dat Object is locked skipped
D:\WINDOWS\FONTS\Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
D:\WINDOWS\FONTS\a.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
D:\WINDOWS\FONTS\a.zip ZIP: infected - 1 skipped
D:\WINDOWS\TEMP\Perflib_Perfdata_1b4.dat Object is locked skipped
D:\WINDOWS\TEMP\ZLT04c84.TMP Object is locked skipped
D:\WINDOWS\TEMP\ZLT04cb2.TMP Object is locked skipped
D:\WINDOWS\SchedLog.Txt Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\WINDOWS\Internet Logs\HOME1.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\Sheila Joy\Local Settings\Temp\~DF2B8.tmp Object is locked skipped
D:\Documents and Settings\Sheila Joy\Local Settings\Temp\~DF3809.tmp Object is locked skipped
D:\Documents and Settings\Sheila Joy\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Sheila Joy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Sheila Joy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Documents and Settings\Sheila Joy\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Sheila Joy\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Sheila Joy\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Sheila Joy\Application Data\MailFrontier\ASD.log Object is locked skipped
D:\Documents and Settings\Sheila Joy\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Sheila Joy\ntuser.dat Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

Scan process completed.
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    D:\FOUND.002
    D:\FOUND.001
    D:\FOUND.000
    D:\WINDOWS\system32\nGpxx18
    D:\Autoexec.bat
    D:\WINDOWS\DelIndex.BAT
    D:\WINDOWS\system32\Uwrqwapibp.dll
    D:\WINDOWS\FONTS\Crack.exe
    D:\WINDOWS\FONTS\a.zip
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new DSS log
  • 0

#5
Charis1973

Charis1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
a friend told me to also run SDfix and that got rid of the crack.exe

D:\FOUND.002 moved successfully.
D:\FOUND.001 moved successfully.
D:\FOUND.000 moved successfully.
D:\WINDOWS\system32\nGpxx18 moved successfully.
D:\Autoexec.bat moved successfully.
D:\WINDOWS\DelIndex.BAT moved successfully.
LoadLibrary failed for D:\WINDOWS\system32\Uwrqwapibp.dll
D:\WINDOWS\system32\Uwrqwapibp.dll NOT unregistered.
D:\WINDOWS\system32\Uwrqwapibp.dll moved successfully.
File/Folder D:\WINDOWS\FONTS\Crack.exe not found.
File/Folder D:\WINDOWS\FONTS\a.zip not found.
[Custom Input]
< purity >

OTMoveIt2 v1.0.19 log created on 02082008_145148

Logfile of HijackThis v1.99.1
Scan saved at 2:57:02 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\ProcessGuard\pgaccount.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\ProcessGuard\procguard.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\my downloads\assorted programs and programfiles\dss.exe
D:\PROGRA~1\HIJACK~1\SHEILA~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://l2.hopzone.net
O15 - Trusted Zone: http://www.veoh.com
O16 - DPF: Win32 Classes -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab57176.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198496957953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198854948453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - D:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)
  • 0

#6
Charis1973

Charis1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Also wanted to say thanks for all your help sorry forgot to add that in my last post
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O16 - DPF: Win32 Classes -

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Then tell me how your PC is running
  • 0

#8
Charis1973

Charis1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
ok that wasn't listed and im still getting redirected to dodouble.com

here is my current hijackthis log


gfile of HijackThis v1.99.1
Scan saved at 2:54:29 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
D:\Program Files\ProcessGuard\pgaccount.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\ProcessGuard\procguard.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 216.119.23.61 L2authd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://l2.hopzone.net
O15 - Trusted Zone: http://www.veoh.com
O16 - DPF: Win32 Classes -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab57176.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198496957953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198854948453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - D:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Strange

Do this

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#10
Charis1973

Charis1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
One more time let me say Thanks for all your help
Edit: also still getting this stupid dodouble site god im hateing that site more and more every day


ComboFix 08-02.05.3 - Sheila Joy 2008-02-09 10:43:08.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.546 [GMT -5:00]
Running from: D:\Documents and Settings\Sheila Joy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\WINDOWS\msvrc20.dll
D:\WINDOWS\start.exe
D:\WINDOWS\system32\_000005_.tmp.dll
D:\WINDOWS\system32\windows.scr
D:\WINDOWS\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 22:22 . 2008-02-08 22:22 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-02-08 22:22 . 2008-02-08 22:22 1,409 --a------ D:\WINDOWS\QTFont.for
2008-02-08 22:07 . 2008-02-08 22:07 <DIR> d-------- D:\Program Files\QuickTime
2008-02-08 22:07 . 2008-02-08 22:07 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-08 19:04 . 2008-02-08 19:04 <DIR> d-------- D:\Documents and Settings\NetworkService\Application Data\Apple
2008-02-08 14:51 . 2008-02-08 14:51 <DIR> d-------- D:\_OTMoveIt
2008-02-08 14:30 . 2008-02-08 14:30 <DIR> d-------- D:\WINDOWS\ERUNT
2008-02-08 14:30 . 2008-02-07 15:37 <DIR> d-------- D:\SDFix
2008-02-08 13:46 . 2008-02-08 13:46 <DIR> d-------- D:\Deckard
2008-02-08 10:27 . 2008-02-08 10:27 <DIR> d-------- D:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-08 10:27 . 2008-02-08 10:27 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-08 00:00 . 2008-02-08 00:00 12,052 --a------ D:\Charis Sig2.JPG
2008-02-07 23:57 . 2008-02-07 23:57 13,398 --a------ D:\Charis Sig.JPG
2008-02-07 23:57 . 2008-02-07 23:57 9,385 --a------ D:\Charis Sig1.JPG
2008-02-07 23:52 . 2008-02-07 23:53 240,054 --a------ D:\Charis Sig.bmp
2008-02-07 09:27 . 2008-02-07 09:27 <DIR> d-------- D:\Program Files\Lavasoft
2008-02-07 09:15 . 2008-02-07 09:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 09:13 . 2008-02-07 09:13 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 07:25 . 2008-02-07 07:25 <DIR> d-------- D:\WINDOWS\SYSTEM32\ActiveScan
2008-02-07 07:25 . 2008-02-07 08:59 30,590 --a------ D:\WINDOWS\SYSTEM32\pavas.ico
2008-02-07 07:25 . 2008-02-07 08:59 2,550 --a------ D:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-07 07:25 . 2008-02-07 08:59 1,406 --a------ D:\WINDOWS\SYSTEM32\Help.ico
2008-02-04 22:48 . 2008-02-04 22:48 <DIR> d-------- D:\Program Files\Apple Software Update
2008-02-04 22:48 . 2008-02-04 22:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2008-02-04 22:44 . 2008-02-04 22:44 <DIR> d-------- D:\Documents and Settings\Sheila Joy\Application Data\Apple Computer
2008-02-04 20:42 . 2008-02-04 20:42 <DIR> d-------- D:\Program Files\Veoh Networks
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ D:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ D:\WINDOWS\SYSTEM32\QuickTime.qts
2008-01-31 21:33 . 2008-01-31 21:33 <DIR> d-------- D:\Program Files\CCleaner
2008-01-30 20:23 . 2008-01-30 20:23 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-30 15:50 . 2008-01-30 15:50 <DIR> d-------- D:\Documents and Settings\Sheila Joy\Application Data\Grisoft
2008-01-30 15:48 . 2007-05-30 07:10 10,872 --a------ D:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-30 15:47 . 2008-01-30 15:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-30 15:23 . 2008-01-30 15:23 <DIR> d-------- D:\VundoFix Backups
2008-01-29 14:48 . 2008-01-29 14:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ATI
2008-01-29 14:39 . 2007-12-20 21:05 593,920 --------- D:\WINDOWS\SYSTEM32\ati2sgag.exe
2008-01-29 14:31 . 2008-01-29 14:33 664 --a------ D:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-01-29 14:25 . 2008-01-29 14:25 <DIR> d-------- D:\Documents and Settings\Sheila Joy\Application Data\INAC
2008-01-29 14:25 . 2008-01-29 14:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\INAC
2008-01-29 14:15 . 2008-01-29 14:15 <DIR> d-------- D:\Program Files\ATI Technologies
2008-01-29 12:28 . 2008-01-29 14:21 67,645 --a------ D:\WINDOWS\SYSTEM32\DRIVERS\pshook11.sys
2008-01-29 12:27 . 2008-01-29 12:27 <DIR> d-------- D:\Program Files\INAC
2008-01-29 11:19 . 2004-09-10 15:52 <DIR> d-------- D:\WINDOWS\SYSTEM32\DRIVERS\INFUpdate
2008-01-29 11:18 . 2005-01-06 10:19 <DIR> d-------- D:\WINDOWS\SYSTEM32\DRIVERS\IAA
2008-01-29 01:33 . 2008-01-29 01:33 <DIR> d-------- D:\Program Files\Microsoft Silverlight
2008-01-29 01:03 . 2008-02-01 21:03 40 --a------ D:\WINDOWS\nero.INI
2008-01-28 22:01 . 2003-07-13 02:49 1,204,224 --------- D:\WINDOWS\UNMRW.exe
2008-01-28 22:01 . 2003-07-13 02:49 1,155,072 --------- D:\WINDOWS\UNNMIX.exe
2008-01-28 22:01 . 2003-07-13 02:49 1,155,072 --------- D:\WINDOWS\NuNinst.exe
2008-01-28 22:01 . 2003-07-13 02:49 172,248 --------- D:\WINDOWS\UNNMIX.cfg
2008-01-28 22:01 . 2003-07-13 02:50 106,496 --a------ D:\WINDOWS\SYSTEM32\TwnLib20.dll
2008-01-28 22:01 . 2003-07-13 02:49 47,262 --------- D:\WINDOWS\NuNinst.cfg
2008-01-28 22:01 . 2003-07-13 02:49 29,390 --------- D:\WINDOWS\UNMRW.cfg
2008-01-28 22:01 . 2003-07-13 02:49 23,920 --------- D:\WINDOWS\SYSTEM32\DRIVERS\incdrm.sys
2008-01-28 22:00 . 2008-01-28 22:00 <DIR> d-------- D:\WINDOWS\InCD
2008-01-28 22:00 . 2008-01-28 22:00 <DIR> d-------- D:\Documents and Settings\Sheila Joy\Application Data\NeroVision
2008-01-28 22:00 . 2003-07-13 02:50 1,155,072 --------- D:\WINDOWS\UNNeroVision.exe
2008-01-28 22:00 . 2003-07-13 02:49 85,360 --------- D:\WINDOWS\SYSTEM32\DRIVERS\incdfs.sys
2008-01-28 22:00 . 2003-07-13 02:50 65,056 --------- D:\WINDOWS\UNNeroVision.cfg
2008-01-28 22:00 . 2003-07-13 02:49 26,784 --------- D:\WINDOWS\SYSTEM32\DRIVERS\incdpass.sys
2008-01-28 22:00 . 2003-07-13 02:49 4,976 --------- D:\WINDOWS\SYSTEM32\DRIVERS\incdrec.sys
2008-01-28 21:59 . 2003-07-13 02:49 89,184 --------- D:\WINDOWS\SYSTEM32\DRIVERS\imagedrv.sys
2008-01-28 21:59 . 2003-07-13 02:49 57,344 --------- D:\WINDOWS\SYSTEM32\ImageDrive.cpl
2008-01-28 21:58 . 2003-07-13 02:50 569,344 --a------ D:\WINDOWS\SYSTEM32\imagr5.dll
2008-01-28 21:58 . 2003-07-13 02:50 544,768 --a------ D:\WINDOWS\SYSTEM32\imagx5.dll
2008-01-28 21:58 . 2003-07-13 02:50 283,920 --a------ D:\WINDOWS\SYSTEM32\ImagXpr5.dll
2008-01-28 21:58 . 2003-07-13 02:49 155,648 --a------ D:\WINDOWS\SYSTEM32\NeroCheck.exe
2008-01-28 21:58 . 2003-07-13 02:50 38,912 --a------ D:\WINDOWS\SYSTEM32\picn20.dll
2008-01-28 21:13 . 2008-01-28 21:13 0 --a------ D:\WINDOWS\Irremote.ini
2008-01-28 20:51 . 2008-01-28 20:51 <DIR> d-------- D:\Documents and Settings\Sheila Joy\Application Data\Nero
2008-01-28 20:47 . 2008-01-28 20:47 <DIR> d-------- D:\Program Files\Common Files\Nero
2008-01-28 20:47 . 2008-01-28 20:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Nero
2008-01-28 15:39 . 2001-05-11 13:18 420,240 --a------ D:\WINDOWS\SYSTEM32\mpg4c32.dll
2008-01-28 15:39 . 2001-05-16 17:54 309,616 --a------ D:\WINDOWS\SYSTEM32\wmv8dmod.dll
2008-01-28 15:39 . 2001-03-26 04:41 245,760 --a------ D:\WINDOWS\SYSTEM32\mp4sds32.ax
2008-01-28 15:24 . 2008-01-28 15:25 <DIR> d-------- D:\Program Files\CamStudio
2008-01-27 11:16 . 2008-01-27 11:17 268 --ah----- D:\sqmdata06.sqm
2008-01-27 11:16 . 2008-01-27 11:17 244 --ah----- D:\sqmnoopt06.sqm
2008-01-26 22:23 . 2008-01-26 22:23 0 --a------ D:\WINDOWS\SelSet.INI
2008-01-26 15:59 . 2004-08-03 23:08 31,616 --a------ D:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2008-01-26 15:59 . 2004-08-03 23:08 31,616 --a------ D:\WINDOWS\SYSTEM32\dllcache\usbccgp.sys
2008-01-26 15:59 . 2004-08-04 00:56 21,504 --a------ D:\WINDOWS\SYSTEM32\hidserv.dll
2008-01-26 15:59 . 2004-08-04 00:56 21,504 --a------ D:\WINDOWS\SYSTEM32\dllcache\hidserv.dll
2008-01-26 15:59 . 2004-08-03 22:58 14,848 --a------ D:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
2008-01-26 15:59 . 2004-08-03 22:58 14,848 --a------ D:\WINDOWS\SYSTEM32\dllcache\kbdhid.sys
2008-01-26 15:59 . 2001-08-17 13:48 12,160 --a------ D:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2008-01-26 15:59 . 2001-08-17 13:48 12,160 --a------ D:\WINDOWS\SYSTEM32\dllcache\mouhid.sys
2008-01-26 15:59 . 2001-08-17 14:02 9,600 --a------ D:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-01-26 15:59 . 2001-08-17 14:02 9,600 --a------ D:\WINDOWS\SYSTEM32\dllcache\hidusb.sys
2008-01-25 20:42 . 2008-01-25 20:42 <DIR> d-------- D:\Documents and Settings\Sheila Joy\Application Data\Motive
2008-01-25 20:40 . 2008-01-25 20:40 <DIR> d-------- D:\WINDOWS\Motive
2008-01-25 20:31 . 2008-01-25 20:31 <DIR> d-------- D:\Program Files\Common Files\Motive
2008-01-25 20:31 . 2008-01-25 20:31 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Motive
2008-01-25 20:31 . 2004-08-11 01:50 589,824 --a------ D:\WINDOWS\SYSTEM32\MCCDNSHLP_1-0-0_DSR.dll
2008-01-24 20:13 . 2008-01-24 20:13 <DIR> d-------- D:\Fraps
2008-01-22 10:01 . 2008-01-22 10:01 <DIR> d-------- D:\L2blaze
2008-01-16 05:13 . 2008-01-16 05:13 <DIR> d-------- D:\l2tc
2008-01-15 21:36 . 2008-01-15 21:36 <DIR> d-------- D:\Program Files\KeyScrambler
2008-01-15 21:36 . 2007-12-29 09:35 112,992 --a------ D:\WINDOWS\SYSTEM32\DRIVERS\keyscrambler.sys
2008-01-14 07:52 . 2008-01-14 07:52 81,920 --a------ D:\WINDOWS\SYSTEM32\frapsvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 15:55 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-02-09 15:55 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-02-08 05:43 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBBE.tmp
2008-02-08 05:43 1,457,152 ------w D:\WINDOWS\Internet Logs\xDBBD.tmp
2008-02-07 17:57 1,606,656 ------w D:\WINDOWS\Internet Logs\xDBBC.tmp
2008-02-07 09:12 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBBB.tmp
2008-02-07 06:26 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBBA.tmp
2008-02-07 06:26 1,212,416 ------w D:\WINDOWS\Internet Logs\xDBB9.tmp
2008-02-07 01:57 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBB8.tmp
2008-02-06 05:02 1,958,912 ------w D:\WINDOWS\Internet Logs\xDBB7.tmp
2008-02-05 07:09 1,439,232 ------w D:\WINDOWS\Internet Logs\xDBB6.tmp
2008-02-04 23:48 526,848 ------w D:\WINDOWS\Internet Logs\xDBB5.tmp
2008-02-04 21:08 734,720 ------w D:\WINDOWS\Internet Logs\xDBB4.tmp
2008-02-04 15:10 69,120 ------w D:\WINDOWS\Internet Logs\xDBB3.tmp
2008-02-04 12:55 150,016 ------w D:\WINDOWS\Internet Logs\xDBB2.tmp
2008-02-04 05:31 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBB1.tmp
2008-02-04 05:31 1,307,648 ------w D:\WINDOWS\Internet Logs\xDBB0.tmp
2008-02-03 20:30 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBAF.tmp
2008-02-03 20:30 3,506,176 ------w D:\WINDOWS\Internet Logs\xDBAE.tmp
2008-02-02 07:18 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBAD.tmp
2008-02-02 07:18 1,098,752 ------w D:\WINDOWS\Internet Logs\xDBAC.tmp
2008-02-01 05:52 882,176 ------w D:\WINDOWS\Internet Logs\xDBAA.tmp
2008-02-01 05:52 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBAB.tmp
2008-02-01 01:34 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBA9.tmp
2008-02-01 01:34 46,080 ------w D:\WINDOWS\Internet Logs\xDBA8.tmp
2008-02-01 00:18 168,448 ------w D:\WINDOWS\Internet Logs\xDBA7.tmp
2008-01-31 10:58 1,687,552 ------w D:\WINDOWS\Internet Logs\xDBA6.tmp
2008-01-31 06:46 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBA5.tmp
2008-01-31 06:46 1,212,416 ------w D:\WINDOWS\Internet Logs\xDBA4.tmp
2008-01-31 03:22 69,544 ----a-w D:\Documents and Settings\Sheila Joy\Application Data\GDIPFONTCACHEV1.DAT
2008-01-31 02:57 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBA3.tmp
2008-01-31 02:57 164,864 ------w D:\WINDOWS\Internet Logs\xDBA2.tmp
2008-01-31 01:21 5,505,024 ------w D:\WINDOWS\Internet Logs\xDBA1.tmp
2008-01-31 01:21 2,760,192 ------w D:\WINDOWS\Internet Logs\xDBA0.tmp
2008-01-30 19:21 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB9F.tmp
2008-01-30 19:21 1,409,024 ------w D:\WINDOWS\Internet Logs\xDB9E.tmp
2008-01-30 17:22 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB9D.tmp
2008-01-30 17:22 1,081,344 ------w D:\WINDOWS\Internet Logs\xDB9C.tmp
2008-01-30 17:14 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB9B.tmp
2008-01-30 17:14 1,146,880 ------w D:\WINDOWS\Internet Logs\xDB9A.tmp
2008-01-30 16:43 1,343,488 ------w D:\WINDOWS\Internet Logs\xDB99.tmp
2008-01-30 15:45 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB98.tmp
2008-01-30 15:45 160,256 ------w D:\WINDOWS\Internet Logs\xDB97.tmp
2008-01-30 15:23 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB96.tmp
2008-01-30 15:23 1,081,344 ------w D:\WINDOWS\Internet Logs\xDB95.tmp
2008-01-30 08:26 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB94.tmp
2008-01-30 08:26 1,183,232 ------w D:\WINDOWS\Internet Logs\xDB93.tmp
2008-01-30 01:56 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB92.tmp
2008-01-30 01:56 1,600,000 ------w D:\WINDOWS\Internet Logs\xDB91.tmp
2008-01-29 19:18 676,864 ------w D:\WINDOWS\Internet Logs\xDB90.tmp
2008-01-29 16:31 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB8F.tmp
2008-01-29 07:02 587,776 ------w D:\WINDOWS\Internet Logs\xDB8E.tmp
2008-01-29 06:15 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB105.tmp
2008-01-29 04:22 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB8D.tmp
2008-01-29 04:22 1,081,344 ------w D:\WINDOWS\Internet Logs\xDB8C.tmp
2008-01-29 03:02 195,072 ------w D:\WINDOWS\Internet Logs\xDB8B.tmp
2008-01-29 02:21 2,129,920 ------w D:\WINDOWS\Internet Logs\xDB8A.tmp
2008-01-28 21:38 9,623,677 ------w D:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-28 01:57 863,232 ------w D:\WINDOWS\Internet Logs\xDB89.tmp
2008-01-27 18:36 863,744 ------w D:\WINDOWS\Internet Logs\xDB87.tmp
2008-01-27 18:36 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB88.tmp
2008-01-27 07:46 1,081,344 ------w D:\WINDOWS\Internet Logs\xDB86.tmp
2008-01-27 03:23 197,632 ------w D:\WINDOWS\Internet Logs\xDB85.tmp
2008-01-26 23:44 688,128 ------w D:\WINDOWS\Internet Logs\xDB83.tmp
2008-01-26 23:44 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB84.tmp
2008-01-26 16:55 504,320 ------w D:\WINDOWS\Internet Logs\xDB82.tmp
2008-01-26 05:52 993,792 ------w D:\WINDOWS\Internet Logs\xDB80.tmp
2008-01-26 05:52 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB81.tmp
2008-01-26 01:00 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB7F.tmp
2008-01-26 01:00 326,144 ------w D:\WINDOWS\Internet Logs\xDB7E.tmp
2008-01-25 23:50 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB7D.tmp
2008-01-25 23:50 1,300,992 ------w D:\WINDOWS\Internet Logs\xDB7C.tmp
2008-01-25 15:33 707,072 ------w D:\WINDOWS\Internet Logs\xDB7A.tmp
2008-01-25 15:33 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB7B.tmp
2008-01-25 04:49 599,552 ------w D:\WINDOWS\Internet Logs\xDB78.tmp
2008-01-25 04:49 5,505,024 ------w D:\WINDOWS\Internet Logs\xDB79.tmp
2008-01-25 02:11 1,081,344 ------w D:\WINDOWS\Internet Logs\xDB77.tmp
2008-01-24 06:15 530,944 ------w D:\WINDOWS\Internet Logs\xDB75.tmp
2008-01-24 06:14 4,454,400 ------w D:\WINDOWS\Internet Logs\xDB76.tmp
2008-01-24 02:51 4,453,888 ------w D:\WINDOWS\Internet Logs\xDB74.tmp
2008-01-24 02:51 2,086,912 ------w D:\WINDOWS\Internet Logs\xDB73.tmp
2008-01-23 09:59 4,453,376 ------w D:\WINDOWS\Internet Logs\xDB72.tmp
2008-01-23 09:59 1,765,376 ------w D:\WINDOWS\Internet Logs\xDB71.tmp
2008-01-23 01:17 4,451,328 ------w D:\WINDOWS\Internet Logs\xDB70.tmp
2008-01-23 01:17 1,655,808 ------w D:\WINDOWS\Internet Logs\xDB6F.tmp
2008-01-22 09:13 111,104 ------w D:\WINDOWS\Internet Logs\xDB6E.tmp
2008-01-22 08:52 2,839,040 ------w D:\WINDOWS\Internet Logs\xDB6D.tmp
2008-01-21 04:40 858,112 ------w D:\WINDOWS\Internet Logs\xDB6B.tmp
2008-01-21 04:40 4,428,800 ------w D:\WINDOWS\Internet Logs\xDB6C.tmp
2008-01-20 05:45 4,428,288 ------w D:\WINDOWS\Internet Logs\xDB6A.tmp
2008-01-20 05:45 1,413,120 ------w D:\WINDOWS\Internet Logs\xDB69.tmp
2008-01-19 21:46 4,427,776 ------w D:\WINDOWS\Internet Logs\xDB68.tmp
2008-01-19 21:46 177,664 ------w D:\WINDOWS\Internet Logs\xDB67.tmp
2008-01-19 20:43 599,040 ------w D:\WINDOWS\Internet Logs\xDB65.tmp
2008-01-19 20:43 4,426,240 ------w D:\WINDOWS\Internet Logs\xDB66.tmp
2008-01-19 06:42 4,425,216 ------w D:\WINDOWS\Internet Logs\xDB64.tmp
2008-01-19 06:42 1,132,544 ------w D:\WINDOWS\Internet Logs\xDB63.tmp
2008-01-18 07:16 4,424,192 ------w D:\WINDOWS\Internet Logs\xDB62.tmp
2008-01-18 07:16 322,048 ------w D:\WINDOWS\Internet Logs\xDB61.tmp
2008-01-18 06:15 88,448 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_18_01_02_52_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"!1_ProcessGuard_Startup"="D:\Program Files\ProcessGuard\procguard.exe" [2005-01-20 14:24 280064]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Veoh"="D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-30 12:55 3497984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01 71216]
"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 10:46 172032]
"!1_pgaccount"="D:\Program Files\ProcessGuard\pgaccount.exe" [2005-01-20 14:14 184320]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
D:\Program Files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Zone Labs Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

R0 tdrpman;tdrpman;D:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-01-05 11:35]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};D:\Program Files\CyberLink\PowerDVD\000.fcl [2007-09-19 21:37]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;"D:\Program Files\ProcessGuard\dcsuserprot.exe" [2005-01-20 14:25]
R2 procguard;procguard;D:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]
R3 KeyScrambler;KeyScrambler;D:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 09:35]
S1 atitray;atitray;D:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys []
S3 MS1000;MS1000;D:\WINDOWS\system32\DRIVERS\MS1000.sys [2007-12-25 15:50]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"D:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
D:\WINDOWS\SYSTEM32\updcrl.exe -e -u D:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 04:00:04 D:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-02-09 15:49:00 D:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- D:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-02-09 00:03:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 10:59:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\WINDOWS\SYSTEM32\ZONELABS\avsys\ScanningProcess.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-02-09 11:03:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 16:03:16
.
2008-01-23 01:06:50 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 11:08:57 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\ProcessGuard\dcsuserprot.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
D:\Program Files\ProcessGuard\pgaccount.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\ProcessGuard\procguard.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [!1_pgaccount] "D:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "D:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://l2.hopzone.net
O15 - Trusted Zone: http://www.veoh.com
O16 - DPF: Win32 Classes -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab57176.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198496957953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198854948453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - D:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - D:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)

Edited by Charis1973, 09 February 2008 - 10:13 AM.

  • 0

Advertisements


#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

D:\WINDOWS\SYSTEM32\updcrl.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Let me know if you are still getting redirected
  • 0

#12
Charis1973

Charis1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
File has already been analysed:
MD5: ca32888d236bc9d229daca00c51fe0fb
Date: 02.05.2008 14:00:28 (CET) [>4D]
Results: 0/32
Permalink: analisis/210202dd71e306e2b8411d1845c1bf52


Dr Web found no viruses so its not allowing me to do a log

still geting redirected

Edited by Charis1973, 09 February 2008 - 10:33 AM.

  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Strange

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans check the box beside Reg - Disabled MS Config Items.
  • Under Rootkit Search change that to Yes.
  • Under Files Created Within change it to 90 days, do the same for Files Modified Within
  • Check the box at the top for Scan all user accounts
  • Under Drivers change it to Non-Microsoft
  • Under Additional Scans check the boxes beside File - Additional Folder Scan, Reg- Bot Check, and File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply.

Edited by Rorschach112, 09 February 2008 - 11:37 AM.

  • 0

#14
Charis1973

Charis1973

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
it won't let me do an attachment because the file is 543 k going to try to zip it and see if it will let me load it that way

Attached File  WinPFind35.zip   48.88KB   50 downloads

Edited by Charis1973, 09 February 2008 - 02:45 PM.

  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn...st/srchcust.htm
YN -> HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn...st/srchasst.htm
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YY -> ADUserMon hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Iomega\AutoDisk\ADUserMon.exe
YN -> AtiPTA hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> atiptaxx.exe
[Files/Folders - Created Within 90 days]
YY -> 1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 90 days]
YY -> 1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp
YY -> 6 D:\WINDOWS\Temp\*.tmp files -> D:\WINDOWS\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.


Tell me how your PC is running then
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP