Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

malware, hijack bowser problem

Started by edzinn , Feb 28 2008 02:50 AM

  • Please log in to reply

#1
edzinn
Posted 28 February 2008 - 02:50 AM

edzinn

    Member

  • Member
  • PipPip
  • 11 posts
Hello,
my name is Ed Zinn and I am living and working in China. I work for a small NGO. I am orginally from Ohio
I have a program on my computer that keeps changing the home page to a different page. New page is a page from Thailand (About:People's Republic of Thailand (PRT)")

I have run all the scans recommended and deleted all the spyware and things that I could find. (I ran AVG anti-sypyware, and super antispywar, and panda online scan)
I run ad-aware and spybot on a regualr basis and use AVG for my anit virus.

Here are the results from the Hijack this scan. I can add the results form the previous scans also.
Avg antispyware deleted everything,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:24 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
F:\Program Files\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\New Folder\SUPERAntiSpyware.exe
F:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\program file\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.lvllord.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} -

C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} -

F:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil

/RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

/SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

/IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog

Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"

/tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09

\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -

atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc]

C:\WINDOWS\SYSTEM32\kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc.vbs
O4 - HKLM\..\Run: [ci5ma15rjigleuyl3c2idh8zx36fff7] C:\WINDOWS\SYSTEM32

\ci5ma15rjigleuyl3c2idh8zx36fff7.vbs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5

\avgas.exe" /minimized
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application

Data\Frag great bend logo\ooze love.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"

/background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2

\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash

/minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9]

C:\WINDOWS\pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9.vbs
O4 - HKCU\..\Run: [9yl2q6ng8m3irrlch0614ae292s8u]

C:\WINDOWS\9yl2q6ng8m3irrlch0614ae292s8u.vbs
O4 - HKCU\..\Run: [6e1i6x167fecxadz8y] C:\WINDOWS\6e1i6x167fecxadz8y.vbs
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\New

Folder\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [corn proc] C:\DOCUME~1\Ed\APPLIC~1\RECTCA~1\Wait about.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

/RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Fantastic Flame Agent.lnk = F:\Program Files\Fantastic Flame

Screensaver\FantasticFlameAgent.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program

Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program

Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program

Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1

\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} -

F:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-

48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-

f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -

http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) -

http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader

Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -

http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -

http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94F7EC62-3489-4D0A-BD13-BA7CDBE8B9E2}:

NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\New Folder\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32

\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1

\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1

\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog

Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11158 bytes


log for super antispyware scan

SUPERAntiSpyware Scan Log
Generated 02/23/2008 at 02:20 PM

Application Version : 3.6.1000

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Custom Scan
Total Scan Time : 01:42:07

Memory items scanned : 428
Memory threats detected : 0
Registry items scanned : 4849
Registry threats detected : 10
File items scanned : 83453
File threats detected : 15

Trojan.Downloader-Gen/FotoMoto
HKLM\Software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\InprocServer32
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\InprocServer32#ThreadingModel
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\ProgID
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\Programmable
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\TypeLib
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\NSU974.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{733716E1-76D2-4003-AC39-845281C0EF85}

Adware.Tracking Cookie
C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
C:\Documents and Settings\Ed\Cookies\[email protected][3].txt
C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
C:\Documents and Settings\Ed\Cookies\[email protected][3].txt
C:\Documents and Settings\Ed\Cookies\ed@adinterax[2].txt
C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
C:\Documents and Settings\Ed\Cookies\[email protected][1].txt

Trojan.Downloader-AUPD
C:\DOCUMENTS AND SETTINGS\ED\LOCAL SETTINGS\TEMP\AUPD.EXE


here are the results from the active scan by panda online scan

Incident Status Location

Virus:Vbs/ReThaRan.A Disinfected Operating system
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Ed\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.com.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.xiti.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ed\Cookies\ed@com[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ed\Cookies\ed@com[2].txt
Virus:Generic Malware Disinfected C:\Documents and Settings\Ed\Local Settings\Temp\comver.dll
Virus:Generic Malware Disinfected C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll
Virus:Vbs/ReThaRan.A Disinfected C:\WINDOWS\system32\ouhym3mcinh8dwv2x07aygzp476z349kcm9aj62b511jjhlxoym3mcinh.vbs
Virus:Vbs/ReThaRan.A Disinfected C:\WINDOWS\system32\x3q7vbu.vbs


Thanks very much for your help and if you need anything else please let me know.
by the way i have just discovered this is now on my laptop also so I will be trying the same thing on it too.

Ed Zinn
  • 0

Advertisements

#2
kahdah
Posted 28 February 2008 - 09:35 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello edzinn

Welcome to G2Go. :)
===================
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)
====================================
Also Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
edzinn
Posted 29 February 2008 - 11:55 AM

edzinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Kahdah,
Hello and thanks for helping
here are the results.
01612656.FIL;C:\$VAULT$.AVG;BackDoor.Pigeon.1603;Deleted.;
15997234.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.8316;Deleted.;
16683453.FIL;C:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;
RegUBP2b-Ed.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0078798.reg;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP369;Trojan.StartPage.1505;Deleted.;
A0078827.reg;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP369;Trojan.StartPage.1505;Deleted.;
A0078838.reg;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Trojan.StartPage.1505;Deleted.;
A0078848.reg;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Trojan.StartPage.1505;Deleted.;
A0078869.reg;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Trojan.StartPage.1505;Deleted.;
A0078876.vbs;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Probably SCRIPT.Virus;;
A0078877.vbs;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Probably SCRIPT.Virus;;
A0078878.vbs;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Probably SCRIPT.Virus;;
A0078879.vbs;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Probably SCRIPT.Virus;;
A0078880.vbs;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Probably SCRIPT.Virus;;
A0078882.vbs;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370;Probably SCRIPT.Virus;;
A0078884.reg;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP371;Trojan.StartPage.1505;Deleted.;
A0078897.vbs;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP371;Probably SCRIPT.Virus;;
A0079062.reg;C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP376;Trojan.StartPage.1505;Deleted.;
04207500.FIL;F:\$VAULT$.AVG;Trojan.MulDrop.5061;Deleted.;
15230484.FIL;F:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;
23723343.FIL;F:\$VAULT$.AVG;Trojan.MulDrop.5061;Deleted.;
68220625.FIL;F:\$VAULT$.AVG;Trojan.Packed.149;Incurable.Moved.;


Deckard's System Scanner v20071014.68
Run by Ed on 2008-03-01 01:46:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-02-29 17:46:30 UTC - RP377 - Deckard's System Scanner Restore Point
8: 2008-02-29 15:56:02 UTC - RP376 - System Checkpoint
7: 2008-02-28 14:59:17 UTC - RP375 - System Checkpoint
6: 2008-02-27 12:02:12 UTC - RP374 - System Checkpoint
5: 2008-02-26 11:48:02 UTC - RP373 - System Checkpoint


-- First Restore Point --
1: 2008-02-22 04:56:17 UTC - RP369 - Feb222008


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ed.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:36 AM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Grisoft\DivoCodec\wakeservice.exe
C:\Documents and Settings\Ed\Desktop\dss.exe
D:\PROGRA~1\NEWFOL~1\Ed.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lvllord.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MySidesearch Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc] C:\WINDOWS\SYSTEM32\kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc.vbs
O4 - HKLM\..\Run: [ci5ma15rjigleuyl3c2idh8zx36fff7] C:\WINDOWS\SYSTEM32\ci5ma15rjigleuyl3c2idh8zx36fff7.vbs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\ooze love.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9] C:\WINDOWS\pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9.vbs
O4 - HKCU\..\Run: [9yl2q6ng8m3irrlch0614ae292s8u] C:\WINDOWS\9yl2q6ng8m3irrlch0614ae292s8u.vbs
O4 - HKCU\..\Run: [6e1i6x167fecxadz8y] C:\WINDOWS\6e1i6x167fecxadz8y.vbs
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\New Folder\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [corn proc] C:\DOCUME~1\Ed\APPLIC~1\RECTCA~1\Wait about.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Fantastic Flame Agent.lnk = F:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94F7EC62-3489-4D0A-BD13-BA7CDBE8B9E2}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\New Folder\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10954 bytes

-- HijackThis Fixed Entries (D:\PROGRA~1\NEWFOL~1\backups\) --------------------

backup-20080222-111321-141 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = About:People's Republic of Thailand (PRT)
backup-20080222-111337-868 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = About:People's Republic of Thailand (PRT)
backup-20080222-123559-185 O2 - BHO: superiorads browser enhancer - {79F562E5-768C-4494-8E6C-824ADA4A9C2C} - C:\WINDOWS\system32\sprt_ads.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Stealth - c:\windows\system32\drivers\stealth.sys <Not Verified; Generic; STEALTH>
R1 SASDIFSV - d:\program files\new folder\sasdifsv.sys
R1 SASKUTIL - d:\program files\new folder\saskutil.sys
R3 SASENUM - d:\program files\new folder\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-01 01:00:04 248 --ah----- C:\WINDOWS\Tasks\AFA37C6591CCF04D.job
2008-02-27 21:56:15 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-02-01 and 2008-03-01 -----------------------------

2008-02-29 23:02:51 0 d-------- C:\Documents and Settings\Ed\DoctorWeb
2008-02-26 17:43:44 0 d-------- C:\Program Files\rect cake dash
2008-02-26 17:27:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Frag great bend logo
2008-02-26 17:24:53 0 d-------- C:\Documents and Settings\Ed\Application Data\rect cake dash
2008-02-23 16:14:27 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-23 12:28:58 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-23 12:28:35 0 d-------- C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com
2008-02-22 23:04:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-22 23:03:27 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-22 23:03:27 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-22 23:03:27 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-22 23:03:27 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-22 23:03:27 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-22 23:03:27 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-22 23:03:27 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-22 23:03:27 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-22 23:03:27 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-22 23:03:27 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-22 23:03:27 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-22 23:03:27 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-02-22 23:03:27 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-22 23:03:27 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-22 22:48:50 0 d-------- C:\Documents and Settings\Ed\Application Data\Grisoft
2008-02-22 10:33:36 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-22 10:33:35 2539 --a------ C:\WINDOWS\unins000.dat
2008-02-21 17:31:52 0 d-------- C:\Program Files\Lavasoft
2008-02-21 17:31:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-21 17:31:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 17:08:58 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-14 21:54:32 60416 --a------ C:\WINDOWS\system32\sprt_ads.dll
2008-02-14 00:29:32 0 d-------- C:\Program Files\Sierra On-Line
2008-02-11 12:49:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-11 12:25:18 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-02-10 20:50:04 84729 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-02-10 20:48:05 40730 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
2008-02-10 20:48:02 80112 --a------ C:\WINDOWS\system32\dcads-remove.exe
2008-02-10 20:48:00 0 d-------- C:\Program Files\Dcads Games Collection
2008-02-09 21:14:20 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-02-08 22:52:36 335872 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll


-- Find3M Report ---------------------------------------------------------------

2008-02-29 16:21:17 0 d-------- C:\Documents and Settings\Ed\Application Data\Skype
2008-02-29 16:18:35 0 d-------- C:\Documents and Settings\Ed\Application Data\AVG7
2008-02-27 22:01:03 0 d-------- C:\Documents and Settings\Ed\Application Data\LimeWire
2008-02-26 19:32:43 16 --a------ C:\WINDOWS\popcinfo.dat
2008-02-26 17:41:05 0 d-------- C:\Documents and Settings\Ed\Application Data\vlc
2008-02-24 13:39:18 0 d-------- C:\Program Files\QuickTime
2008-02-24 13:38:46 0 d-------- C:\Program Files\MSN Messenger
2008-02-24 13:35:18 0 d-------- C:\Program Files\iTunes
2008-02-21 17:31:26 0 d-------- C:\Program Files\Common Files
2008-02-18 17:16:11 0 d-------- C:\Documents and Settings\Ed\Application Data\Lavasoft
2008-02-11 13:04:00 0 d-------- C:\Documents and Settings\Ed\Application Data\Adobe
2008-02-11 12:51:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-10 20:51:09 0 d-------- C:\Documents and Settings\Ed\Application Data\CE
2008-01-23 16:28:34 0 d-------- C:\Program Files\Mplayer
2008-01-01 20:44:07 3532 --a------ C:\drmHeader.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]
02/08/2008 10:52 PM 335872 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [05/29/2003 04:28 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [05/30/2003 09:42 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [10/12/2006 03:10 AM]
"DAEMON Tools-1033"="F:\Program Files\daemon.exe" [06/19/2002 10:49 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [12/21/2007 03:04 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 10:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 12:10 PM]
"kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc"="C:\WINDOWS\SYSTEM32\kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc.vbs" []
"ci5ma15rjigleuyl3c2idh8zx36fff7"="C:\WINDOWS\SYSTEM32\ci5ma15rjigleuyl3c2idh8zx36fff7.vbs" []
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 PM]
"bend logo clock film"="C:\Documents and Settings\All Users\Application Data\Frag great bend logo\ooze love.exe" [02/29/2008 10:43 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [12/01/2006 09:28 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [09/13/2007 01:31 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9"="C:\WINDOWS\pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9.vbs" []
"9yl2q6ng8m3irrlch0614ae292s8u"="C:\WINDOWS\9yl2q6ng8m3irrlch0614ae292s8u.vbs" []
"6e1i6x167fecxadz8y"="C:\WINDOWS\6e1i6x167fecxadz8y.vbs" []
"SUPERAntiSpyware"="D:\Program Files\New Folder\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]
"corn proc"="C:\DOCUME~1\Ed\APPLIC~1\RECTCA~1\Wait about.exe" [02/26/2008 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
PowerReg Scheduler V3.exe [12/20/2006 5:38:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Fantastic Flame Agent.lnk - F:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe [4/25/2007 4:33:26 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\New Folder\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\New Folder\SASWINLO.dll 02/27/2007 11:39 AM 282624 D:\Program Files\New Folder\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d683ad3-7b7a-11db-b84a-00112f8263e8}]
AutoRun\command- H:\setup.exe
dinstall\command- H:\Quake3\directx7\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25681e92-c557-11db-b8e5-00112f8263e8}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56fd7790-c493-11db-b8e4-00112f8263e8}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe ovhym4but00l2c01r625mskjhlfvp4d3imeisnzqo4vp7u1gptyx50l2c01.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67379e5a-caf2-11db-b8e8-00112f8263e8}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b39c886-8cae-11db-b86f-00112f8263e8}]
AutoRun\command- I:\ek.com
explore\Command- I:\ek.com
open\Command- I:\ek.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86d32244-65c5-11dc-b9b9-00112f8263e8}]
1\Command- .\RECYCLER\RECYCLER.exe
2\Command- .\RECYCLER\RECYCLER.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1f36b58-948d-11db-b87e-00112f8263e8}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe x3q7v.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1f36b5e-948d-11db-b87e-00112f8263e8}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe y4r8wcut.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1f36b5f-948d-11db-b87e-00112f8263e8}]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3487310C-5FF6-11D2-377D-E452830CEB92}]
C:\WINDOWS\system32\win32gl\svchost.exe s



-- Hosts -----------------------------------------------------------------------

127.0.0.1 hityou.com
127.0.0.1 www.hityou.com
127.0.0.1 180searchassistant.com
127.0.0.1 www.180searchassistant.com
127.0.0.1 180solutions.com
127.0.0.1 www.180solutions.com
127.0.0.1 bis.180solutions.com
127.0.0.1 config.180solutions.com
127.0.0.1 cts.180solutions.com
127.0.0.1 downloads.180solutions.com

7980 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-01 01:49:29 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 511.23 MiB / 185.97 MiB
Pagefile Memory (total/avail): 1249.87 MiB / 664.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.28 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 4.33 GiB free.
D: is Fixed (NTFS) - 48.83 GiB total, 43.63 GiB free.
E: is Fixed (FAT32) - 6.15 GiB total, 3.68 GiB free.
F: is Fixed (NTFS) - 149.05 GiB total, 31.65 GiB free.
G: is CDROM (No Media)
H: is CDROM (CDFS)

\\.\PHYSICALDRIVE1 - ST3160212A - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - F:

\\.\PHYSICALDRIVE0 - ST3802110A 41N3271 LEN - 74.54 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 55 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft)
AV: Eset NOD32 antivirus system 2.51 v2.51 (Eset)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\LimeWire\\LimeWire.exe"="D:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"F:\\Program Files\\PC Games\\Age Of Empires\\age2_x1.exe"="F:\\Program Files\\PC Games\\Age Of Empires\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars: Empire at War"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"F:\\Program Files\\BitComet\\BitComet.exe"="F:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"F:\\Program Files\\Halo.exe"="F:\\Program Files\\Halo.exe:*:Enabled:Halo"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds\\Game\\Battlegrounds.exe"="C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds\\Game\\Battlegrounds.exe:*:Enabled:Star Wars Galactic Battlegrounds"
"F:\\Bit downloads\\Halo\\halo.exe"="F:\\Bit downloads\\Halo\\halo.exe:*:Enabled:Halo"
"F:\\Program Files\\Quake 3 Arena [PCCD][English][newpct.com]By Nachete\\Quake3\\quake3.exe"="F:\\Program Files\\Quake 3 Arena [PCCD][English][newpct.com]By Nachete\\Quake3\\quake3.exe:*:Enabled:quake3"
"D:\\program file\\quake3.exe"="D:\\program file\\quake3.exe:*:Enabled:quake3"
"F:\\Program Files\\Quake 2 + Expansiones [PCCD][English][newpct.com]By Nachete\\Quake2\\quake2xp.exe"="F:\\Program Files\\Quake 2 + Expansiones [PCCD][English][newpct.com]By Nachete\\Quake2\\quake2xp.exe:*:Enabled:quake2xp"
"D:\\program file\\Bin32\\FarCry.exe"="D:\\program file\\Bin32\\FarCry.exe:*:Enabled:Far Cry"
"D:\\program file\\games\\half-life\\Counter-Strike\\cstrike.exe"="D:\\program file\\games\\half-life\\Counter-Strike\\cstrike.exe:*:Enabled:CounterStrike Launcher"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ed\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RUSSELL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ed
LOGONSERVER=\\RUSSELL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0303
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ed\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ed\LOCALS~1\Temp
USERDOMAIN=RUSSELL
USERNAME=Ed
USERPROFILE=C:\Documents and Settings\Ed
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ed (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> F:\Program Files\divx\ConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe GoLive CS2 English --> msiexec /i {46548E80-0409-0000-7E8A-45000F855001}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS2 --> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe InDesign CS2 --> msiexec /I{7F4C8163-F259-49A0-A018-2857A90578BC}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Backyard Football 2002 --> C:\WINDOWS\IsUninst.exe -fC:\HEGames\Football2002\Uninst.isu -c"C:\HEGames\Football2002\Uninst.dll
Bejeweled 2 Deluxe --> C:\WINDOWS\iun6002ev.exe "C:\Program Files\Bejeweled 2 Deluxe\irunin.ini"
BitComet 0.91 --> F:\Program Files\BitComet\uninst.exe
Browser Optimizer Dcads --> C:\WINDOWS\system32\dcads-remove.exe
CiD Help --> C:\DOCUME~1\Ed\APPLIC~1\RECTCA~1\Wait about.exe -uninstall
Cucusoft DVD to iPod + iPod Video Converter Suite 3.12.3.22 --> "F:\Program Files\ipod-converter\unins000.exe"
Cucusoft DVD to iPod Converter 3.22 --> "F:\Program Files\Cucusoft DVD to iPod Mpeg AVI to DVD VCD SVCD Converter Pro\ipod-converter\unins000.exe"
Cucusoft iPod Movie/Video Converter 2.00 --> "C:\Program Files\Cucusoft\ipod-converter\unins000.exe"
DAEMON Tools --> MsiExec.exe /I{EDB4C5BF-3324-410F-8E1B-60AAB5868CC3}
Dcads Games Collection --> C:\Program Files\Dcads Games Collection\uninstall.exe
DivoCodec version 1.0.0.2 --> "D:\Program Files\Grisoft\DivoCodec\unins000.exe"
DivX Codec --> F:\Program Files\divx\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> F:\Program Files\divx\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> F:\Program Files\divx\ConverterUninstall.exe /CONVERTER
Enhancement Browser Tools Superiorads --> C:\WINDOWS\system32\superiorads-uninst.exe
Fantastic Flame Screensaver --> F:\Program Files\Fantastic Flame Screensaver\uninstall.exe
Far Cry --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Half-Life: Counter-Strike --> D:\PROGRA~1\games\HALF-L~1\COUNTE~1\UNWISE.EXE D:\PROGRA~1\games\HALF-L~1\COUNTE~1\INSTALL.LOG
HijackThis 2.0.2 --> "D:\program file\New Folder\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
LimeWire 4.16.6 --> "D:\LimeWire\uninstall.exe"
LIVE gaming on Windows Runtime Version 1.0.6027 --> MsiExec.exe /X{839916F4-D8B5-4407-BE6D-6D4EB9D96AF4}
Mah Jong Medley --> D:\PROGRA~1\MAHJON~1\UNWISE.EXE /U D:\PROGRA~1\MAHJON~1\INSTALL.LOG
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MySidesearch Search Assistant --> C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OLYMPUS Master 2 --> MsiExec.exe /X{F0FC1E09-AF67-47BC-9E61-90ECFEB4CE82}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quake III Arena --> C:\WINDOWS\IsUninst.exe -f"d:\program file\QIII.isu"
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpeedSim --> F:\Program Files\speed\SpeedSim\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Star Wars Empire at War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99AE7207-8612-4DBA-A8F8-BAE5C633390D}\Setup.exe" -l0x9 -removeonly
Star Wars Galactic Battlegrounds --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A202BDBA-753F-41B9-B649-CFB0B45FC03E}\Setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TVUPlayer 2.3.3.2 --> C:\Program Files\TVUPlayer\uninst.exe
VideoLAN VLC media player 0.8.6d --> D:\program file\VLC Player\VLC\uninstall.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type6883 / Success
Event Submitted/Written: 02/29/2008 04:21:33 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6874 / Success
Event Submitted/Written: 02/28/2008 10:30:17 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6857 / Success
Event Submitted/Written: 02/28/2008 05:02:49 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6836 / Success
Event Submitted/Written: 02/27/2008 04:02:46 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6827 / Success
Event Submitted/Written: 02/26/2008 04:28:44 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type145322 / Error
Event Submitted/Written: 03/01/2008 01:29:09 AM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer REN
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{94F7EC62-3489-4D0A-BD13.
The master browser is stopping or an election is being forced.

Event Record #/Type145321 / Error
Event Submitted/Written: 02/29/2008 08:44:06 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type145320 / Warning
Event Submitted/Written: 02/29/2008 08:43:34 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type145319 / Error
Event Submitted/Written: 02/29/2008 08:42:57 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type145318 / Error
Event Submitted/Written: 02/29/2008 08:01:03 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type



-- End of Deckard's System Scanner: finished at 2008-03-01 01:49:29 ------------

Ed Zinn
  • 0

#4
kahdah
Posted 29 February 2008 - 08:19 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
=======================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\6e1i6x167fecxadz8y.vbs
C:\WINDOWS\SYSTEM32\kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc.vbs
C:\WINDOWS\SYSTEM32\ci5ma15rjigleuyl3c2idh8zx36fff7.vbs
C:\WINDOWS\pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9.vbs
C:\WINDOWS\9yl2q6ng8m3irrlch0614ae292s8u.vbs
C:\WINDOWS\system32\sprt_ads.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\Documents and Settings\Ed\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe 
C:\WINDOWS\Tasks\AFA37C6591CCF04D.job
C:\Program Files\rect cake dash
C:\Documents and Settings\All Users\Application Data\Frag great bend logo
C:\Documents and Settings\Ed\Application Data\rect cake dash
C:\Program Files\Dcads Games Collection
C:\WINDOWS\system32\win32gl
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================
Also post a new Dss log it will only produce one log this time.
  • 0

#5
edzinn
Posted 01 March 2008 - 12:34 AM

edzinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Kahdah,
Hello again.
My comupter is no longer being hijacked by that website. I am not sure which scan did the trick.
Thanks
do you see anything else that seems to be a big problem. the computer is still running very slow and I am considering ghosting drive C to see if this will help.
should I run any of these scan on a regular basis?
thanks so much for your help it is greatly appreciated.
ed
here is the results from the move it folder

File/Folder C:\WINDOWS\6e1i6x167fecxadz8y.vbs not found.
File/Folder C:\WINDOWS\SYSTEM32\kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc.vbs not found.
File/Folder C:\WINDOWS\SYSTEM32\ci5ma15rjigleuyl3c2idh8zx36fff7.vbs not found.
File/Folder C:\WINDOWS\pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9.vbs not found.
File/Folder C:\WINDOWS\9yl2q6ng8m3irrlch0614ae292s8u.vbs not found.
C:\WINDOWS\system32\sprt_ads.dll unregistered successfully.
C:\WINDOWS\system32\sprt_ads.dll moved successfully.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe moved successfully.
C:\WINDOWS\system32\superiorads-uninst.exe moved successfully.
C:\WINDOWS\system32\dcads-remove.exe moved successfully.
C:\WINDOWS\system32\mysidesearch_sidebar.dll NOT unregistered.
C:\WINDOWS\system32\mysidesearch_sidebar.dll moved successfully.
C:\Documents and Settings\Ed\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe moved successfully.
C:\WINDOWS\Tasks\AFA37C6591CCF04D.job moved successfully.
C:\Program Files\rect cake dash moved successfully.
Folder move failed. C:\Documents and Settings\All Users\Application Data\Frag great bend logo scheduled to be moved on reboot.
C:\Documents and Settings\Ed\Application Data\rect cake dash moved successfully.
C:\Program Files\Dcads Games Collection moved successfully.
C:\WINDOWS\system32\win32gl moved successfully.

OTMoveIt2 v1.0.20 log created on 03012008_141828
  • 0

#6
kahdah
Posted 01 March 2008 - 07:04 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts

I am considering ghosting drive C

I wouldnt do that yet as you would have an infected backup.

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc] C:\WINDOWS\SYSTEM32\kqduizizjds4m25tsryapcv5b32vz00f0jibfpkwntxlmcrdmqc.vbs
O4 - HKLM\..\Run: [ci5ma15rjigleuyl3c2idh8zx36fff7] C:\WINDOWS\SYSTEM32\ci5ma15rjigleuyl3c2idh8zx36fff7.vbs
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\ooze love.exe
O4 - HKCU\..\Run: [pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9] C:\WINDOWS\pwizn3oe6joj9exw4z28czh0q58146amdbr9bk7o3c62lkimypzn3oe6joj9.vbs
O4 - HKCU\..\Run: [9yl2q6ng8m3irrlch0614ae292s8u] C:\WINDOWS\9yl2q6ng8m3irrlch0614ae292s8u.vbs
O4 - HKCU\..\Run: [6e1i6x167fecxadz8y] C:\WINDOWS\6e1i6x167fecxadz8y.vbs


Now click on Fix Checked and then close Hijackthis.
======================================
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\All Users\Application Data\Frag great bend logo\ooze love.exe
C:\Documents and Settings\All Users\Application Data\Frag great bend logo
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=============================

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a new Hijackthis log.

  • 0

#7
edzinn
Posted 01 March 2008 - 11:55 PM

edzinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Kahdah,
Hello agin,
here are the results of the Kaspersky scan and the new hijack this scan.

Kaspersky Online ScannerWelcome to the Kaspersky Online Scanner! Use it to
scan your PC for viruses and other malware for free
Warning: if you have installed Kaspersky Online Scanner Pro, please
manually uninstall it using "Add/Remove Programs" before installing this
version! Otherwise this version will not function correctly.

Benefits:


Kaspersky Anti-Virus exceptional detection rates and thorough scanning
Hourly AV database updates available each time the Online Scanner is
launched
Heuristic analysis to detect unknown viruses
Simple installation (just click on a link)

Requirements and limitations:


When using this service for the first time, you have to run with
Administrator privileges in order to install the product. Also, you will
need to download and install files about 400 KB in size followed by 9 MB
of virus definitions.
However, if you use the Online Scanner again, you will only need to
download the files that have been updated since your last scan.
The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX
technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner
work only with MS Internet Explorer 6.0 or higher.
We cannot guarantee that the Online Scanner will function correctly if you
are using any other browser or any Internet Explorer extensions (such as
AvantBrowser). If you use a different browser, you can use the Kaspersky
File Scanner to scan individual files.
The free Kaspersky Online Scanner does not scan boot sectors and MBRs, so
it cannot detect malicious code located in these areas.
Please note: The free Kaspersky Online Scanner does not protect against
malicious code, and cannot prevent future infections. It only detects
malware that has already penetrated your computer. We strongly recommend
that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious
programs found on your computer during the scanning process. The
information will be sent to the Kaspersky Virus Lab for statistical
purposes. No personal information about you or specific information about
your system will be collected or transmitted to Kaspersky Lab.











Select: All, None, Suspicious Selected objects: 0




Scan settings:
Here you can configure the scanning process.

Scan using the following antivirus database:
standard - detect viruses, worms, Trojans,
rootkits
extended - protect your computer from Spyware,
adware, dialers and potentially dangerous
software such as remote access utilities, prank
programs and jokes. We do not recommend this
option to beginners or inexperienced users.

Scan options:
Scan Archives - scan files inside archives
Note: affects all targets except 'A
File...' scan target.
Scan Mail Bases - scan e-mails/attachments
inside mail base files
Note: affects all targets except 'My
Email' and 'A File...' scan targets.







Initialize Kaspersky Online Scanner
(downloading and installing Kaspersky Online
Scanner ActiveX from the server into your
computer)





Update Kaspersky Anti-Virus Databases [100%]:
(downloading and installing the latest Kaspersky
Anti-Virus Databases)





Please wait to update the virus definitions...
Downloading from url:
http://downloads1.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kavset.xml
Downloading remote file: soft.xml
Downloading remote file: updcfg.xml
Downloading remote file: kernel.avc
Downloading from url:
http://downloads2.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Downloading remote file: krnunp.avc
Downloading remote file: krnexe.avc
Downloading remote file: krnmacro.avc
Downloading remote file: krnjava.avc
Downloading remote file: krndos.avc
Downloading remote file: krngen.avc
Downloading remote file: krnexe32.avc
Downloading remote file: krnengn.avc
Downloading remote file: krn001.avc
Downloading remote file: krn002.avc
Downloading remote file: krn003.avc
Downloading remote file: krn004.avc
Downloading remote file: krn005.avc
Downloading remote file: smart.avc
Downloading remote file: ocr.avc
Downloading remote file: chuka.avc
Downloading remote file: fa001.avc
Downloading remote file: base001c.avc
Downloading remote file: base002c.avc
Downloading remote file: base003c.avc
Downloading remote file: base004c.avc
Downloading remote file: base005c.avc
Downloading remote file: base006c.avc
Downloading remote file: base007c.avc
Downloading remote file: base008c.avc
Downloading remote file: base009c.avc
Downloading remote file: base010c.avc
Downloading remote file: base011c.avc
Downloading remote file: base012c.avc
Downloading remote file: base013c.avc
Downloading remote file: base014c.avc
Downloading remote file: base015c.avc
Downloading remote file: base016c.avc
Downloading remote file: base017c.avc
Downloading remote file: base018c.avc
Downloading remote file: base019c.avc
Downloading remote file: base020c.avc
Downloading remote file: base021c.avc
Downloading remote file: base022c.avc
Downloading remote file: base023c.avc
Downloading remote file: base024c.avc
Downloading remote file: base025c.avc
Downloading remote file: base026c.avc
Downloading remote file: base027c.avc
Downloading remote file: base028c.avc
Downloading remote file: base029c.avc
Downloading remote file: base030c.avc
Downloading remote file: base031c.avc
Downloading remote file: base032c.avc
Downloading remote file: base033c.avc
Downloading remote file: base034c.avc
Downloading remote file: base035c.avc
Downloading remote file: base036c.avc
Downloading remote file: base037c.avc
Downloading remote file: base038c.avc
Downloading remote file: base039c.avc
Downloading from url:
ftp://downloads4.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kavset.xml
Downloading remote file: base039c.avc
Downloading remote file: base040c.avc
Downloading remote file: base041c.avc
Downloading remote file: base042c.avc
Downloading remote file: base043c.avc
Downloading remote file: base044c.avc
Downloading remote file: base045c.avc
Downloading remote file: base046c.avc
Downloading remote file: base047c.avc
Downloading remote file: base048c.avc
Downloading remote file: base049c.avc
Downloading remote file: base050c.avc
Downloading remote file: base051c.avc
Downloading remote file: base052c.avc
Downloading remote file: base053c.avc
Downloading remote file: base054c.avc
Downloading remote file: base055c.avc
Downloading remote file: base056c.avc
Downloading remote file: base057c.avc
Downloading remote file: base058c.avc
Downloading remote file: base059c.avc
Downloading remote file: base060c.avc
Downloading remote file: base061c.avc
Downloading remote file: base062c.avc
Downloading remote file: base063c.avc
Downloading remote file: base064c.avc
Downloading remote file: base065c.avc
Downloading remote file: base066c.avc
Downloading remote file: base067c.avc
Downloading remote file: base068c.avc
Downloading remote file: base069c.avc
Downloading remote file: base070c.avc
Downloading remote file: base071c.avc
Downloading remote file: base072c.avc
Downloading remote file: base073c.avc
Downloading remote file: base074c.avc
Downloading remote file: base075c.avc
Downloading remote file: base076c.avc
Downloading remote file: base077c.avc
Downloading remote file: base078c.avc
Downloading remote file: base079c.avc
Downloading remote file: base080c.avc
Downloading remote file: base081c.avc
Downloading remote file: base082c.avc
Downloading remote file: base083c.avc
Downloading remote file: base084c.avc
Downloading remote file: base085c.avc
Downloading remote file: base086c.avc
Downloading remote file: base087c.avc
Downloading remote file: base088c.avc
Downloading remote file: base089c.avc
Downloading remote file: base090c.avc
Downloading remote file: base091c.avc
Downloading remote file: base092c.avc
Downloading remote file: base093c.avc
Downloading remote file: base094c.avc
Downloading remote file: base095c.avc
Downloading remote file: base096c.avc
Downloading remote file: base097c.avc
Downloading remote file: base098c.avc
Downloading remote file: base099c.avc
Downloading remote file: base100c.avc
Downloading remote file: base101c.avc
Downloading remote file: base102c.avc
Downloading remote file: base103c.avc
Downloading remote file: base104c.avc
Downloading remote file: base105c.avc
Downloading remote file: base106c.avc
Downloading remote file: base107c.avc
Downloading remote file: base108c.avc
Downloading remote file: base109c.avc
Downloading remote file: base110c.avc
Downloading remote file: base111c.avc
Downloading remote file: base112c.avc
Downloading remote file: base113c.avc
Downloading remote file: base114c.avc
Downloading remote file: base115c.avc
Downloading remote file: dailyc.avc
Downloading remote file: ext001c.avc
Downloading remote file: ext002c.avc
Downloading remote file: ext003c.avc
Downloading remote file: ext004c.avc
Downloading remote file: ext005c.avc
Downloading remote file: ext006c.avc
Downloading remote file: ext007c.avc
Downloading remote file: ext008c.avc
Downloading remote file: ext009c.avc
Downloading remote file: ext010c.avc
Downloading remote file: ext011c.avc
Downloading remote file: ext012c.avc
Downloading remote file: ext013c.avc
Downloading remote file: ext014c.avc
Downloading remote file: daily-ec.avc
Downloading remote file: base001.avc
Downloading remote file: base002.avc
Downloading remote file: base003.avc
Downloading remote file: base004.avc
Downloading remote file: base005.avc
Downloading remote file: base006.avc
Downloading remote file: base007.avc
Downloading remote file: base008.avc
Downloading remote file: base009.avc
Downloading remote file: base010.avc
Downloading remote file: base011.avc
Downloading remote file: base012.avc
Downloading remote file: base013.avc
Downloading remote file: base014.avc
Downloading remote file: base015.avc
Downloading remote file: base016.avc
Downloading remote file: base017.avc
Downloading remote file: base018.avc
Downloading remote file: base019.avc
Downloading remote file: base020.avc
Downloading remote file: base021.avc
Downloading remote file: base022.avc
Downloading remote file: base023.avc
Downloading remote file: base024.avc
Downloading remote file: base025.avc
Downloading remote file: base026.avc
Downloading remote file: base027.avc
Downloading remote file: base028.avc
Downloading remote file: base029.avc
Downloading remote file: base030.avc
Downloading remote file: base031.avc
Downloading remote file: base032.avc
Downloading remote file: base033.avc
Downloading remote file: base034.avc
Downloading remote file: base035.avc
Downloading remote file: base036.avc
Downloading remote file: base037.avc
Downloading remote file: base038.avc
Downloading remote file: base039.avc
Downloading remote file: base040.avc
Downloading remote file: base041.avc
Downloading remote file: base042.avc
Downloading remote file: base043.avc
Downloading remote file: base044.avc
Downloading remote file: base045.avc
Downloading remote file: base046.avc
Downloading remote file: base047.avc
Downloading remote file: base048.avc
Downloading remote file: base049.avc
Downloading remote file: base050.avc
Downloading remote file: base051.avc
Downloading remote file: base052.avc
Downloading remote file: base053.avc
Downloading remote file: base054.avc
Downloading remote file: base055.avc
Downloading remote file: base056.avc
Downloading remote file: base057.avc
Downloading remote file: base058.avc
Downloading remote file: base059.avc
Downloading remote file: base060.avc
Downloading remote file: base061.avc
Downloading remote file: base062.avc
Downloading remote file: base063.avc
Downloading remote file: base064.avc
Downloading remote file: base065.avc
Downloading remote file: base066.avc
Downloading remote file: base067.avc
Downloading remote file: base068.avc
Downloading remote file: base069.avc
Downloading remote file: base070.avc
Downloading remote file: base071.avc
Downloading remote file: base072.avc
Downloading remote file: base073.avc
Downloading remote file: base074.avc
Downloading remote file: base075.avc
Downloading remote file: base076.avc
Downloading remote file: base077.avc
Downloading remote file: base078.avc
Downloading remote file: base079.avc
Downloading remote file: base080.avc
Downloading remote file: base081.avc
Downloading remote file: base082.avc
Downloading remote file: base083.avc
Downloading remote file: base084.avc
Downloading remote file: base085.avc
Downloading remote file: base086.avc
Downloading remote file: base087.avc
Downloading remote file: base088.avc
Downloading remote file: base089.avc
Downloading remote file: base090.avc
Downloading remote file: base091.avc
Downloading remote file: base092.avc
Downloading remote file: base093.avc
Downloading remote file: base094.avc
Downloading remote file: base095.avc
Downloading remote file: base096.avc
Downloading remote file: base097.avc
Downloading remote file: base098.avc
Downloading remote file: base099.avc
Downloading remote file: base100.avc
Downloading remote file: base101.avc
Downloading remote file: base102.avc
Downloading remote file: base103.avc
Downloading remote file: base104.avc
Downloading remote file: base105.avc
Downloading remote file: base106.avc
Downloading remote file: base107.avc
Downloading remote file: base108.avc
Downloading remote file: base109.avc
Downloading remote file: base110.avc
Downloading remote file: base111.avc
Downloading remote file: base112.avc
Downloading remote file: base113.avc
Downloading remote file: base114.avc
Downloading remote file: base115.avc
Downloading remote file: base116.avc
Downloading remote file: base117.avc
Downloading remote file: base118.avc
Downloading remote file: base119.avc
Downloading remote file: base120.avc
Downloading remote file: base121.avc
Downloading remote file: base122.avc
Downloading remote file: base123.avc
Downloading remote file: base124.avc
Downloading remote file: base125.avc
Downloading remote file: base126.avc
Downloading remote file: base127.avc
Downloading remote file: base128.avc
Downloading remote file: base129.avc
Downloading remote file: base130.avc
Downloading remote file: base131.avc
Downloading remote file: base132.avc
Downloading remote file: base133.avc
Downloading remote file: base134.avc
Downloading remote file: base135.avc
Downloading remote file: base136.avc
Downloading remote file: base137.avc
Downloading remote file: base138.avc
Downloading remote file: base139.avc
Downloading remote file: base140.avc
Downloading remote file: base141.avc
Downloading remote file: base142.avc
Downloading remote file: base143.avc
Downloading remote file: base144.avc
Downloading remote file: base145.avc
Downloading remote file: base146.avc
Downloading remote file: base147.avc
Downloading remote file: base148.avc
Downloading remote file: base149.avc
Downloading remote file: base150.avc
Downloading remote file: base151.avc
Downloading remote file: base152.avc
Downloading remote file: base153.avc
Downloading remote file: base154.avc
Downloading remote file: base155.avc
Downloading remote file: base156.avc
Downloading remote file: base157.avc
Downloading remote file: base158.avc
Downloading remote file: base159.avc
Downloading remote file: base160.avc
Downloading remote file: base161.avc
Downloading remote file: base162.avc
Downloading remote file: base163.avc
Downloading remote file: base999.avc
Downloading remote file: unp000.avc
Downloading remote file: unp001.avc
Downloading remote file: unp002.avc
Downloading remote file: unp003.avc
Downloading remote file: unp004.avc
Downloading remote file: unp005.avc
Downloading remote file: unp006.avc
Downloading remote file: unp007.avc
Downloading remote file: unp008.avc
Downloading remote file: unp009.avc
Downloading remote file: unp010.avc
Downloading remote file: unp011.avc
Downloading remote file: unp012.avc
Downloading remote file: unp013.avc
Downloading remote file: unp014.avc
Downloading remote file: unp015.avc
Downloading remote file: unp016.avc
Downloading remote file: unp017.avc
Downloading remote file: unp018.avc
Downloading remote file: unp019.avc
Downloading remote file: unp020.avc
Downloading remote file: unp021.avc
Downloading remote file: unp022.avc
Downloading remote file: unp023.avc
Downloading remote file: unp024.avc
Downloading remote file: unp025.avc
Downloading remote file: unp026.avc
Downloading remote file: unp027.avc
Downloading remote file: unp028.avc
Downloading remote file: unp029.avc
Downloading remote file: unp030.avc
Downloading remote file: unp031.avc
Downloading remote file: unp032.avc
Downloading remote file: unp033.avc
Downloading remote file: unp034.avc
Downloading remote file: unp035.avc
Downloading remote file: unp036.avc
Downloading remote file: unp037.avc
Downloading remote file: unp038.avc
Downloading remote file: unp039.avc
Downloading remote file: daily.avc
Downloading remote file: daily-ex.avc
Downloading remote file: urgent.avc
Downloading remote file: mail.avc
Downloading remote file: ext001.avc
Downloading remote file: ext002.avc
Downloading remote file: ext003.avc
Downloading remote file: ext004.avc
Downloading remote file: ext005.avc
Downloading remote file: ext006.avc
Downloading remote file: ext007.avc
Downloading remote file: ext008.avc
Downloading remote file: ext009.avc
Downloading remote file: ext999.avc
Downloading remote file: gen001.avc
Downloading remote file: gen002.avc
Downloading remote file: gen003.avc
Downloading remote file: gen004.avc
Downloading remote file: gen005.avc
Downloading remote file: gen999.avc
Downloading remote file: ca.avc
Downloading remote file: fa.avc
Downloading remote file: eicar.avc
Downloading remote file: verdicts.ini
Downloading remote file: engine.dt
Downloading remote file: engine.cfg
Downloading remote file: avcmhk5.mhk
Downloading remote file: black.lst
Downloading remote file: avp.set
Downloading remote file: avp_ext.set
Downloading remote file: avp_x.set
Downloading remote file: avp.vnd
Downloading remote file: avp.klb
Downloading remote file: soft.ver
Update finished. Ready to scan.
Next
Please select a target to scan:
You can configure the scanning process by
pressing "Scan Settings" button.



Critical Areas
scan critical areas of your hard disks
specified in %windir% and %tmp% system variables
Memory
scan disk modules of running processes
My Computer
scan all your hard and mapped disks
My Email
scan all your hard and mapped disks only for the
following extensions: *.PST; *.MSG; *.OST;
*.MDB; *.DBX; *.EML; *.MBS
Folders...
scan selected folders
A File...
scan a one file





Warning: The Kaspersky Online Scanner may not
run successfully while any other Anti-Virus
software is running. If you have Anti-Virus
software installed, please disable your AV
protection before running the Kaspersky Online
Scanner.
Selected target: My Computer
Source: A:\; C:\; D:\; E:\; F:\; G:\; H:\;


Report is empty.
Please note: The free Kaspersky Online Scanner
does not provide comprehensive protection and
cannot prevent future infections. It only
detects malware that has already penetrated your
storage devices. We strongly recommend that you
use a fully-functional antivirus solution to
protect your computer at all times.

Please wait, this process may take a long time
depending on the selected target. If you want to
continue browsing, open a new window.

Scan Progress [99%]:







Total number of scanned objects:94643
Number of viruses found:2
Number of infected objects:7
Number of suspicious objects:0
Duration of the scan process:01:27:45
Stop Scan








Get a Free Trial


Buy Kaspersky Anti-Virus


Help


Virus Encyclopedia


Kaspersky Lab






Product Info
You have Kaspersky Online Scanner version 5.0.98.0
installed. The current anti-virus database was
released on Saturday, March 01, 2008 and contains
592239 records.

System Info
Operating System: Microsoft Windows XP Home
Edition, Service Pack 2 (Build 2600)Please wait
while the Kaspersky Online Scanner is initializing
and updating...





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:42 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\program file\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lvllord.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\New Folder\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [corn proc] C:\DOCUME~1\Ed\APPLIC~1\RECTCA~1\Wait about.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Fantastic Flame Agent.lnk = F:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94F7EC62-3489-4D0A-BD13-BA7CDBE8B9E2}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\New Folder\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10137 bytes


thanks
ed
PS when i said I was thingk of ghosting C:drive I meant to use the ghost progam and reset it to the values when I purchased the cmputer, not setting a ghost now.
ed
  • 0

#8
kahdah
Posted 02 March 2008 - 08:10 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok we are almost done.

That is the wrong log I need to see the reulsts log that shows the infection points please.
  • 0

#9
edzinn
Posted 03 March 2008 - 03:22 AM

edzinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
kahdah,
I will try again, but i could not find a place to save the scan, so maybe it did not load completely. that was the only way i could save it.
will run again and see if I can save it.
ed
  • 0

#10
kahdah
Posted 03 March 2008 - 03:36 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hmmm try this one instead
Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

  • 0

Advertisements

#11
edzinn
Posted 03 March 2008 - 07:34 AM

edzinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Kahdah
I ran the Kaspersky again and this is the result, do you want to run the panda online scan again?
ed

KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 9:27:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 593880
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 95486
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:32:06

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Ed\LOCALS~1\Temp\NeroDemo12550\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Ed\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\MSHist012008030320080304\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF4233.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF46DC.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF8B82.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ed\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078876.vbs Object is locked skipped
C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078877.vbs Object is locked skipped
C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078878.vbs Object is locked skipped
C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078879.vbs Object is locked skipped
C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078880.vbs Object is locked skipped
C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078882.vbs Object is locked skipped
C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP379\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
F:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
F:\Bit downloads\100 Greatest Rock Guitar Solos\004) Pink Floyd - Comfortably Numb.mp3.bc! Object is locked skipped
F:\Bit downloads\100 Greatest Rock Guitar Solos\031) Ted Nugent - Stranglehold.mp3.bc! Object is locked skipped
F:\Bit downloads\100 Greatest Rock Guitar Solos\040) Steely Dan - Reelin' in the Years.mp3.bc! Object is locked skipped
F:\Bit downloads\100 Greatest Rock Guitar Solos\044) Pearl Jam - Alive.mp3.bc! Object is locked skipped
F:\Bit downloads\100 Greatest Rock Guitar Solos\045) Doors - Light My Fire.mp3.bc! Object is locked skipped
F:\Bit downloads\100 Greatest Rock Guitar Solos\085) David Bowie - Moonage Daydream.mp3.bc! Object is locked skipped
F:\Bit downloads\AA.VV. - 100 Hits Forever\100 Hits For Ever CD3\3-10 You've Made Me So Very Happy.mp3.bc! Object is locked skipped
F:\Bit downloads\AA.VV. - 100 Hits Forever\100 Hits For Ever CD3\3-15 Brown Eyed Girl.mp3.bc! Object is locked skipped
F:\Bit downloads\AA.VV. - 100 Hits Forever\100 Hits For Ever CD5\5-03 The Final Countdown.mp3.bc! Object is locked skipped
F:\Bit downloads\AA.VV. - 100 Hits Forever\100 Hits For Ever CD6\6-12 You're the only one I love.mp3.bc! Object is locked skipped
F:\Bit downloads\Aliens.Vs.Predator.DVD.Collection.[PC-DVD].[2007]-DEVILSEYE\Aliens.Vs.Predator.DVD.Collection.[PC-DVD].[2007]-DEVILSEYE.iso.bc! Object is locked skipped
F:\Bit downloads\Need For Speed Underground (Originail Images) (Play Online)\CD 1\NFS U CD1INSTAL.iso.bc! Object is locked skipped
F:\Bit downloads\Smallville.S07E12.PROPER.HDTV.XviD-XOR.avi.bc! Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP379\change.log Object is locked skipped

Scan process completed.
  • 0

#12
kahdah
Posted 03 March 2008 - 07:31 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No that was the log I needed to see.
And it is clean :)

Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
=======================
After that please update your Java:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4 and save it to your desktop.
  • Scroll down to where it says "JJava Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
===========================================================================
Then I will need you to reset your System Restore points, please note that you will need to log into your computer with an account which has full administrator access.
You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.

2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.


How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
===================================================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#13
edzinn
Posted 04 March 2008 - 05:17 AM

edzinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Kahdah,
I went ahead and ran the panda scan also.
we are working on the java update, it has not updated automatically for a long time.
i am begining the process for my laptop it has the same problem
should I start a new post or just continue this one?
if I make a donation where does it go.

here is the result of the panda scan if you are interested

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-03-04 19:13:32
PROTECTIONS: 2
MALWARE: 17
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.516 7.5.516 Yes Yes
Eset NOD32 antivirus system 2.51 2.51 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.247realmedia.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.tribalfusion.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.xiti.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\[email protected][1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\[email protected][2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\6613q2y5.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@questionmarket[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Ed\Cookies\ed@atwola[2].txt
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Documents and Settings\Ed\Local Settings\Temp\nircmd.exe
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\7S1VKZ41\Flash_Disinfector[1].exe[nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Ed\Desktop\Flash_Disinfector.exe[nircmd.exe]
00527204 Application/PRScheduler HackTools No 0 Yes No C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP379\A0079284.exe
01048936 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078881.dll
02698213 Adware/DivoCodec Adware No 0 Yes No C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP373\snapshot\MFEX-2.DAT
02698213 Adware/DivoCodec Adware No 0 Yes No D:\Program Files\Grisoft\DivoCodec\WakeService.exe
02698214 Adware/DivoCodec Adware No 0 Yes No D:\Program Files\Grisoft\DivoCodec\WakeSplitter.ax
02698214 Adware/DivoCodec Adware No 0 Yes No C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP373\snapshot\MFEX-1.DAT
02729337 Vbs/ReThaRan.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B1AE7DD7-F8CF-4244-9B35-B955D004E69A}\RP370\A0078879.vbs
;===============================================================================
=================================================================================
===================
SUSPECTS
Location
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================


thanks
ed
  • 0

#14
kahdah
Posted 04 March 2008 - 07:32 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Donations go directly to me.

If you have another computer with a malware problem when we are done here you can post a Hijackthis log in this thread and I will help you clean it.

Just some leftovers.
=====================
Please download the OTMoveIt2 by OldTimer.(Unless you still have it)
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Ed\Local Settings\Temp\nircmd.exe
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\7S1VKZ41\Flash_Disinfector[1].exe
D:\Program Files\Grisoft\DivoCodec\WakeService.exe
D:\Program Files\Grisoft\DivoCodec\WakeSplitter.ax
D:\Program Files\Grisoft\DivoCodec
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=================
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==================================================================
Post the OT MOveit 2 log and we will finish this one.
  • 0

#15
edzinn
Posted 07 March 2008 - 07:47 AM

edzinn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
kahdah
hello again, here is the information from my laptop. it had teh same problem going to a thailand web sitel. which appreas to be gone now but i was wondering if there is anything else I need to clean out.
thanks

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:23 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://sh/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1180614466662
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 8641 bytes


panda scan

Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Virus:Vbs/ReThaRan.A Disinfected C:\WINDOWS\fm9pdv4e8umjohx1pn6l7hkb07zyw9d2it7c.vbs
Virus:Vbs/ReThaRan.A Disinfected C:\WINDOWS\o542q6ng8m3irrlch0614ae292s8u37cofdtcbnaqff956kp0sq6ng8m3irrl.vbs
Virus:Vbs/ReThaRan.A Disinfected C:\WINDOWS\system32\qwj0o4loe7k1gpjafyx4z28c0i1r69156bmdbr9cl8o3d73linyqo4loe7k1gpjaf.vbs
AVG found 3 viruses but i can't get the log
c:/windows\fm9pdv4e8umjohx1pn617hkb07zyw0d2it7c.vbs
c:/windows\o542q6ng8m3irrlch0614ae292s8u37cofdtcbnaqff956kp0sq6n8m3irr.vbs
c:windows\sysytem32\qwj0o4loe7k1gpjafyx4z28c0i1r69156bmdbr9cl8o3d73linyqo4loe7k1gpjaf.vbs

I am tyrying to find the reports for the avg spyware and superanitspyware. i will post as soon as i find or run again.
thanks
ed
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP