REd circle white X (same exact problem as Mully) [RESOLVED]


This topic is locked

#1
ndfan53
Member, 13 posts
I am having the exact same problem as mully215. I tried to go through and do what someone told him, but it still has not worked.

post Feb 20 2008, 03:35 AM
Operating System: xp



I have been researching the problem with this malware and have tried a few different approaches. The problem I am stuck with now is that I am trying to install HijackThis and it won't let me open or execute the file. I am just guessing that is because of the malware. I am just not sure where to go from here.

It is just the red circle with white X in my toolbar and says that my computer is infected.

I have Windows XP SP2.

My log from the Silent Runners program is this.
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BackupNotify" = "c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [file not found]
"Weather" = "C:\Program Files\AWS\WeatherBug\Weather.exe 1" ["AWS Convergence Technologies, Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8" [file not found]
"PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" ["Simple Star, Inc."]
"Aim6" = ""C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp" ["AOL LLC"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Salestart" = ""C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com" [null data]
"braviax" = "braviax.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{393C2547-B2AB-422C-87AF-385238C73416}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\iifcyyv.dll" [null data]
{A95B2816-1D7E-4561-A202-68C0DE02353A}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\petxxzdo.dll" [null data]
{DE0BD930-0D27-43B6-87BB-E215428D8B74}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\awvvw.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{393C2547-B2AB-422C-87AF-385238C73416}" = "*a" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\iifcyyv.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "cru629.dat" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> addisk\DLLName = "C:\WINDOWS\inf\addisk.dll" [file not found]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> iifcyyv\DLLName = "iifcyyv.dll" [null data]
<<!>> petxxzdo\DLLName = "petxxzdo.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"SpecifyDefaultButtons" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Btn_Search" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoBandCustomize" = (REG_DWORD) dword:0x00000000
{Disable customizing browser toolbars}

"NoToolbarCustomize" = (REG_DWORD) dword:0x00000000
{Disable customizing browser toolbar buttons}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShareWallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\All Languages\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Danish\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Dutch\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\English\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\English International\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Finish\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\German\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Italian\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Norwegian\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\OEM Option 1\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Portuguese\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Spanish\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Swedish\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\Turkish\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\I386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\TOOLS\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]

D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"DING!" -> shortcut to: "C:\Program Files\Southwest Airlines\Ding\Ding.exe" ["Southwest Airlines"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -hx" [null data]


Enabled Scheduled Tasks:
------------------------

"AC48126991878511" -> launches: "c:\progra~1\stupid~1\axis mapi play.exe" [file not found]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"SpyWareKiller" -> launches: "C:\Program Files\Anonymizer\sk\SpyWareKiller.exe SCHED" [file not found]
"XoftSpySE 2" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe ShowReminders" [file not found]
"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 53
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}"
-> {HKLM...CLSID} = "AIM Search"
\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" ["America Online, Inc"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "hp view"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]

{F47C1DB5-ED21-4DC1-853E-D1495792D4C5}\
"ButtonText" = "Bodog Poker"
"Exec" = "C:\Program Files\Bodog Poker\BPGame.exe" [file not found]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
perfmons Service, perfmons, "C:\WINDOWS\system32\perfs.exe" [empty string]
Routing Service, Routing, "C:\WINDOWS\system32\routing.exe" [empty string]
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-02-23 17:21:00)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 140 seconds.
---------- (total run time: 204 seconds)

Edited by ndfan53, 23 February 2008 - 06:00 PM.

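As an added example (not part of the original post, the Silent Runners script, or anything the helpers posted), here is a Python triage pass over the log format shown above. It relies only on markers the tool itself emits: `<<!>>` for launch points the script considers suspicious, and `[null data]`, `[file not found]` and `[empty string]` where the module has no company/version tag to verify. The excerpt embedded in the block is taken from the log above and trimmed to a few entries, with benign lines kept as controls. One caveat the code encodes: `<<!>>` on its own is not proof of anything, because Silent Runners marks every Winlogon\Notify entry, including Intel's igfxcui, so the `high_confidence` filter requires the tool flag and a missing vendor tag together.

```python
"""Triage pass over a Silent Runners log.

Added example for this thread, not part of the Silent Runners script or of
any post above. It relies only on markers the tool itself prints:
  <<!>>              the tool's own "suspicious data at a malware launch point"
  [null data]        module exists but carries no company/version resource
  [file not found]   launch point references a module that is not on disk
  [empty string]     service binary with an empty company field
"""
import re
from dataclasses import dataclass

TOOL_FLAG = "<<!>>"
WEAK_TAGS = ("[null data]", "[file not found]", "[empty string]")

# Section heading such as "Startup items buried in registry:" (no backslashes,
# ends in a colon). Registry keys and file paths contain backslashes, so they never match.
HEADING_RE = re.compile(r"^([A-Za-z][^\\]*?):\s*$")
# Registry key line such as "HKLM\SOFTWARE\...\Run\ {++}"; keys end in a backslash.
KEY_RE = re.compile(r"^(HK(?:LM|CU)\\.*\\)\s*(?:\{\+\+\})?\s*$")


@dataclass(frozen=True)
class Finding:
    heading: str      # report section the entry was listed under
    key: str          # registry key the entry lives in ("" for non-registry sections)
    entry: str        # the raw log line
    reasons: tuple    # which markers triggered


def triage(log_text):
    """Return every entry carrying a tool flag or a weak vendor tag, in log order."""
    findings, heading, key = [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank line or heading underline
            continue
        if (m := HEADING_RE.match(line)):
            heading, key = m.group(1), ""
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            continue
        reasons = tuple(tag for tag in (TOOL_FLAG, *WEAK_TAGS) if tag in line)
        if reasons:
            findings.append(Finding(heading, key, line, reasons))
    return findings


def high_confidence(findings):
    """Entries the tool flagged AND whose module has no verifiable vendor tag.

    <<!>> alone is not enough: Silent Runners marks every Winlogon\\Notify
    entry, including vendor-tagged ones such as Intel's igfxcui."""
    return [f for f in findings if TOOL_FLAG in f.reasons and len(f.reasons) > 1]


def summarize(findings):
    """Count findings per report section."""
    counts = {}
    for f in findings:
        counts[f.heading] = counts.get(f.heading, 0) + 1
    return counts


# Excerpt of the log posted above, trimmed to a few entries (benign ones kept
# as controls). Backslashes are literal, hence the raw string.
SAMPLE_LOG = r"""
Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BackupNotify" = "c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"braviax" = "braviax.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "cru629.dat" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> iifcyyv\DLLName = "iifcyyv.dll" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
perfmons Service, perfmons, "C:\WINDOWS\system32\perfs.exe" [empty string]
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    strong = high_confidence(found)
    for f in found:
        print(f"[{'!' if f in strong else ' '}] {f.heading} | {f.key} | {f.entry}")
    print(summarize(found))
```

Run it as a script against a saved log (`triage(open("log.txt").read())`) to get the flagged entries grouped by section; the `!` rows are the ones worth checking first, the rest are leads that need the file on disk or a hash lookup before acting on them.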
#2
kahdah
GeekU Teacher, Retired Staff, 15,822 posts
Hello ndfan53

Welcome to G2Go. :)
==================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

(If it will not run, rename dss.exe to Kahdah.exe and then it will run.)

#3
ndfan53
Topic Starter, Member, 13 posts
Thank you so much for replying. I did have to change the file name to kahdah.exe. Here is the main and extra Notepad text. Again, I thank you for your help.


Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-24 12:09:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
90: 2008-02-24 18:09:33 UTC - RP1361 - Deckard's System Scanner Restore Point
89: 2008-02-24 03:10:39 UTC - RP1360 - System Checkpoint
88: 2008-02-23 03:06:17 UTC - RP1359 - Software Distribution Service 3.0
87: 2008-02-23 01:04:47 UTC - RP1358 - Software Distribution Service 3.0
86: 2008-02-22 22:42:21 UTC - RP1357 - Restore Operation


-- First Restore Point --
1: 2007-11-27 03:12:22 UTC - RP1272 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-24 12:14:26
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\StorageProtector\strpmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\kahdah.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {393C2547-B2AB-422C-87AF-385238C73416} - C:\WINDOWS\system32\iifcyyv.dll
O2 - BHO: (no name) - {8E05A1B5-3A51-4F02-ABFF-4FAF65FB0D5B} - C:\WINDOWS\system32\awvvw.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\petxxzdo.dll
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\xrafhbrg.dll",b
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134326940812
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: addisk - C:\WINDOWS\inf\addisk.dll (file missing)
O20 - Winlogon Notify: iifcyyv - C:\WINDOWS\system32\iifcyyv.dll
O20 - Winlogon Notify: petxxzdo - C:\WINDOWS\system32\petxxzdo.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 7813 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ905>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 SYMIDSCO - c:\windows\system32\drivers\symidsco.sys (file missing)
S3 USBCM (Netgear CG814 USB Cable Modem NDIS Driver) - c:\windows\system32\drivers\639428.sys <Not Verified; ; USB Cable Modem Driver 1.9>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 perfmons (perfmons Service) - c:\windows\system32\perfs.exe
R2 Routing (Routing Service) - c:\windows\system32\routing.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-24 12:07:50 448 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2008-02-24 12:00:00 234 --ah----- C:\WINDOWS\Tasks\AC48126991878511.job
2008-02-24 02:00:00 326 --a------ C:\WINDOWS\Tasks\SpyWareKiller.job
2008-02-23 15:17:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-23 07:35:34 362 --a------ C:\WINDOWS\Tasks\XoftSpySE.job
2004-02-18 11:31:21 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-01-24 and 2008-02-24 -----------------------------

2008-02-24 07:21:40 90176 --a------ C:\WINDOWS\system32\splsxwwb.dll
2008-02-24 07:18:45 86592 --a------ C:\WINDOWS\system32\xrafhbrg.dll
2008-02-23 17:32:02 6144 --a------ C:\WINDOWS\system32\cru629.dat
2008-02-23 17:32:02 13312 --a------ C:\WINDOWS\system32\braviax.exe
2008-02-23 17:32:02 6144 --a------ C:\WINDOWS\cru629.dat
2008-02-23 14:14:26 0 d-------- C:\Program Files\Trend Micro
2008-02-23 11:05:15 0 dr------- C:\Documents and Settings\All Users\Application Data\storageprotector
2008-02-23 11:05:06 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-23 11:05:03 0 d-------- C:\Program Files\Common Files\StorageProtector
2008-02-23 07:16:34 163904 --a------ C:\WINDOWS\system32\petxxzdo.dll
2008-02-22 19:28:27 13312 --a------ C:\WINDOWS\braviax.exe
2008-02-22 18:08:13 32256 --a------ C:\WINDOWS\system32\routing.exe
2008-02-22 18:07:31 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-22 18:07:30 45056 --a------ C:\WINDOWS\system32\Indt2.sys <Not Verified; b; >
2008-02-22 18:07:28 265728 --a------ C:\WINDOWS\system32\andt.sys
2008-02-22 18:04:47 186880 --a------ C:\WINDOWS\system32\perfs.exe
2008-02-22 16:03:03 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-02-22 16:02:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-02-22 15:56:58 12473 --a------ C:\Program Files\Common Files\zofepog.pif
2008-02-22 15:56:58 16733 --a------ C:\Documents and Settings\All Users\Application Data\akiwifapy.vbs
2008-02-22 15:56:57 18362 --a------ C:\WINDOWS\unuhe.pif
2008-02-22 15:56:57 14751 --a------ C:\WINDOWS\system32\ijocihyzu.pif
2008-02-22 15:56:57 10188 --a------ C:\WINDOWS\nomowawet.scr
2008-02-22 15:56:57 17063 --a------ C:\WINDOWS\azugi.com
2008-02-22 15:56:57 19158 --a------ C:\Program Files\Common Files\wepevalupa.reg
2008-02-22 15:56:57 18444 --a------ C:\Program Files\Common Files\udyw.dat
2008-02-22 15:56:57 13782 --a------ C:\Program Files\Common Files\iwexyhybak.reg
2008-02-22 15:56:57 16650 --a------ C:\Documents and Settings\Owner\Application Data\nabijezaja.pif
2008-02-22 15:56:57 19763 --a------ C:\Documents and Settings\All Users\Application Data\gyjucano.com
2008-02-22 14:43:16 0 d-------- C:\Program Files\Enigma Software Group
2008-02-22 14:26:14 243323 --ahs---- C:\WINDOWS\system32\wvvwa.ini2
2008-02-22 14:26:08 292352 --a------ C:\WINDOWS\system32\awvvw.dll
2008-02-22 14:23:30 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-02-22 14:21:35 6656 --a------ C:\WINDOWS\system32\users32.dat
2008-02-22 14:21:32 308712 --a------ C:\WINDOWS\system32\winistr.exe
2008-02-22 14:19:24 273410 --a------ C:\Q160099062.exe
2008-02-22 14:19:18 3584 --a------ C:\qrwkjyd.exe
2008-02-22 14:19:16 33115 --a------ C:\qsdjpwpb.exe
2008-02-22 14:19:15 58368 --a------ C:\wpohl.exe
2008-02-22 14:19:15 50176 --a------ C:\arbfikac.exe
2008-02-22 14:19:09 36864 --a------ C:\WINDOWS\mrofinu1535.exe
2008-02-22 14:19:09 36864 --a------ C:\WINDOWS\17PHolmes1535.exe
2008-02-22 14:18:50 41984 --a------ C:\WINDOWS\system32\iifcyyv.dll
2008-02-17 09:56:37 0 d-------- C:\Documents and Settings\Owner\temp
2008-02-17 09:56:18 0 d--h----- C:\Documents and Settings\Owner\QMCache00
2008-02-17 09:56:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2008-01-24 16:39:53 0 d-------- C:\Program Files\iTunes
2008-01-24 16:39:14 0 d-------- C:\Program Files\Bonjour
2008-01-24 16:37:14 0 d-------- C:\Program Files\Apple Software Update
2008-01-24 16:36:52 0 d-------- C:\Program Files\Common Files\Apple
2008-01-24 16:36:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-02-23 11:05:03 0 d-------- C:\Program Files\Common Files
2008-02-23 08:07:22 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-02-22 21:04:57 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-22 17:53:46 0 d-------- C:\Program Files\uTorrent
2008-02-22 16:40:17 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-22 15:56:57 12987 --a------ C:\Documents and Settings\Owner\Application Data\alym.dl
2008-02-22 14:51:54 0 d-------- C:\Program Files\Yahoo!
2008-02-22 05:51:55 0 d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-01-24 16:40:10 0 d-------- C:\Program Files\iPod
2008-01-24 16:38:46 0 d-------- C:\Program Files\QuickTime
2008-01-20 18:59:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-20 15:41:58 0 d-------- C:\Documents and Settings\Owner\Application Data\TomTom
2008-01-20 15:41:47 0 d-------- C:\Program Files\TomTom HOME


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{393C2547-B2AB-422C-87AF-385238C73416}]
02/22/2008 02:18 PM 41984 --a------ C:\WINDOWS\system32\iifcyyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E05A1B5-3A51-4F02-ABFF-4FAF65FB0D5B}]
02/22/2008 02:26 PM 292352 --a------ C:\WINDOWS\system32\awvvw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
02/23/2008 07:16 AM 163904 --a------ C:\WINDOWS\system32\petxxzdo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Salestart"="C:\Program Files\Common Files\StorageProtector\strpmon.exe" [12/04/2007 02:49 PM]
"20ddfb3d"="C:\WINDOWS\system32\xrafhbrg.dll" [02/24/2008 07:18 AM]
"braviax"="braviax.exe" [02/23/2008 05:32 PM C:\WINDOWS\system32\braviax.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [01/06/2006 09:57 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [05/09/2005 05:16 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [10/04/2007 09:20 AM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [6/22/2006 1:15:48 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [7/22/2005 3:47:22 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{393C2547-B2AB-422C-87AF-385238C73416}"= C:\WINDOWS\system32\iifcyyv.dll [02/22/2008 02:18 PM 41984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addisk]
C:\WINDOWS\inf\addisk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcyyv]
iifcyyv.dll 02/22/2008 02:18 PM 41984 C:\WINDOWS\system32\iifcyyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\petxxzdo]
petxxzdo.dll 02/23/2008 07:16 AM 163904 C:\WINDOWS\system32\petxxzdo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvvw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 3.8.5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 3.8.5.lnk
backup=C:\WINDOWS\pss\LimeWire 3.8.5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Organize.lnk
backup=C:\WINDOWS\pss\Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]
C:\WINDOWS\alchem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Breg]
"C:\Program Files\Common Files\Java\breg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTV]
C:\Program Files\BTV\btv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperBrwsr]
C:\WINDOWS\dhbrwsr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate]
C:\WINDOWS\DHUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jreg]
"C:\Program Files\Common Files\Java\Jreg2b.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Less Fork Up 16]
C:\Documents and Settings\All Users\Application Data\Soap axis less fork\EachMags.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
C:\Program Files\LimeShop\LimeShoprun.exe /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Love Mess]
C:\PROGRA~1\stupid frag\Plan Aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\windows\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfferApp]
C:\Program Files\OfferApp\OfferApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdliokoipbumg]
C:\WINDOWS\System32\hueeqq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRIVANAL]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRIVMGR]
C:\Program Files\Anonymizer\Privacy Manager\privmgr.exe /min /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPYKILLER]
C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
C:\WINDOWS\wupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windriv]
C:\WINDOWS\System32\windriv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winspool]
C:\WINDOWS\System32\spoolsvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\Program Files\Common Files\WinTools\WToolsA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wzkrwv]
C:\WINDOWS\wzkrwv.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-02-24 12:16:13 ------------


Extra


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 503.29 MiB / 272.64 MiB
Pagefile Memory (total/avail): 1230.62 MiB / 954.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.11 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 143.53 GiB total, 62.91 GiB free.
D: is Fixed (FAT32) - 5.5 GiB total, 0.94 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3160021A - 149.05 GiB - 2 partitions
\PARTITION0 - Unknown - 5.52 GiB - D:
\PARTITION1 (bootable) - Installable File System - 143.53 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OTTFAMILY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OTTFAMILY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0303
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OTTFAMILY
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AIM Toolbar --> C:\Program Files\AIM Toolbar\uninstall.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Azureus --> C:\Program Files\Azureus\Uninstall.exe
BetUS Poker --> C:\Program Files\BetUSPoker\uninstall.exe
Blues Clues School --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{242D10CF-8093-11D7-AD8E-0050DA87D0EB}\SETUP.EXE" -l0x9
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Bounce Symphony from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe"
CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Comcast PhotoShow Deluxe 4 --> "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\Uninstall.exe"
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
DING! --> MsiExec.exe /X{84031A18-BA9A-4156-A74F-E05B52DDFCE2}
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDFab Platinum 3.0.9.8 Ghosthunter release --> "C:\Program Files\DVDFab Platinum 3\unins000.exe"
EA SPORTS online 2004 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
ESPN Toolbar --> C:\PROGRA~1\ESPN\Toolbar\UNWISE.EXE /u C:\PROGRA~1\ESPN\Toolbar\INSTALL.LOG
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
First Step Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C797EAF2-707A-4239-BDF3-F2672314A734}\setup.exe" -l0x9 UNINSTALL
Frogger v1.0 --> C:\WINDOWS\SCEEunin.exe C:\WINDOWS\Froggersetup.ini
FTapp (remove only) --> "c:\Program Files\Xmod\uninst.exe"
Game Elements PC Recoil Pad --> C:\PROGRA~1\GAMEEL~1\UNWISE.EXE C:\PROGRA~1\GAMEEL~1\INSTALL.LOG
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPRFO --> MsiExec.exe /I{AADAC983-FDE9-42FA-8FD9-7BB324155593}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{CC0A24CB-87C9-4F1C-A1F2-F87D8D4DDCAF}
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140011_1cf8f\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Lexmark X5100 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBAUN5C.EXE -dLexmark X5100 Series
LimeWire --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA49DF26-5FA8-4200-9821-B747BAC516AE}
LimeWire 4.9.37 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Madagascar --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{0FB261F3-6F16-43FD-A404-F377C169B937}
Media Studio for iPod® and iPhone® 3.5 --> C:\PROGRA~1\Makayama.com\MEDIAS~1\Setup.exe /remove /q0
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Morris --> C:\PROGRA~1\eGames\Morris\UNWISE.EXE C:\PROGRA~1\eGames\Morris\INSTALL.LOG
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Multimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{145CACAF-9B34-41FC-BE49-7D510A253E78}
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nine Men's Morris --> C:\PROGRA~1\eGames\NINEME~1\UNWISE.EXE C:\PROGRA~1\eGames\NINEME~1\INSTALL.LOG
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NVIDIA GART Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver
OfferApp --> "C:\Program Files\Common Files\OfferApp\OfferApp.exe" /u
Orbital from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\62067F4C-84A9-45B9-8573-B90468B0A3EF\Uninstall.exe"
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Otto from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\BFBCBAE3-8293-4215-9C4F-C2402C118EDB\Uninstall.exe"
Overball from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6723E59E-322A-417A-8E03-27A61E18253C\Uninstall.exe"
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Quicken 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Slyder from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A\Uninstall.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
toolkit --> c:\Windows\HPTK\unhptkit.exe
TurboTax Deluxe 2004 --> C:\Program Files\TurboTax\Deluxe 2004\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2004\Uninstall.log" -NoGui
TurboTax Deluxe 2005 --> C:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui
TVUPlayer 2.2.1.30 Beta --> C:\Program Files\TVUPlayer\uninst.exe
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
WeatherBug Browser Bar - powered by MyWebSearch --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\w6Bar.dll,O
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
WildTangent Multiplayer Library --> C:\WINDOWS\wt\updater\wcmdmgr.exe -uninstall wtdmmp
WildTangent Updater --> C:\WINDOWS\wt\updater\wcmdmgr.exe -uninstall wcmdmgr.exe
WildTangent Web Driver --> C:\WINDOWS\wt\updater\wcmdmgr.exe -uninstall wtwebdriver
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S


-- Application Event Log -------------------------------------------------------

Event Record #/Type16417 / Error
Event Submitted/Written: 02/23/2008 06:50:43 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application andt.sys, version 2.0.1.101, faulting module rtl60.bpl, version 6.0.6.240, fault address 0x0000226b.
Processing media-specific event for [andt.sys!ws!]

Event Record #/Type16416 / Error
Event Submitted/Written: 02/23/2008 06:46:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application andt.sys, version 2.0.1.101, faulting module rtl60.bpl, version 6.0.6.240, fault address 0x000024d0.
Processing media-specific event for [andt.sys!ws!]

Event Record #/Type16369 / Error
Event Submitted/Written: 02/23/2008 07:47:44 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module user32.dll, version 5.1.2600.3099, fault address 0x00019a3e.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type16356 / Error
Event Submitted/Written: 02/23/2008 07:15:32 AM / 02/23/2008 07:15:33 AM
Event ID/Source: 1004 / Application Error
Event Description:
Faulting application services.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Error in creating result PEAP-TLV in response to received PEAP-TLV (services.exe!ld!)

Event Record #/Type16346 / Error
Event Submitted/Written: 02/22/2008 09:23:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type53068 / Warning
Event Submitted/Written: 02/24/2008 00:09:33 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type53050 / Error
Event Submitted/Written: 02/24/2008 00:08:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The nVidia WDM A/V Crossbar service failed to start due to the following error:
%%1058

Event Record #/Type53049 / Error
Event Submitted/Written: 02/24/2008 00:08:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The nVidia WDM Video Capture (universal)
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You have a very badly infected machine.
You have a few rootkits and a few backdoors, as well as multiple other spyware applications.
I suggest that, from a non-infected machine, you change any banking passwords or passwords for online financial transfers.
Do not use this computer for any kind of financial transactions.
Please follow all of these steps in order to ensure that everything goes right.
This mess will be cleaned up. :)
=====================================
First:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum.
=================================================================
Then:

It is important that you paste the file paths below under the yellow bar, or it will not work correctly.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\iifcyyv.dll
    C:\WINDOWS\system32\awvvw.dll
    C:\WINDOWS\system32\petxxzdo.dll
    C:\Program Files\Common Files\StorageProtector
    C:\WINDOWS\system32\xrafhbrg.dll
    C:\WINDOWS\system32\perfs.exe
    C:\WINDOWS\system32\routing.exe
    c:\program files\viewpoint
    C:\WINDOWS\Tasks\AC48126991878511.job
    C:\WINDOWS\system32\splsxwwb.dll
    C:\WINDOWS\system32\xrafhbrg.dll
    C:\WINDOWS\system32\cru629.dat
    C:\WINDOWS\system32\braviax.exe
    C:\WINDOWS\cru629.dat
    C:\Documents and Settings\All Users\Application Data\storageprotector
    C:\Documents and Settings\All Users\Application Data\SalesMon
    C:\Program Files\Common Files\StorageProtector
    C:\WINDOWS\system32\petxxzdo.dll
    C:\WINDOWS\braviax.exe
    C:\WINDOWS\system32\drmgs.sys
    C:\WINDOWS\system32\Indt2.sys 
    C:\WINDOWS\system32\andt.sys
    C:\Program Files\Common Files\zofepog.pif
    C:\Documents and Settings\All Users\Application Data\akiwifapy.vbs
    C:\WINDOWS\unuhe.pif
    C:\WINDOWS\system32\ijocihyzu.pif
    C:\WINDOWS\nomowawet.scr
    C:\WINDOWS\azugi.com
    C:\Program Files\Common Files\wepevalupa.reg
    C:\Program Files\Common Files\udyw.dat
    C:\Program Files\Common Files\iwexyhybak.reg
    C:\Documents and Settings\Owner\Application Data\nabijezaja.pif
    C:\Documents and Settings\All Users\Application Data\gyjucano.com
    C:\WINDOWS\system32\wvvwa.ini2
    C:\WINDOWS\system32\awvvw.dll
    C:\WINDOWS\system32\users32.dat
    C:\WINDOWS\system32\winistr.exe
    C:\Q160099062.exe
    C:\qrwkjyd.exe
    C:\qsdjpwpb.exe
    C:\wpohl.exe
    C:\arbfikac.exe
    C:\WINDOWS\mrofinu1535.exe
    C:\WINDOWS\17PHolmes1535.exe
    C:\WINDOWS\system32\iifcyyv.dll
    C:\Documents and Settings\Owner\Application Data\alym.dl
    C:\WINDOWS\inf\addisk.dll 
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
    C:\WINDOWS\alchem.exe
    C:\Program Files\Common Files\Java\breg.exe
    C:\Program Files\BTV
    C:\WINDOWS\dhbrwsr.exe
    C:\WINDOWS\DHUpdt.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Documents and Settings\All Users\Application Data\Soap axis less fork
    C:\PROGRA~1\stupid frag
    c:\windows\msbb.exe
    C:\Program Files\OfferApp
    C:\WINDOWS\System32\hueeqq.exe
    C:\Program Files\Common files\updater
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\System32\windriv.exe
    C:\WINDOWS\System32\spoolsvr.exe
    C:\Program Files\Common Files\WinTools
    C:\WINDOWS\wzkrwv.exe
    D:\Info.exe 
    HKLM\software\microsoft\shared tools\msconfig\startupreg\windriv
    HKLM\software\microsoft\shared tools\msconfig\startupreg\Winspool
    HKLM\software\microsoft\shared tools\msconfig\startupreg\WinTools
    HKLM\software\microsoft\shared tools\msconfig\startupreg\wzkrwv
    HKLM\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt
    HKLM\software\microsoft\shared tools\msconfig\startupreg\updater
    HKLM\software\microsoft\shared tools\msconfig\startupreg\pdliokoipbumg
    HKLM\software\microsoft\shared tools\msconfig\startupreg\OfferApp
    HKLM\software\microsoft\shared tools\msconfig\startupreg\msbb
    HKLM\software\microsoft\shared tools\msconfig\startupreg\Love Mess
    HKLM\software\microsoft\shared tools\msconfig\startupreg\Jreg
    HKLM\software\microsoft\shared tools\msconfig\startupreg\Less Fork Up 16
    HKLM\software\microsoft\shared tools\msconfig\startupreg\DIGStream
    HKLM\software\microsoft\shared tools\msconfig\startupreg\DealHelperBrwsr
    HKLM\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate
    HKLM\software\microsoft\shared tools\msconfig\startupreg\alchem
    HKLM\software\microsoft\shared tools\msconfig\startupreg\Breg
    HKLM\software\microsoft\shared tools\msconfig\startupreg\BTV
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\addisk
    HKLM\CurrentControlSet\Services\Routing
    HKLM\CurrentControlSet\Services\perfmons
    HKLM\CurrentControlSet\Services\perfmons Service
    HKLM\CurrentControlSet\Services\Routing Service
    HKLM\CurrentControlSet\Services\Viewpoint Manager Service
    HKLM\CurrentControlSet\Services\Indt2.sys
    HKLM\CurrentControlSet\Services\Indt2
    HKLM\CurrentControlSet\Services\andt
    HKLM\CurrentControlSet\Services\andt.sys


  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If OTMoveIt2 locks up, please continue on with the next steps.
=======================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===================
After that
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
=========================================================
Post these logs:
OTMoveIt2 log
SDFix log
MBAM log
ComboFix log


Please make multiple posts to fit them all in.
I will need to see all of them.

  • 0

#5
ndfan53

ndfan53

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Sorry it took so long. The SD program ran a very long time. lol Here is the SDFix log. I will post the MoveIt one here shortly after I run it.

SDFix: Version 1.146

Run by Owner on Sun 02/24/2008 at 02:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
tunnet

Path:
\??\C:\WINDOWS\system\tunnet.ocx

tunnet - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 31232 02/22/2008 02:19 PM
"C:\WINDOWS\system32\drivers\beep.sys" 31232 02/22/2008 02:19 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 02/23/2008 11:01 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 02/23/2008 11:01 PM



Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\POSDF8.TMP - Deleted
C:\WINDOWS\17PHolmes1535.exe - Deleted
C:\WINDOWS\mrofinu1535.exe - Deleted
C:\Program Files\Internet Explorer\svchost.exe - Deleted
C:\WINDOWS\braviax.exe - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted
C:\WINDOWS\system32\drivers\etc\hosts.bho - Deleted
C:\WINDOWS\system32\patch.exe - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\winistr.exe - Deleted
C:\WINDOWS\system\tunnet.ocx - Deleted



Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 14:52:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1144950616\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 18 Feb 2004 196 A.SHR --- "C:\BOOT.BAK"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 11 Oct 2005 345,806 ..SH. --- "C:\WINDOWS\inf\ksidda.bak1"
Sat 10 Dec 2005 516,552 ..SH. --- "C:\WINDOWS\inf\ksidda.bak2"
Sun 24 Feb 2008 30,632 ..SH. --- "C:\WINDOWS\system32\petxxzdo.dllbox"
Fri 19 Mar 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 26 Nov 2007 376 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiC.tmp"
Fri 12 Jan 2007 72,704 ..SHR --- "C:\Program Files\Makayama.com\Media Studio for iPodr and iPhoner\Setup.exe"
Tue 19 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 12 Apr 2005 95,892 ...H. --- "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Comcast PhotoShow Deluxe.exe"
Fri 22 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BITA.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT7.tmp"
Fri 22 Feb 2008 616,448 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\hqi9cura.TMP"
Fri 19 Mar 2004 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Mon 7 Aug 2006 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 6 Aug 2006 488 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
ok please continue :)

Edited by kahdah, 24 February 2008 - 03:20 PM.

  • 0

#7
ndfan53

ndfan53

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is the OTMoveIt log. I am getting a few alerts that pop up on startup about not running run.dll, and also there is a big red X for a font beside the C drive in My Computer. I will move on with the list of things you gave me to do. Thanks again for all your help.
[Custom Input]
< C:\WINDOWS\system32\iifcyyv.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifcyyv.dll
C:\WINDOWS\system32\iifcyyv.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iifcyyv.dll scheduled to be moved on reboot.
< C:\WINDOWS\system32\awvvw.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\awvvw.dll scheduled to be moved on reboot.
< C:\WINDOWS\system32\petxxzdo.dll >
C:\WINDOWS\system32\petxxzdo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\petxxzdo.dll scheduled to be moved on reboot.
< C:\Program Files\Common Files\StorageProtector >
C:\Program Files\Common Files\StorageProtector moved successfully.
< C:\WINDOWS\system32\xrafhbrg.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xrafhbrg.dll
C:\WINDOWS\system32\xrafhbrg.dll NOT unregistered.
C:\WINDOWS\system32\xrafhbrg.dll moved successfully.
< C:\WINDOWS\system32\perfs.exe >
C:\WINDOWS\system32\perfs.exe moved successfully.
< C:\WINDOWS\system32\routing.exe >
C:\WINDOWS\system32\routing.exe moved successfully.
< c:\program files\viewpoint >
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents moved successfully.
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents\VMgr_Win moved successfully.
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents moved successfully.
c:\program files\Viewpoint\Viewpoint Media Player\Components moved successfully.
c:\program files\Viewpoint\Viewpoint Media Player moved successfully.
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images moved successfully.
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData moved successfully.
c:\program files\Viewpoint\Viewpoint Manager\NotifyData moved successfully.
c:\program files\Viewpoint\Viewpoint Manager moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology\UserShell moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology\DownloadedComponents\AxMetaStream_Win moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology\DownloadedComponents moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology\Components moved successfully.
c:\program files\Viewpoint\Viewpoint Experience Technology moved successfully.
c:\program files\Viewpoint\Common moved successfully.
c:\program files\Viewpoint moved successfully.
< C:\WINDOWS\Tasks\AC48126991878511.job >
C:\WINDOWS\Tasks\AC48126991878511.job moved successfully.
< C:\WINDOWS\system32\splsxwwb.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\splsxwwb.dll
C:\WINDOWS\system32\splsxwwb.dll NOT unregistered.
C:\WINDOWS\system32\splsxwwb.dll moved successfully.
< C:\WINDOWS\system32\xrafhbrg.dll >
File/Folder C:\WINDOWS\system32\xrafhbrg.dll not found.
< C:\WINDOWS\system32\cru629.dat >
File/Folder C:\WINDOWS\system32\cru629.dat not found.
< C:\WINDOWS\system32\braviax.exe >
File/Folder C:\WINDOWS\system32\braviax.exe not found.
< C:\WINDOWS\cru629.dat >
File/Folder C:\WINDOWS\cru629.dat not found.
< C:\Documents and Settings\All Users\Application Data\storageprotector >
C:\Documents and Settings\All Users\Application Data\storageprotector\Data moved successfully.
C:\Documents and Settings\All Users\Application Data\storageprotector moved successfully.
< C:\Documents and Settings\All Users\Application Data\SalesMon >
File/Folder C:\Documents and Settings\All Users\Application Data\SalesMon not found.
< C:\Program Files\Common Files\StorageProtector >
File/Folder C:\Program Files\Common Files\StorageProtector not found.
< C:\WINDOWS\system32\petxxzdo.dll >
C:\WINDOWS\system32\petxxzdo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\petxxzdo.dll scheduled to be moved on reboot.
< C:\WINDOWS\braviax.exe >
File/Folder C:\WINDOWS\braviax.exe not found.
< C:\WINDOWS\system32\drmgs.sys >
C:\WINDOWS\system32\drmgs.sys moved successfully.
< C:\WINDOWS\system32\Indt2.sys >
C:\WINDOWS\system32\Indt2.sys moved successfully.
< C:\WINDOWS\system32\andt.sys >
C:\WINDOWS\system32\andt.sys moved successfully.
< C:\Program Files\Common Files\zofepog.pif >
C:\Program Files\Common Files\zofepog.pif moved successfully.
< C:\Documents and Settings\All Users\Application Data\akiwifapy.vbs >
C:\Documents and Settings\All Users\Application Data\akiwifapy.vbs moved successfully.
< C:\WINDOWS\unuhe.pif >
C:\WINDOWS\unuhe.pif moved successfully.
< C:\WINDOWS\system32\ijocihyzu.pif >
C:\WINDOWS\system32\ijocihyzu.pif moved successfully.
< C:\WINDOWS\nomowawet.scr >
C:\WINDOWS\nomowawet.scr moved successfully.
< C:\WINDOWS\azugi.com >
C:\WINDOWS\azugi.com moved successfully.
< C:\Program Files\Common Files\wepevalupa.reg >
C:\Program Files\Common Files\wepevalupa.reg moved successfully.
< C:\Program Files\Common Files\udyw.dat >
C:\Program Files\Common Files\udyw.dat moved successfully.
< C:\Program Files\Common Files\iwexyhybak.reg >
C:\Program Files\Common Files\iwexyhybak.reg moved successfully.
< C:\Documents and Settings\Owner\Application Data\nabijezaja.pif >
C:\Documents and Settings\Owner\Application Data\nabijezaja.pif moved successfully.
< C:\Documents and Settings\All Users\Application Data\gyjucano.com >
C:\Documents and Settings\All Users\Application Data\gyjucano.com moved successfully.
< C:\WINDOWS\system32\wvvwa.ini2 >
C:\WINDOWS\system32\wvvwa.ini2 moved successfully.
< C:\WINDOWS\system32\awvvw.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\awvvw.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\awvvw.dll scheduled to be moved on reboot.
< C:\WINDOWS\system32\users32.dat >
File/Folder C:\WINDOWS\system32\users32.dat not found.
< C:\WINDOWS\system32\winistr.exe >
File/Folder C:\WINDOWS\system32\winistr.exe not found.
< C:\Q160099062.exe >
C:\Q160099062.exe moved successfully.
< C:\qrwkjyd.exe >
C:\qrwkjyd.exe moved successfully.
< C:\qsdjpwpb.exe >
C:\qsdjpwpb.exe moved successfully.
< C:\wpohl.exe >
C:\wpohl.exe moved successfully.
< C:\arbfikac.exe >
C:\arbfikac.exe moved successfully.
< C:\WINDOWS\mrofinu1535.exe >
File/Folder C:\WINDOWS\mrofinu1535.exe not found.
< C:\WINDOWS\17PHolmes1535.exe >
File/Folder C:\WINDOWS\17PHolmes1535.exe not found.
< C:\WINDOWS\system32\iifcyyv.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifcyyv.dll
C:\WINDOWS\system32\iifcyyv.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iifcyyv.dll scheduled to be moved on reboot.
< C:\Documents and Settings\Owner\Application Data\alym.dl >
C:\Documents and Settings\Owner\Application Data\alym.dl moved successfully.
< C:\WINDOWS\inf\addisk.dll >
File/Folder C:\WINDOWS\inf\addisk.dll not found.
< C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe >
File/Folder C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe not found.
< C:\WINDOWS\alchem.exe >
File/Folder C:\WINDOWS\alchem.exe not found.
< C:\Program Files\Common Files\Java\breg.exe >
File/Folder C:\Program Files\Common Files\Java\breg.exe not found.
< C:\Program Files\BTV >
File/Folder C:\Program Files\BTV not found.
< C:\WINDOWS\dhbrwsr.exe >
File/Folder C:\WINDOWS\dhbrwsr.exe not found.
< C:\WINDOWS\DHUpdt.exe >
File/Folder C:\WINDOWS\DHUpdt.exe not found.
< C:\Program Files\DIGStream\digstream.exe >
C:\Program Files\DIGStream\digstream.exe moved successfully.
< C:\Documents and Settings\All Users\Application Data\Soap axis less fork >
File/Folder C:\Documents and Settings\All Users\Application Data\Soap axis less fork not found.
< C:\PROGRA~1\stupid frag >
File/Folder C:\PROGRA~1\stupid frag not found.
< c:\windows\msbb.exe >
File/Folder c:\windows\msbb.exe not found.
< C:\Program Files\OfferApp >
C:\Program Files\OfferApp\FLEOK moved successfully.
C:\Program Files\OfferApp moved successfully.
< C:\WINDOWS\System32\hueeqq.exe >
File/Folder C:\WINDOWS\System32\hueeqq.exe not found.
< C:\Program Files\Common files\updater >
File/Folder C:\Program Files\Common files\updater not found.
< C:\WINDOWS\wupdt.exe >
File/Folder C:\WINDOWS\wupdt.exe not found.
< C:\WINDOWS\System32\windriv.exe >
File/Folder C:\WINDOWS\System32\windriv.exe not found.
< C:\WINDOWS\System32\spoolsvr.exe >
File/Folder C:\WINDOWS\System32\spoolsvr.exe not found.
< C:\Program Files\Common Files\WinTools >
File/Folder C:\Program Files\Common Files\WinTools not found.
< C:\WINDOWS\wzkrwv.exe >
File/Folder C:\WINDOWS\wzkrwv.exe not found.
< D:\Info.exe >
D:\Info.exe moved successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\windriv >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windriv\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\Winspool >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winspool\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\WinTools >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\wzkrwv >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wzkrwv\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\updater >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\pdliokoipbumg >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdliokoipbumg\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\OfferApp >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfferApp\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\msbb >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\Love Mess >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Love Mess\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\Jreg >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jreg\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\Less Fork Up 16 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Less Fork Up 16\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\DIGStream >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\DealHelperBrwsr >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperBrwsr\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\alchem >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\Breg >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Breg\\ deleted successfully.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\BTV >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTV\\ deleted successfully.
< HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\addisk >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addisk\\ deleted successfully.
< HKLM\CurrentControlSet\Services\Routing >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Routing\\ not found.
< HKLM\CurrentControlSet\Services\perfmons >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\perfmons\\ not found.
< HKLM\CurrentControlSet\Services\perfmons Service >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\perfmons Service\\ not found.
< HKLM\CurrentControlSet\Services\Routing Service >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Routing Service\\ not found.
< HKLM\CurrentControlSet\Services\Viewpoint Manager Service >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Viewpoint Manager Service\\ not found.
< HKLM\CurrentControlSet\Services\Indt2.sys >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Indt2.sys\\ not found.
< HKLM\CurrentControlSet\Services\Indt2 >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Indt2\\ not found.
< HKLM\CurrentControlSet\Services\andt >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\andt\\ not found.
< HKLM\CurrentControlSet\Services\andt.sys >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\andt.sys\\ not found.

OTMoveIt2 v1.0.20 log created on 02242008_150449
  • 0
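An added example, not part of this thread or of OldTimer's tool: a small Python script that triages an OTMoveIt2 log in the format posted above, merging the duplicate requests from the file list in kahdah's instructions and separating what was removed, what was not found, and what is still scheduled to be moved on reboot. The log excerpt inside it is a constructed sample modelled on the lines above; the status names and helper functions are my own.

```python
"""Triage an OTMoveIt2 log: what was removed, what was not found, and what is
still pending a reboot (assumed status names; not OTMoveIt2's own vocabulary)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Each request echoed by OTMoveIt2 starts with "< target >" on its own line.
_TARGET_RE = re.compile(r"^<\s*(.+?)\s*>$")
# Outcome phrases printed beneath each target, as seen in the log format.
_PENDING = "scheduled to be moved on reboot"
_REMOVED = ("moved successfully.", "deleted successfully.")
_NOT_FOUND = "not found."  # "File/Folder X not found." / "Registry key X not found."
_STATUS_RANK = {"pending_reboot": 3, "removed": 2, "not_found": 1, "unknown": 0}


@dataclass
class Entry:
    target: str
    lines: list[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        """Classify one request from the result lines printed beneath it."""
        if any(_PENDING in ln for ln in self.lines):
            return "pending_reboot"
        if any(ln.endswith(_REMOVED) for ln in self.lines):
            return "removed"
        # The "DllUnregisterServer procedure not found in <path>" line ends with
        # the path, not with "not found.", so it does not count as a miss here.
        if any(ln.endswith(_NOT_FOUND) for ln in self.lines):
            return "not_found"
        return "unknown"

    @property
    def unregistered(self) -> bool | None:
        """True/False for DLLs OTMoveIt2 tried to unregister, None otherwise."""
        for ln in self.lines:
            if ln.endswith("unregistered successfully."):
                return True
            if ln.endswith("NOT unregistered."):
                return False
        return None


def parse_otmoveit_log(text: str) -> list[Entry]:
    """Group result lines under the "< target >" header that precedes them."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[Custom Input]" or line.startswith("OTMoveIt2 v"):
            continue  # blank line, header or footer
        m = _TARGET_RE.match(line)
        if m:
            entries.append(Entry(m.group(1)))
        elif entries:
            entries[-1].lines.append(line)
    return entries


def consolidate(entries: list[Entry]) -> dict[str, str]:
    """Merge duplicate requests (the list posted above names some paths twice):
    a later 'not found' after an earlier 'moved successfully' still means removed."""
    best: dict[str, str] = {}
    for e in entries:
        key = e.target.lower()
        if key not in best or _STATUS_RANK[e.status] > _STATUS_RANK[best[key]]:
            best[key] = e.status
    return best


def summarize(text: str) -> dict[str, list[str]]:
    """Return sorted targets per status plus the DLLs that could not be unregistered."""
    entries = parse_otmoveit_log(text)
    merged = consolidate(entries)
    report = {s: sorted(t for t, st in merged.items() if st == s) for s in _STATUS_RANK}
    # DLLs still loaded in a process typically end up pending a reboot; list them too.
    report["dll_not_unregistered"] = sorted(
        {e.target.lower() for e in entries if e.unregistered is False})
    return report


# Constructed excerpt in the OTMoveIt2 log format (not the full log from the thread).
SAMPLE_LOG = r"""
[Custom Input]
< C:\WINDOWS\system32\iifcyyv.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifcyyv.dll
C:\WINDOWS\system32\iifcyyv.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iifcyyv.dll scheduled to be moved on reboot.
< C:\WINDOWS\system32\petxxzdo.dll >
C:\WINDOWS\system32\petxxzdo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\petxxzdo.dll scheduled to be moved on reboot.
< C:\WINDOWS\system32\xrafhbrg.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xrafhbrg.dll
C:\WINDOWS\system32\xrafhbrg.dll NOT unregistered.
C:\WINDOWS\system32\xrafhbrg.dll moved successfully.
< c:\program files\viewpoint >
c:\program files\Viewpoint\Common moved successfully.
c:\program files\Viewpoint moved successfully.
< C:\WINDOWS\system32\xrafhbrg.dll >
File/Folder C:\WINDOWS\system32\xrafhbrg.dll not found.
< C:\WINDOWS\braviax.exe >
File/Folder C:\WINDOWS\braviax.exe not found.
< HKLM\software\microsoft\shared tools\msconfig\startupreg\windriv >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windriv\\ deleted successfully.
< HKLM\CurrentControlSet\Services\andt >
Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\andt\\ not found.
OTMoveIt2 v1.0.20 log created on 02242008_150449
"""

if __name__ == "__main__":
    for status, targets in summarize(SAMPLE_LOG).items():
        print(f"{status}: {len(targets)}")
        for t in targets:
            print("   ", t)
```

Items under pending_reboot are the ones to re-check after the restart; a "not found" for a path that an earlier tool already deleted is expected, which is the point kahdah makes in the next reply.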

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes, the missing files are good, because that means the malware has been removed from its normal location.
The red X we will take care of in a bit. :)
Go ahead with Combofix please. :)

#9
ndfan53

    Member

  • Topic Starter
  • Member
  • 13 posts
Here is the log from the malware scan. That took like an hour, so again, sorry for the delay. The only alert on restart I am getting now says error loading C:\windows\system32\xrafhbrg.dll

Malwarebytes' Anti-Malware 1.05
Database version: 402

Scan type: Full Scan (A:\|C:\|D:\|G:\|H:\|I:\|J:\|)
Objects scanned: 155253
Time elapsed: 41 minute(s), 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 29
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 104

Memory Processes Infected:
C:\WINDOWS\system32\windows (Trojan.Zapchast) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\iifcyyv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\awvvw.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\petxxzdo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{393c2547-b2ab-422c-87af-385238c73416} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{393c2547-b2ab-422c-87af-385238c73416} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifcyyv (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aca2920a-097d-4c51-9fd6-336254b25927} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{aca2920a-097d-4c51-9fd6-336254b25927} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\petxxzdo (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSControlService (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{393c2547-b2ab-422c-87af-385238c73416} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awvvw.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awvvw.dll -> Delete on reboot.

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\iifcyyv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awvvw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvvwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvvwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\petxxzdo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\petxxzdo.dllbox (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\uninst.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\US2I7EFV\Installer[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1355\A0184296.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0184358.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0184359.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0184365.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0184372.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0184384.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0184385.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0184405.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0185358.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0185360.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0186358.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0186365.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0186371.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0186383.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0186392.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0186396.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1356\A0186404.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186408.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186414.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186437.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186522.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186523.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186524.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186531.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186585.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186592.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186595.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186601.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186614.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186622.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186678.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186688.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186695.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186698.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1357\A0186704.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1358\A0186878.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1358\A0186879.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1358\A0186893.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1358\A0187887.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0187913.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0189912.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0190914.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0190925.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0190930.dll (Rogue.WinReanimator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0190945.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0190953.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0191953.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0194960.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0194978.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0194980.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0195978.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0196978.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0196980.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0196981.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0196990.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0197012.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0199044.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0199045.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1359\A0201055.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1360\A0202056.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203056.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203058.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203059.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203063.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203065.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203066.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203070.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203079.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203080.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203081.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203083.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203086.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1361\A0203125.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\windows (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_172750\WINDOWS\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_172750\WINDOWS\system32\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02242008_150449\arbfikac.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02242008_150449\qrwkjyd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02242008_150449\qsdjpwpb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02242008_150449\Program Files\Common Files\StorageProtector\strpmon.exe (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble16.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\celebs.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\gotb.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\highlight.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuff.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuffsm.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\movies.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\music.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\news.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\ngames.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\radio.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\REALBARTB0115.cfg (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\sports.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OK, proceed with ComboFix, please.


#11
ndfan53

    Member

  • Topic Starter
  • Member
  • 13 posts
Here is the ComboFix log. I do not have HijackThis anymore (at least I do not think I do) on my computer. Could you give me a link to get it? Because now I am leery about where I get stuff like that, lol.

ComboFix 08-02-25 - Owner 2008-02-24 16:18:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvvw.dll
C:\WINDOWS\system32\gakslulf.ini
C:\WINDOWS\system32\grbhfarx.ini
C:\WINDOWS\system32\iifcyyv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\petxxzdo.dll
C:\WINDOWS\system32\wvvwa.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 15:25 . 2008-02-24 15:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-24 15:25 . 2008-02-24 15:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-02-24 15:25 . 2008-02-24 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 14:25 . 2008-02-24 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-24 14:19 . 2008-02-24 15:00 <DIR> d-------- C:\SDFix
2008-02-24 12:09 . 2008-02-24 12:09 <DIR> d-------- C:\Deckard
2008-02-23 17:27 . 2008-02-23 17:27 <DIR> d-------- C:\_OTMoveIt
2008-02-23 14:14 . 2008-02-23 14:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 07:53 . 2008-02-23 07:54 3,568,275 --a------ C:\EasyShare.dmp
2008-02-22 19:39 . 2008-02-22 19:39 1,180 --a------ C:\WINDOWS\system32\imbrmute.ini
2008-02-22 19:13 . 2008-02-22 19:13 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-22 15:56 . 2008-02-22 15:56 19,694 --a------ C:\WINDOWS\izofigas._dl
2008-02-22 15:56 . 2008-02-22 15:56 19,493 --a------ C:\WINDOWS\walex.inf
2008-02-22 15:56 . 2008-02-22 15:56 19,255 --a------ C:\WINDOWS\atarexywoq.lib
2008-02-22 15:56 . 2008-02-22 15:56 17,436 --a------ C:\WINDOWS\tajajatugo._dl
2008-02-22 15:56 . 2008-02-22 15:56 16,713 --a------ C:\WINDOWS\system32\umigonu.inf
2008-02-22 15:56 . 2008-02-22 15:56 16,549 --a------ C:\WINDOWS\yqaci._sy
2008-02-22 15:56 . 2008-02-22 15:56 13,319 --a------ C:\WINDOWS\system32\lyzys.ban
2008-02-22 15:56 . 2008-02-22 15:56 11,022 --a------ C:\WINDOWS\system32\qonunis.lib
2008-02-22 14:43 . 2008-02-23 14:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-22 14:23 . 2008-02-22 14:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-02-17 09:56 . 2008-02-17 11:40 <DIR> d-------- C:\Documents and Settings\Owner\temp
2008-02-17 09:56 . 2008-02-17 11:40 <DIR> d--h----- C:\Documents and Settings\Owner\QMCache00
2008-02-17 09:56 . 2008-02-17 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 21:04 --------- d-----w C:\Program Files\DIGStream
2008-02-24 05:01 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-02-23 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-02-23 14:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-02-23 03:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-23 00:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 23:53 --------- d-----w C:\Program Files\uTorrent
2008-02-22 22:40 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-22 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-02-22 20:51 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 11:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-01-24 22:40 --------- d-----w C:\Program Files\iTunes
2008-01-24 22:40 --------- d-----w C:\Program Files\iPod
2008-01-24 22:39 --------- d-----w C:\Program Files\Bonjour
2008-01-24 22:38 --------- d-----w C:\Program Files\QuickTime
2008-01-24 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-24 22:37 --------- d-----w C:\Program Files\Apple Software Update
2008-01-24 22:36 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-24 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-21 00:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 21:41 --------- d-----w C:\Program Files\TomTom HOME
2008-01-20 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\TomTom
2007-04-17 14:23 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-04-17 14:23 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-12-03 18:09 284 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2005-10-11 13:14 345,806 -csh--w C:\WINDOWS\inf\ksidda.bak1
2005-12-10 21:00 516,552 -csh--w C:\WINDOWS\inf\ksidda.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [ ]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-01-06 09:57 1343488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 17:16 192512]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 09:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"20ddfb3d"="C:\WINDOWS\system32\xrafhbrg.dll" [ ]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 13:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 151552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 3.8.5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 3.8.5.lnk
backup=C:\WINDOWS\pss\LimeWire 3.8.5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Organize.lnk
backup=C:\WINDOWS\pss\Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a--c--- 2003-06-18 20:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 14:55 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
--a--c--- 2003-03-04 06:49 86100 C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
C:\Program Files\LimeShop\LimeShoprun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 18:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-08-19 03:56 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRIVANAL]
--a------ 2005-08-05 14:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRIVMGR]
C:\Program Files\Anonymizer\Privacy Manager\privmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a--c--- 2002-10-16 17:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPYKILLER]
C:\Program Files\Anonymizer\sk\SpyWareKiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a--c--- 2003-08-14 20:11 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-19 23:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 09:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a--c--- 2004-03-12 14:53 20480 C:\WINDOWS\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-01-06 09:57 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 03:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 03:15]
S2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe []
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 21:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 08:00:00 C:\WINDOWS\Tasks\SpyWareKiller.job"
- C:\Program Files\Anonymizer\sk\SpyWareKiller.exe
"2004-02-18 17:31:21 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-25 22:25:00 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-23 13:35:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 16:25:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-25 16:31:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 22:31:45
.
2008-02-23 03:07:18 --- E O F ---
  • 0

#12
ndfan53

    Member

  • Topic Starter
  • Member
  • 13 posts
Forget what I just said. I do have HijackThis and here is the log profile from Notepad.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:00 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\xrafhbrg.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134326940812
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 5240 bytes
  • 0

#13
ndfan53

    Member

  • Topic Starter
  • Member
  • 13 posts
I rebooted after I did everything and pasted the logs, and the system seems to be running dramatically better. The only thing I still have is a pop-up alert that comes on even before the desktop loads and says that some .dll cannot load. It also has that fateful red circle and white X beside it in the box. Everything else, though, works great. Let me know what else I need to do.
  • 0

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
We still have a little left to go :)

These instructions should take care of those issues.
==================================
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\imbrmute.ini
C:\WINDOWS\izofigas._dl
C:\WINDOWS\walex.inf
C:\WINDOWS\atarexywoq.lib
C:\WINDOWS\tajajatugo._dl
C:\WINDOWS\system32\umigonu.inf
C:\WINDOWS\yqaci._sy
C:\WINDOWS\system32\lyzys.ban
C:\WINDOWS\system32\qonunis.lib
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\inf\ksidda.bak1
C:\WINDOWS\inf\ksidda.bak2
C:\WINDOWS\system32\xrafhbrg.dll
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\WINDOWS\system32\perfs.exe 
C:\WINDOWS\system32\routing.exe 
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"20ddfb3d"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons] 
Driver::
perfmons
Routing
Viewpoint Manager Service


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
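Added example, not code from this thread or from HijackThis/ComboFix: a small Python triage script that parses the O4 (Run) and O23 (Service) lines in the HijackThis format posted above and flags the two patterns the CFScript removes, a Run value named with a bare hex string that loads a DLL through rundll32, and a service with no recorded owner whose binary is reported missing. The sample lines are constructed from the log in this thread; the scoring rules are my own assumptions, not HijackThis's.

```python
"""Triage helper for HijackThis O4 (Run) and O23 (Service) lines.

Added example, not part of the thread or of HijackThis/ComboFix.  The rules
below encode the two patterns the helper's CFScript removed from this log and
are an assumption of this example, not a published heuristic.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\xrafhbrg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# O23 - Service: display name - owner - path [(file missing)]
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)'
    r'(?P<missing> \(file missing\))?$'
)
# A Run value whose name is nothing but 6-12 hex digits (e.g. "20ddfb3d").
HEX_NAME_RE = re.compile(r'^[0-9a-fA-F]{6,12}$')
# rundll32[.exe] "path\to\some.dll",entry  -> capture the DLL path.
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                 # "run" or "service"
    name: str                 # Run value name or service display name
    line: str                 # the original log line
    reasons: list = field(default_factory=list)


def check_run(m: "re.Match") -> list:
    """Reasons to look at an O4 Run entry; empty list means nothing notable."""
    reasons = []
    if HEX_NAME_RE.match(m.group("name")):
        reasons.append("value name is a bare hex string rather than a product name")
        dll = RUNDLL_RE.search(m.group("cmd"))
        if dll:
            reasons.append(f"loads {dll.group(2)} through rundll32.exe")
    return reasons


def check_service(m: "re.Match") -> list:
    """Reasons to look at an O23 service: unknown owner AND binary missing."""
    if m.group("owner") == "Unknown owner" and m.group("missing"):
        return [
            "no vendor recorded for the service binary",
            f"binary {m.group('path')} is reported missing",
        ]
    return []


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that matches one of the rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_run(m)
            if reasons:
                findings.append(Finding("run", m.group("name"), line, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = check_service(m)
            if reasons:
                findings.append(Finding("service", m.group("display"), line, reasons))
    return findings


def summarize(findings: list) -> str:
    """One block of text per finding, suitable for pasting into a reply."""
    out = []
    for f in findings:
        out.append(f"[{f.kind}] {f.name}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```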

#15
ndfan53

    Member

  • Topic Starter
  • Member
  • 13 posts
Here is the ComboFix first, followed by the HijackThis. If I have not told you yet, you are the best lol.

ComboFix 08-02-25 - Owner 2008-02-25 17:41:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\WINDOWS\atarexywoq.lib
C:\WINDOWS\inf\ksidda.bak1
C:\WINDOWS\inf\ksidda.bak2
C:\WINDOWS\izofigas._dl
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\imbrmute.ini
C:\WINDOWS\system32\lyzys.ban
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\qonunis.lib
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\umigonu.inf
C:\WINDOWS\system32\xrafhbrg.dll
C:\WINDOWS\tajajatugo._dl
C:\WINDOWS\walex.inf
C:\WINDOWS\yqaci._sy
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\atarexywoq.lib
C:\WINDOWS\inf\ksidda.bak1
C:\WINDOWS\inf\ksidda.bak2
C:\WINDOWS\izofigas._dl
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\imbrmute.ini
C:\WINDOWS\system32\lyzys.ban
C:\WINDOWS\system32\qonunis.lib
C:\WINDOWS\system32\umigonu.inf
C:\WINDOWS\tajajatugo._dl
C:\WINDOWS\walex.inf
C:\WINDOWS\yqaci._sy

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_PERFMONS
-------\LEGACY_ROUTING
-------\LEGACY_VIEWPOINT_MANAGER_SERVICE
-------\perfmons
-------\Routing
-------\Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 15:25 . 2008-02-24 15:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-24 15:25 . 2008-02-24 15:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-02-24 15:25 . 2008-02-24 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-24 14:25 . 2008-02-24 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-24 14:19 . 2008-02-24 15:00 <DIR> d-------- C:\SDFix
2008-02-24 12:09 . 2008-02-24 12:09 <DIR> d-------- C:\Deckard
2008-02-23 17:27 . 2008-02-23 17:27 <DIR> d-------- C:\_OTMoveIt
2008-02-23 14:14 . 2008-02-23 14:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 07:53 . 2008-02-23 07:54 3,568,275 --a------ C:\EasyShare.dmp
2008-02-22 19:13 . 2008-02-22 19:13 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-22 14:43 . 2008-02-23 14:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-22 14:23 . 2008-02-22 14:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-02-17 09:56 . 2008-02-17 11:40 <DIR> d-------- C:\Documents and Settings\Owner\temp
2008-02-17 09:56 . 2008-02-17 11:40 <DIR> d--h----- C:\Documents and Settings\Owner\QMCache00
2008-02-17 09:56 . 2008-02-17 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 21:04 --------- d-----w C:\Program Files\DIGStream
2008-02-23 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-02-23 14:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-02-23 03:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-23 00:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 23:53 --------- d-----w C:\Program Files\uTorrent
2008-02-22 22:40 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-22 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-02-22 20:51 --------- d-----w C:\Program Files\Yahoo!
2008-02-22 11:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-01-24 22:40 --------- d-----w C:\Program Files\iTunes
2008-01-24 22:40 --------- d-----w C:\Program Files\iPod
2008-01-24 22:39 --------- d-----w C:\Program Files\Bonjour
2008-01-24 22:38 --------- d-----w C:\Program Files\QuickTime
2008-01-24 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-24 22:37 --------- d-----w C:\Program Files\Apple Software Update
2008-01-24 22:36 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-24 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-21 00:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 21:41 --------- d-----w C:\Program Files\TomTom HOME
2008-01-20 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\TomTom
2007-04-17 14:23 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-04-17 14:23 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-12-03 18:09 284 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [ ]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-01-06 09:57 1343488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 17:16 192512]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 09:20 50528]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 13:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 151552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 3.8.5.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 3.8.5.lnk
backup=C:\WINDOWS\pss\LimeWire 3.8.5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Organize.lnk
backup=C:\WINDOWS\pss\Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a--c--- 2003-06-18 20:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 14:55 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
--a--c--- 2003-03-04 06:49 86100 C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
C:\Program Files\LimeShop\LimeShoprun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 18:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-08-19 03:56 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRIVANAL]
--a------ 2005-08-05 14:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRIVMGR]
C:\Program Files\Anonymizer\Privacy Manager\privmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a--c--- 2002-10-16 17:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPYKILLER]
C:\Program Files\Anonymizer\sk\SpyWareKiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a--c--- 2003-08-14 20:11 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-19 23:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 09:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a--c--- 2004-03-12 14:53 20480 C:\WINDOWS\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-01-06 09:57 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 03:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 03:15]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 21:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 08:00:00 C:\WINDOWS\Tasks\SpyWareKiller.job"
- C:\Program Files\Anonymizer\sk\SpyWareKiller.exe
"2004-02-18 17:31:21 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-25 23:46:24 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-23 13:35:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 17:46:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-25 17:50:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 23:50:24
ComboFix2.txt 2008-02-25 22:31:50
.
2008-02-23 03:07:18 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:30 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134326940812
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4849 bytes
  • 0