Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spyware constantly reinstalling [CLOSED]


  • This topic is locked This topic is locked

#1
Larrytom2

Larrytom2

    Member

  • Member
  • PipPip
  • 10 posts
Hello,

I am working on a machine that has spyware. I had to run spy sweeper in safe mode to begin with just to be able to run it. When it finally showed clean I booted to normal mode. At this point it appears the spyware is reinstalling. I have run spy sweeper in normal mode several times and now it shows clean, but I am getting a yellow triangle saying Windows antivirus on the task bar stating I have spyware and to scan machine. While working I have a error about Work Offline/Try Again, I have internet disconnected at this point. I also get a window saying windows security alert download spyware remover yes/no. I originally installed spybot but got a message that the file was changed, I removed it. I have pasted a copy of the latest hijack this log. Any help is appreciated.

Thanks,
Larry



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:26 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\AOL\1141758959\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\program files\common files\aol\1141758959\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {275118CC-5C18-4E3A-8064-21A02C2D2525} - C:\WINDOWS\system32\actxprx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\Helper10.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202138408.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1141758959\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O21 - SSODL: SetupPrx - {9e4ed985-b39b-4c8e-a95e-a0341a65f6f7} - C:\WINDOWS\Installer\{9e4ed985-b39b-4c8e-a95e-a0341a65f6f7}\SetupPrx.dll
O21 - SSODL: zip - {f56290be-a5c7-4a9a-84a1-7cd2196a3449} - C:\WINDOWS\Installer\{f56290be-a5c7-4a9a-84a1-7cd2196a3449}\zip.dll
O21 - SSODL: KbdWin - {0170a502-0496-4434-b37c-597ffd7861b0} - C:\WINDOWS\Installer\{0170a502-0496-4434-b37c-597ffd7861b0}\KbdWin.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9263 byte
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
Larrytom2

Larrytom2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Rorschach112,

Here are the logs you requested.


SmitFraudFix v2.281

Scan done at 10:53:09.28, Tue 02/05/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net
10.18.250.4 ca.com
10.18.250.4 click.atdmt.com
10.18.250.4 clicks.atdmt.com
10.18.250.4 customer.symantec.com
10.18.250.4 dispatch.mcafee.com
10.18.250.4 download.mcafee.com
10.18.250.4 downloads-us1.kaspersky-labs.com
10.18.250.4 downloads-us2.kaspersky-labs.com
10.18.250.4 downloads-us3.kaspersky-labs.com
10.18.250.4 downloads1.kaspersky-labs.com
10.18.250.4 downloads2.kaspersky-labs.com
10.18.250.4 downloads3.kaspersky-labs.com
10.18.250.4 downloads4.kaspersky-labs.com
10.18.250.4 engine.awaps.net
10.18.250.4 f-secure.com
10.18.250.4 fastclick.net
10.18.250.4 ftp.avp.ch
10.18.250.4 ftp.downloads1.kaspersky-labs.com
10.18.250.4 ftp.downloads2.kaspersky-labs.com
10.18.250.4 ftp.downloads3.kaspersky-labs.com
10.18.250.4 ftp.f-secure.com
10.18.250.4 ftp.kasperskylab.ru
10.18.250.4 ftp.sophos.com
10.18.250.4 ids.kaspersky-labs.com
10.18.250.4 kaspersky-labs.com
10.18.250.4 kaspersky.com
10.18.250.4 liveupdate.symantec.com
10.18.250.4 liveupdate.symantecliveupdate.com
10.18.250.4 mast.mcafee.com
10.18.250.4 mcafee.com
10.18.250.4 media.fastclick.net
10.18.250.4 my-etrust.com
10.18.250.4 nai.com
10.18.250.4 networkassociates.com
10.18.250.4 norton.com
10.18.250.4 phx.corporate-ir.net
10.18.250.4 rads.mcafee.com
10.18.250.4 secure.nai.com
10.18.250.4 securityresponse.symantec.com
10.18.250.4 service1.symantec.com
10.18.250.4 sophos.com
10.18.250.4 spd.atdmt.com
10.18.250.4 symantec.com
10.18.250.4 trendmicro.com
10.18.250.4 update.symantec.com
10.18.250.4 updates.symantec.com
10.18.250.4 updates1.kaspersky-labs.com
10.18.250.4 updates2.kaspersky-labs.com
10.18.250.4 updates3.kaspersky-labs.com
10.18.250.4 updates4.kaspersky-labs.com
10.18.250.4 updates5.kaspersky-labs.com
10.18.250.4 us.mcafee.com
10.18.250.4 vil.nai.com
10.18.250.4 viruslist.com
10.18.250.4 viruslist.ru
10.18.250.4 virusscan.jotti.org
10.18.250.4 virustotal.com
10.18.250.4 www.avp.ch
10.18.250.4 www.avp.com
10.18.250.4 www.avp.ru
10.18.250.4 www.awaps.net
10.18.250.4 www.ca.com
10.18.250.4 www.f-secure.com
10.18.250.4 www.fastclick.net
10.18.250.4 www.grisoft.com
10.18.250.4 www.kaspersky-labs.com
10.18.250.4 www.kaspersky.com
10.18.250.4 www.kaspersky.ru
10.18.250.4 www.mcafee.com
10.18.250.4 www.my-etrust.com
10.18.250.4 www.nai.com
10.18.250.4 www.networkassociates.com
10.18.250.4 www.sophos.com
10.18.250.4 www.symantec.com
10.18.250.4 www.trendmicro.com
10.18.250.4 www.viruslist.com
10.18.250.4 www.viruslist.ru
10.18.250.4 www.virustotal.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
TypeLib Not Found.
C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\shell.exe Deleted
C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\spoolvs.exe Deleted
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\findfast.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted
C:\Program Files\Helper\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B4E5E761-2B18-4A48-9EA0-021ADC4D6644}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B4E5E761-2B18-4A48-9EA0-021ADC4D6644}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-05 11:03:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-02-05 17:03:45 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:19 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\AOL\1141758959\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1141758959\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {275118CC-5C18-4E3A-8064-21A02C2D2525} - C:\WINDOWS\system32\actxprx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1141758959\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [zuhwpgtc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zuhwpgtc.dll"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O21 - SSODL: SetupPrx - {9e4ed985-b39b-4c8e-a95e-a0341a65f6f7} - C:\WINDOWS\Installer\{9e4ed985-b39b-4c8e-a95e-a0341a65f6f7}\SetupPrx.dll
O21 - SSODL: zip - {f56290be-a5c7-4a9a-84a1-7cd2196a3449} - C:\WINDOWS\Installer\{f56290be-a5c7-4a9a-84a1-7cd2196a3449}\zip.dll
O21 - SSODL: KbdWin - {0170a502-0496-4434-b37c-597ffd7861b0} - C:\WINDOWS\Installer\{0170a502-0496-4434-b37c-597ffd7861b0}\KbdWin.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8660 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 giaexlym - c:\windows\system32\drivers\nnqvvtcn.dat
R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys <Not Verified; VERITAS Software, Inc.; >
R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys <Not Verified; VERITAS Software, Inc.; >
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndres - c:\windows\system32\dla\tfsndres.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys <Not Verified; VERITAS Software, Inc.; >
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S2 CDRPDACC (Arrowkey Device Access) - c:\program files\dvd x copy\shared\cdrpdacc.sys (file missing)
S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\windows\system32\drivers\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys (file missing)
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 PCTINDIS5 (PCTINDIS5 NDIS Protocol Driver) - c:\windows\system32\pctindis5.sys <Not Verified; PCTEL Inc.; PCTEL Rawether for Windows>
S3 usbser (Motorola USB Modem Driver) - c:\windows\system32\drivers\usbser.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-05 10:53:32 2186 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-05 10:42:43 110592 --a------ C:\Documents and Settings\All Users\Application Data\zuhwpgtc.dll
2008-02-05 10:41:55 0 d-------- C:\Program Files\rtczxswm
2008-02-05 00:29:02 18944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-02-05 00:23:39 0 d-------- C:\Program Files\Ultimate Defender
2008-02-05 00:13:04 11776 --a------ C:\Program Files\tmp273437.exe <Not Verified; Search2find LLC; Search2find>
2008-02-04 23:59:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-04 23:42:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-04 22:07:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-04 22:07:11 0 d-------- C:\Program Files\Webroot
2008-02-04 22:07:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-04 22:05:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-02-04 18:21:56 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-04 09:53:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-02 21:11:16 19584 --a------ C:\WINDOWS\system32\drivers\nnqvvtcn.dat
2008-02-02 21:11:01 98709 --a------ C:\Documents and Settings\Owner\Application Data\sysdefender.exe
2008-02-02 21:08:17 84992 --a------ C:\WINDOWS\system32\actxprx.dll
2008-02-02 12:57:56 29436 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-02-02 12:56:21 0 d-------- C:\Documents and Settings\Owner\Application Data\ultra
2008-02-02 12:54:23 9728 --a------ C:\Documents and Settings\Owner\Application Data\printer.exe
2008-01-27 07:56:18 27136 -r-hs---- C:\Program Files\lsass.exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>
2008-01-27 07:55:56 10240 --a------ C:\Program Files\spoolsv.exe <Not Verified; NoName Corp.; NNC module>


-- Find3M Report ---------------------------------------------------------------

2008-02-05 00:02:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-04 23:59:41 0 d-------- C:\Program Files\Belkin Bulldog Plus
2008-02-04 23:57:56 0 d-------- C:\Program Files\Lavasoft
2008-02-04 23:57:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-12-25 14:30:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 1.70GHz
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 253.98 MiB / 62.74 MiB
Pagefile Memory (total/avail): 432.66 MiB / 193.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.64 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 32.23 GiB total, 13.11 GiB free.
D: is Fixed (FAT32) - 5.02 GiB total, 1.22 GiB free.
E: is CDROM (No Media)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD400EB-11CPF0 - 37.27 GiB - 2 partitions
\PARTITION0 - Unknown - 5.03 GiB - D:
\PARTITION1 (bootable) - Installable File System - 32.23 GiB - C:

\\.\PHYSICALDRIVE1 - Memorex TD 2B USB Device - 235.33 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 237.98 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX00.469\\Bill.txt .exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\Rar$EX00.469\\Bill.txt .exe:*:Disabled:Bill.txt "
"C:\\Program Files\\Sunbelt Software\\iHateSpam\\siMailProxyServer.exe"="C:\\Program Files\\Sunbelt Software\\iHateSpam\\siMailProxyServer.exe:*:Enabled:siMailProxyServer"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\Common Files\\First Virtual Communications\\CUCore.exe"="C:\\Program Files\\Common Files\\First Virtual Communications\\CUCore.exe:*:Enabled:Conferencing Engine Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1141758959\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1141758959\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1141758959\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1141758959\\EE\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LARRY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
  • 0

#4
Larrytom2

Larrytom2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Pc is still very slow and appears to be accessing the hard drive constantly.
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\Installer\{9e4ed985-b39b-4c8e-a95e-a0341a65f6f7}\SetupPrx.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\Installer\{9e4ed985-b39b-4c8e-a95e-a0341a65f6f7}\SetupPrx.dll

  • Click Open.
  • Click Post.
Thank you!


Repeat that for this file

C:\WINDOWS\Installer\{0170a502-0496-4434-b37c-597ffd7861b0}\KbdWin.dll



Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#6
Larrytom2

Larrytom2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the next set of logs.

ComboFix 08-02.05.3 - Owner 2008-02-05 19:56:06.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\printer.exe
C:\Documents and Settings\Owner\Application Data\ultra
C:\Documents and Settings\Owner\Application Data\ultra\uninstall.bat
C:\Program Files\lsass.exe
C:\Program Files\spoolsv.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Defender
C:\WINDOWS\IA
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\actxprx.dll
C:\WINDOWS\system32\drivers\nnqvvtcn.dat
C:\WINDOWS\system32\wowfx.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GIAEXLYM
-------\giaexlym


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 12:15 . 2004-08-04 01:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-02-05 12:15 . 2001-08-17 13:52 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2008-02-05 12:15 . 2002-08-29 00:59 32,384 --a--c--- C:\WINDOWS\system32\dllcache\usb101et.sys
2008-02-05 12:15 . 2004-08-04 01:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-05 12:15 . 2004-08-04 01:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-05 12:15 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-02-05 12:15 . 2001-08-17 13:28 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2008-02-05 12:14 . 2004-08-04 02:56 82,432 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-02-05 12:14 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-02-05 12:12 . 2004-08-04 00:59 43,136 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-02-05 12:11 . 2001-08-17 22:36 86,097 --a--c--- C:\WINDOWS\system32\dllcache\reslog32.dll
2008-02-05 12:11 . 2004-08-04 00:59 79,104 --a--c--- C:\WINDOWS\system32\dllcache\rocket.sys
2008-02-05 12:09 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-02-05 12:08 . 2001-08-18 06:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-05 12:07 . 2001-08-18 06:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-02-05 12:06 . 2001-08-18 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-05 12:05 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-02-05 12:04 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-02-05 12:03 . 2001-08-17 22:36 256,512 --a--c--- C:\WINDOWS\system32\dllcache\devcon32.dll
2008-02-05 12:02 . 2001-08-18 06:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-05 12:01 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2008-02-05 12:00 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-02-05 11:59 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys
2008-02-05 11:58 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-02-05 11:58 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2008-02-05 11:58 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-02-05 11:58 . 2004-08-04 01:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-02-05 11:58 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2008-02-05 11:25 . 2008-02-05 11:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-05 11:24 . 2008-02-05 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 11:03 . 2008-02-05 11:03 <DIR> d-------- C:\Deckard
2008-02-05 10:53 . 2008-02-05 10:53 2,186 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-05 10:42 . 2008-02-05 10:42 110,592 --a------ C:\Documents and Settings\All Users\Application Data\zuhwpgtc.dll
2008-02-05 10:41 . 2008-02-05 10:41 <DIR> d-------- C:\Program Files\rtczxswm
2008-02-05 00:29 . 2005-06-17 17:06 18,944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-02-05 00:13 . 2008-02-05 00:13 11,776 --a------ C:\Program Files\tmp273437.exe
2008-02-04 23:59 . 2008-02-05 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-04 23:42 . 2008-02-04 23:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Program Files\Webroot
2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-04 22:07 . 2008-02-04 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-04 22:07 . 2007-01-25 21:57 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-04 22:07 . 2007-01-25 21:57 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-04 22:07 . 2007-01-25 21:57 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-04 22:07 . 2007-01-25 21:57 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2008-02-04 22:05 . 2008-02-04 22:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-02-04 20:04 . 2008-02-04 20:04 269,334 --a------ C:\WINDOWS\system32\jqhsfql.bmp
2008-02-04 18:47 . 2008-02-04 18:47 269,334 --a------ C:\WINDOWS\system32\hgfqdkjehknmh.bmp
2008-02-04 18:25 . 2008-02-04 18:25 269,334 --a------ C:\WINDOWS\system32\hgnqtojap.bmp
2008-02-04 18:21 . 2008-02-05 00:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-04 18:19 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-04 18:19 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-04 17:55 . 2008-02-04 17:55 269,334 --a------ C:\WINDOWS\system32\nqtsjep.bmp
2008-02-04 17:49 . 2008-02-04 17:49 269,334 --a------ C:\WINDOWS\system32\jqlorel.bmp
2008-02-04 17:42 . 2008-02-04 17:42 269,334 --a------ C:\WINDOWS\system32\kbehofqh.bmp
2008-02-04 10:43 . 2008-02-04 10:43 269,334 --a------ C:\WINDOWS\system32\fmtknap.bmp
2008-02-04 10:10 . 2008-02-05 00:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-04 10:02 . 2008-02-04 10:02 269,334 --a------ C:\WINDOWS\system32\bipgfil.bmp
2008-02-04 09:53 . 2008-02-04 09:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-04 09:46 . 2008-02-04 09:46 269,334 --a------ C:\WINDOWS\system32\hsfmp.bmp
2008-02-04 09:18 . 2008-02-04 09:18 269,334 --a------ C:\WINDOWS\system32\ipgrqpgjmh.bmp
2008-02-04 09:15 . 2008-02-04 09:15 269,334 --a------ C:\WINDOWS\system32\knelkralgrqpcf.bmp
2008-02-03 10:08 . 2008-02-03 10:08 269,334 --a------ C:\WINDOWS\system32\hcjelsrelsnap.bmp
2008-02-02 21:11 . 2005-06-02 04:16 98,709 --a------ C:\Documents and Settings\Owner\Application Data\sysdefender.exe
2008-02-02 21:07 . 2008-02-02 21:07 269,334 --a------ C:\WINDOWS\system32\cnitgbalcrepor.bmp
2008-02-02 12:57 . 2008-02-02 12:57 269,334 --a------ C:\WINDOWS\system32\netobipgb.bmp
2008-02-02 12:57 . 2008-02-02 12:57 29,436 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-02-02 12:54 . 2005-07-07 05:43 18,944 --a------ C:\WINDOWS\system32\wowfx.baddll
2008-02-02 12:49 . 2008-02-05 00:23 160,560 --a------ C:\Program Files\udefender_setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 06:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 06:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 06:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-02-05 05:59 --------- d-----w C:\Program Files\Belkin Bulldog Plus
2008-02-05 05:57 --------- d-----w C:\Program Files\Lavasoft
2008-02-05 05:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2004-09-13 22:56 447,696 ----a-w C:\Documents and Settings\Temp\MsnMusic.exe
2004-09-02 22:40 57,344 ----a-w C:\Documents and Settings\Temp\InstHelp.dll
2004-08-17 05:21 245,408 ----a-w C:\Documents and Settings\Temp\unicows.dll
2004-08-11 06:45 819,200 ----a-w C:\Documents and Settings\Temp\setup_wm.exe
2001-08-18 12:00 94,784 --sha-w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sha-w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{275118CC-5C18-4E3A-8064-21A02C2D2525}]
C:\WINDOWS\system32\actxprx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"POINTER"="point32.exe" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 33280 C:\WINDOWS\system32\rundll32.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1141758959\ee\AOLSoftware.exe" [2006-09-25 18:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 06:50 71216]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-02-05 11:24 406016]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 01:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2008-02-05 11:24 146432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet d series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe [2002-03-05 03:28:42 491582]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:57, on 2008-02-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Common Files\AOL\1141758959\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1141758959\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {275118CC-5C18-4E3A-8064-21A02C2D2525} - C:\WINDOWS\system32\actxprx.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1141758959\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\ServicePackFiles\i386\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O21 - SSODL: SetupPrx - {9e4ed985-b39b-4c8e-a95e-a0341a65f6f7} - C:\WINDOWS\Installer\{9e4ed985-b39b-4c8e-a95e-a0341a65f6f7}\SetupPrx.dll
O21 - SSODL: zip - {f56290be-a5c7-4a9a-84a1-7cd2196a3449} - C:\WINDOWS\Installer\{f56290be-a5c7-4a9a-84a1-7cd2196a3449}\zip.dll
O21 - SSODL: KbdWin - {0170a502-0496-4434-b37c-597ffd7861b0} - C:\WINDOWS\Installer\{0170a502-0496-4434-b37c-597ffd7861b0}\KbdWin.dll
O21 - SSODL: KernelRunOnce - {22f0c2f2-98ee-4aa0-8025-28d846697ff1} - C:\WINDOWS\Installer\{22f0c2f2-98ee-4aa0-8025-28d846697ff1}\KernelRunOnce.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9143 bytes
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\Installer\{22f0c2f2-98ee-4aa0-8025-28d846697ff1}\KernelRunOnce.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\Installer\{22f0c2f2-98ee-4aa0-8025-28d846697ff1}\KernelRunOnce.dll

  • Click Open.
  • Click Post.
Thank you!



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\All Users\Application Data\zuhwpgtc.dll
C:\WINDOWS\system32\wowfx.dll
C:\Program Files\tmp273437.exe
C:\WINDOWS\system32\jqhsfql.bmp
C:\WINDOWS\system32\hgfqdkjehknmh.bmp
C:\WINDOWS\system32\hgnqtojap.bmp
C:\WINDOWS\system32\nqtsjep.bmp
C:\WINDOWS\system32\jqlorel.bmp
C:\WINDOWS\system32\kbehofqh.bmp
C:\WINDOWS\system32\fmtknap.bmp
C:\WINDOWS\system32\hsfmp.bmp
C:\WINDOWS\system32\ipgrqpgjmh.bmp
C:\WINDOWS\system32\knelkralgrqpcf.bmp
C:\WINDOWS\system32\hcjelsrelsnap.bmp
C:\Documents and Settings\Owner\Application Data\sysdefender.exe
C:\WINDOWS\system32\cnitgbalcrepor.bmp
C:\WINDOWS\system32\netobipgb.bmp
C:\WINDOWS\system32\wowfx.baddll
C:\Program Files\udefender_setup.exe
C:\WINDOWS\system32\actxprx.dll
C:\WINDOWS\Installer\{9e4ed985-b39b-4c8e-a95e-a0341a65f6f7}\SetupPrx.dll
C:\WINDOWS\Installer\{f56290be-a5c7-4a9a-84a1-7cd2196a3449}\zip.dll
C:\WINDOWS\Installer\{0170a502-0496-4434-b37c-597ffd7861b0}\KbdWin.dll
C:\WINDOWS\Installer\{22f0c2f2-98ee-4aa0-8025-28d846697ff1}\KernelRunOnce.dll

Folder::
C:\Program Files\rtczxswm


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Reboot and post a new HijackThis log
  • 0

#8
Larrytom2

Larrytom2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Rorschach112,

I wanted to let you know I was still having major problems after your last suggestion. After 3 days of fighting with this I decided to copy off all the data to an external drive. I am going to reinstall windows and restore the data. If I am having problems at that point I will create a new posting with the hijack log. I wanted to thank you for your time and effort.

Larry
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No problem

Let me know if you want some security tips to prevent this happening again
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP