
Hijack Log inside-Win Live Messenger and pop up issues [RESOLVED]



#1 cota33 (Member, 12 posts)

My messenger is sending out porn links to my contacts. Also have pop-ups. Noticed yesterday while on my computer it looked like someone else was typing in my address bar. I ran a Norton virus scan and AVG. Found a winbot32 and tracking cookies. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:33 PM, on 2/28/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\xcopy32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Windows\ehome\ehmsas.exe
C:\ProgramData\MSNCS\data\dpnsvrm.exe
C:\ProgramData\MSNCS\data\vssvcm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MT6451
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [adsnwm] C:\Windows\system32\adsnwm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Microsoft Windows Update] C:\Windows\ctfmon.exe
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] xcopy32.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" -auto
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFEBB90-F23F-4A38-A03F-858285E72F4D}: NameServer = 66.174.95.44 69.78.96.14
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 9624 bytes


#2 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)

Hello

Please download MsnCleaner.zip and Save it to your Desktop.
  • Unzip it to the Desktop.
  • Now reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double-click MsnCleaner.exe to run it.
  • Click the Analyze button.
  • A report will be created once the scan has finished.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post along with a new HJT log.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 cota33 (Topic Starter, Member, 12 posts)

Thanks. The second program only gave me a main.txt. Here is what I have.

- Logfile MSNCleaner 1.5.5 by www.forospyware.com
- Created Logfile: 2/29/2008 on 4:21:24 PM
- Operative System: Windows Vista
- Boot mode: Safe mode
_________________________________________

Detected files: 3
Deleted file: 0
Undeleted Files: 0

C:\Users\Effaney\AppData\Local\Temp\svchost.exe
C:\Windows\nsreg.dat
C:\Windows\svchost.exe



Deckard's System Scanner v20071014.68
Run by Effaney on 2008-02-29 18:06:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Effaney.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:31 PM, on 2/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\xcopy32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\ProgramData\MSNCS\data\dpnsvrm.exe
C:\ProgramData\MSNCS\data\vssvcm.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Effaney\Desktop\dss.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Effaney.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MT6451
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [adsnwm] C:\Windows\system32\adsnwm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Microsoft Windows Update] C:\Windows\ctfmon.exe
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] xcopy32.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" -auto
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFEBB90-F23F-4A38-A03F-858285E72F4D}: NameServer = 66.174.95.44 69.78.96.14
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 9832 bytes

-- Files created between 2008-01-29 and 2008-02-29 -----------------------------

2008-02-29 16:21:16 0 d-------- C:\BackUpMSNCleaner
2008-02-28 22:26:16 0 d-------- C:\Program Files\Trend Micro
2008-02-28 17:13:09 0 d-------- C:\Program Files\PopCap Games
2008-02-28 17:11:47 0 d-------- C:\Program Files\Zuma Deluxe
2008-02-28 02:30:06 0 d-------- C:\Users\All Users\ZangoSA
2008-02-28 02:30:06 0 d-------- C:\Users\All Users\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2008-02-28 02:29:38 0 d-------- C:\Program Files\Zango
2008-02-27 17:56:03 0 d-------- C:\Users\Effaney\LimeWire Shared
2008-02-27 12:10:10 614400 -r-hs---- C:\Windows\xcopy32.exe
2008-02-26 14:15:53 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 14:15:26 0 d-------- C:\Program Files\Windows Live
2008-02-26 14:14:27 0 d-------- C:\Users\All Users\WLInstaller
2008-02-25 22:44:37 0 d-------- C:\Users\All Users\PopCap Games
2008-02-25 22:43:11 0 d-------- C:\Program Files\Yahoo! Games
2008-02-21 13:52:22 164352 --a------ C:\Windows\system32\unrar.dll
2008-02-21 13:52:19 217088 --a------ C:\Windows\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-02-21 13:52:19 159839 --a------ C:\Windows\system32\xvidvfw.dll
2008-02-21 13:52:19 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-02-21 13:52:18 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-02-21 13:52:18 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 13:52:16 682496 --a------ C:\Windows\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 13:52:15 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-02-21 13:52:13 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-02-19 08:19:39 0 d-------- C:\Program Files\PCPitstop
2008-02-15 14:37:43 0 d-------- C:\Program Files\ATI Technologies
2008-02-15 14:37:39 0 d-------- C:\Program Files\ATI
2008-02-11 15:30:25 0 d-------- C:\My Games
2008-02-11 15:27:13 0 d-------- C:\Program Files\RealArcade
2008-02-09 13:36:18 614400 --a------ C:\Windows\svchost.exe
2008-02-06 16:55:42 0 d-------- C:\Users\Effaney\LimeWire Store Purchased
2008-02-05 22:57:59 0 d-------- C:\Program Files\Norton 360
2008-02-05 22:52:59 0 d-------- C:\Program Files\Symantec
2008-02-05 22:52:52 0 d-------- C:\Users\All Users\Symantec
2008-02-05 22:51:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-04 16:34:32 1158 --a------ C:\Windows\mozver.dat
2008-02-04 16:25:51 0 --a------ C:\Windows\nsreg.dat
2008-01-30 08:27:46 0 d-------- C:\Users\All Users\Lavasoft
2008-01-30 08:26:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-02-29 16:17:36 12 --a------ C:\Windows\bthservsdp.dat
2008-02-29 00:53:04 0 d-------- C:\Users\Effaney\AppData\Roaming\LimeWire
2008-02-28 02:30:03 0 d-------- C:\Users\Effaney\AppData\Roaming\WeatherDPA
2008-02-28 02:29:38 0 d-------- C:\Users\Effaney\AppData\Roaming\Zango
2008-02-26 14:15:53 0 d-------- C:\Program Files\Common Files
2008-02-21 19:12:40 0 d-------- C:\Users\Effaney\AppData\Roaming\Media Player Classic
2008-02-20 12:48:24 2110 --a------ C:\Users\Effaney\AppData\Roaming\wklnhst.dat
2008-02-13 10:49:20 0 d-------- C:\Program Files\Maxima-5.14.0
2008-02-11 15:53:37 0 d-------- C:\Users\Effaney\AppData\Roaming\BloodTies
2008-02-09 09:33:26 0 d-------- C:\Users\Effaney\AppData\Roaming\PictureTrail
2008-02-06 16:51:03 0 d-------- C:\Program Files\LimeWire
2008-02-06 10:28:21 0 d-------- C:\Users\Effaney\AppData\Roaming\Symantec
2008-02-04 16:25:48 0 d-------- C:\Users\Effaney\AppData\Roaming\Mozilla
2008-02-04 16:06:36 0 d-------- C:\Program Files\DivX
2008-02-04 14:05:07 0 d-------- C:\Users\Effaney\AppData\Roaming\Move Networks
2008-02-03 21:20:04 0 d-------- C:\Users\Effaney\AppData\Roaming\Opera
2008-01-30 08:27:47 0 d-------- C:\Program Files\Lavasoft
2008-01-28 07:25:41 0 d-------- C:\Program Files\Real
2008-01-28 07:14:36 0 d-------- C:\Program Files\Coupons
2008-01-27 08:33:27 0 d-------- C:\Users\Effaney\AppData\Roaming\Adobe
2008-01-24 14:18:47 122824 --a------ C:\Windows\hpoins14.dat
2008-01-24 14:15:52 0 d-------- C:\Program Files\Hewlett-Packard
2008-01-24 14:15:20 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-24 14:10:48 0 d-------- C:\Program Files\HP
2008-01-09 10:30:28 0 d-------- C:\Program Files\Windows Mail
2008-01-09 10:24:51 0 d-------- C:\Program Files\Windows Sidebar
2007-12-31 22:04:26 0 d-------- C:\Users\Effaney\AppData\Roaming\UseNeXT
2007-12-31 17:40:43 0 d-------- C:\Program Files\PANTECH


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}]
C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}"= C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}]
[HKEY_CLASSES_ROOT\HostIE.Bho.1]
[HKEY_CLASSES_ROOT\TypeLib\{A57470DE-14C7-4FCD-9D4C-E5711F24F0ED}]
[HKEY_CLASSES_ROOT\HostIE.Bho]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/12/2007 04:33 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/19/2006 06:37 PM]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [10/23/2006 10:40 PM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 10:43 PM]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [11/16/2006 06:04 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 01:18 AM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/11/2007 12:52 PM]
"DropBoxUtility"="C:\Program Files\DropBox\DropBox\DropBox.exe" [12/02/2007 04:26 PM]
"adsnwm"="C:\Windows\system32\adsnwm.exe" [04/04/2007 10:24 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"Microsoft Windows Update"="C:\Windows\ctfmon.exe" []
"Microsoft Windows Automatic Updater"="xcopy32.exe" [02/09/2008 01:36 PM C:\Windows\xcopy32.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 06:35 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" []
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 06:36 AM]
"WeatherDPA"="C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" []

C:\Users\Effaney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 4:45:42 AM]
VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [11/8/2007 6:51:12 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-02-29 18:08:24 ------------

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [adsnwm] C:\Windows\system32\adsnwm.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] C:\Windows\ctfmon.exe
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] xcopy32.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Users\All Users\ZangoSA
    C:\Users\All Users\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
    C:\Program Files\Zango
    C:\Windows\xcopy32.exe
    C:\Windows\svchost.exe
    C:\Program Files\Zango
    C:\Windows\ctfmon.exe
    C:\Windows\system32\adsnwm.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
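The entries Rorschach112 singled out above share a few log-visible properties: a system-binary name running from the wrong directory, an autorun value with no path at all, a BHO/toolbar registration whose DLL is gone, and a hidden+system executable dropped straight into C:\Windows. The script below is an added example for this thread (not code from the thread, from HijackThis, DSS or OTMoveIt2) that parses O2/O3/O4 lines and DSS "Files created" lines and reports those properties; the SYSTEM32_BINARIES set and the reason strings are its own assumptions, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage of HijackThis O2/O3/O4 lines and DSS "Files created" lines.
Added example for this thread, not code from the thread or from HijackThis,
DSS or OTMoveIt2. SYSTEM32_BINARIES and the reason strings are this
example's own assumptions; SAMPLE_LOG is copied from the logs posted above."""
import re

# Windows binaries that belong in %SystemRoot%\System32: a copy running from
# another directory is a classic masquerade. Short on purpose (assumption).
SYSTEM32_BINARIES = {"ctfmon.exe", "svchost.exe", "rundll32.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - .+?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# DSS line: date time size attrs path [<Not Verified; vendor; description>]
DSS_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ (?P<attrs>[-\w]{9}) "
                    r"(?P<path>[A-Za-z]:\\[^<]*?)\s*(?:<.*>)?$")

def _exe_from_command(cmd: str) -> str:
    """Executable part of an autorun command line, quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def _split(path: str):
    """(lower-cased parent directory or '', lower-cased file name)."""
    base = path.rsplit("\\", 1)[-1].lower()
    return path[: len(path) - len(base)].rstrip("\\").lower(), base

def assess_run_entry(line: str):
    """O4 Run line -> list of reasons ([] means nothing odd); None if not O4."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = _exe_from_command(m.group("cmd"))
    parent, base = _split(exe)
    reasons = []
    if not parent and not exe.startswith("%") and base not in SYSTEM32_BINARIES:
        reasons.append("no path: resolved by PATH search at logon")
    if parent and base in SYSTEM32_BINARIES and not parent.endswith("system32"):
        reasons.append(f"{base} outside System32 ({parent})")
    if re.search(r"windows (automatic )?update", m.group("name"), re.IGNORECASE):
        reasons.append("value name imitates Windows Update")
    return reasons

def assess_bho_entry(line: str):
    """O2 BHO / O3 Toolbar line -> reasons; flags a registration whose DLL is gone."""
    m = BHO_RE.match(line)
    if not m:
        return None
    path = m.group("path").strip()
    if path == "(no file)" or path.endswith("(file missing)"):
        return ["registered CLSID whose DLL is absent (orphaned)"]
    return []

def assess_created_file(line: str):
    """DSS 'Files created' line -> reasons; flags executables dropped into C:\\Windows."""
    m = DSS_RE.match(line)
    if not m:
        return None
    attrs = m.group("attrs")
    parent, base = _split(m.group("path").strip())
    reasons = []
    if attrs[0] == "d":  # directories are out of scope for this check
        return reasons
    if base.endswith(".exe") and parent == "c:\\windows":
        reasons.append("executable dropped directly in C:\\Windows")
        if base in SYSTEM32_BINARIES:
            reasons.append(f"{base} belongs in System32")
    if "h" in attrs and "s" in attrs:
        reasons.append(f"hidden+system attributes ({attrs})")
    return reasons

def triage(log_text: str):
    """Run every assessor over a pasted log; return [(line, reasons)] for flagged lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for assess in (assess_run_entry, assess_bho_entry, assess_created_file):
            reasons = assess(line)
            if reasons is not None:
                if reasons:
                    findings.append((line, reasons))
                break
    return findings

# Sample input constructed from lines quoted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Microsoft Windows Update] C:\Windows\ctfmon.exe
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] xcopy32.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
2008-02-27 12:10:10 614400 -r-hs---- C:\Windows\xcopy32.exe
2008-02-21 13:52:22 164352 --a------ C:\Windows\system32\unrar.dll
2008-02-09 13:36:18 614400 --a------ C:\Windows\svchost.exe
"""
```

Running `triage(SAMPLE_LOG)` flags six of the nine sample lines; the benign Windows Defender, rundll32 and unrar.dll lines pass. A randomly named entry such as adsnwm.exe in System32 needs a reputation lookup, which this offline check does not attempt.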

#5 cota33 (Topic Starter, Member, 12 posts)
Deckard's System Scanner v20071014.68
Run by Effaney on 2008-02-29 19:06:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Effaney.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:39 PM, on 2/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Users\Effaney\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Effaney.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MT6451
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" -auto
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFEBB90-F23F-4A38-A03F-858285E72F4D}: NameServer = 66.174.95.44 69.78.96.14
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 9146 bytes

-- Files created between 2008-01-29 and 2008-02-29 -----------------------------

2008-02-29 16:21:16 0 d-------- C:\BackUpMSNCleaner
2008-02-28 22:26:16 0 d-------- C:\Program Files\Trend Micro
2008-02-28 17:13:09 0 d-------- C:\Program Files\PopCap Games
2008-02-28 17:11:47 0 d-------- C:\Program Files\Zuma Deluxe
2008-02-28 02:29:38 0 d-------- C:\Program Files\Zango
2008-02-27 17:56:03 0 d-------- C:\Users\Effaney\LimeWire Shared
2008-02-27 12:10:10 614400 -r-hs---- C:\Windows\xcopy32.exe
2008-02-26 14:15:53 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 14:15:26 0 d-------- C:\Program Files\Windows Live
2008-02-26 14:14:27 0 d-------- C:\Users\All Users\WLInstaller
2008-02-25 22:44:37 0 d-------- C:\Users\All Users\PopCap Games
2008-02-25 22:43:11 0 d-------- C:\Program Files\Yahoo! Games
2008-02-21 13:52:22 164352 --a------ C:\Windows\system32\unrar.dll
2008-02-21 13:52:19 217088 --a------ C:\Windows\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-02-21 13:52:19 159839 --a------ C:\Windows\system32\xvidvfw.dll
2008-02-21 13:52:19 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-02-21 13:52:18 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-02-21 13:52:18 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 13:52:16 682496 --a------ C:\Windows\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 13:52:15 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-02-21 13:52:13 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-02-19 08:19:39 0 d-------- C:\Program Files\PCPitstop
2008-02-15 14:37:43 0 d-------- C:\Program Files\ATI Technologies
2008-02-15 14:37:39 0 d-------- C:\Program Files\ATI
2008-02-11 15:30:25 0 d-------- C:\My Games
2008-02-11 15:27:13 0 d-------- C:\Program Files\RealArcade
2008-02-09 13:36:18 614400 --a------ C:\Windows\svchost.exe
2008-02-06 16:55:42 0 d-------- C:\Users\Effaney\LimeWire Store Purchased
2008-02-05 22:57:59 0 d-------- C:\Program Files\Norton 360
2008-02-05 22:52:59 0 d-------- C:\Program Files\Symantec
2008-02-05 22:52:52 0 d-------- C:\Users\All Users\Symantec
2008-02-05 22:51:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-04 16:34:32 1158 --a------ C:\Windows\mozver.dat
2008-02-04 16:25:51 0 --a------ C:\Windows\nsreg.dat
2008-01-30 08:27:46 0 d-------- C:\Users\All Users\Lavasoft
2008-01-30 08:26:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-02-29 19:00:02 12 --a------ C:\Windows\bthservsdp.dat
2008-02-29 00:53:04 0 d-------- C:\Users\Effaney\AppData\Roaming\LimeWire
2008-02-28 02:30:03 0 d-------- C:\Users\Effaney\AppData\Roaming\WeatherDPA
2008-02-28 02:29:38 0 d-------- C:\Users\Effaney\AppData\Roaming\Zango
2008-02-26 14:15:53 0 d-------- C:\Program Files\Common Files
2008-02-21 19:12:40 0 d-------- C:\Users\Effaney\AppData\Roaming\Media Player Classic
2008-02-20 12:48:24 2110 --a------ C:\Users\Effaney\AppData\Roaming\wklnhst.dat
2008-02-13 10:49:20 0 d-------- C:\Program Files\Maxima-5.14.0
2008-02-11 15:53:37 0 d-------- C:\Users\Effaney\AppData\Roaming\BloodTies
2008-02-09 09:33:26 0 d-------- C:\Users\Effaney\AppData\Roaming\PictureTrail
2008-02-06 16:51:03 0 d-------- C:\Program Files\LimeWire
2008-02-06 10:28:21 0 d-------- C:\Users\Effaney\AppData\Roaming\Symantec
2008-02-04 16:25:48 0 d-------- C:\Users\Effaney\AppData\Roaming\Mozilla
2008-02-04 16:06:36 0 d-------- C:\Program Files\DivX
2008-02-04 14:05:07 0 d-------- C:\Users\Effaney\AppData\Roaming\Move Networks
2008-02-03 21:20:04 0 d-------- C:\Users\Effaney\AppData\Roaming\Opera
2008-01-30 08:27:47 0 d-------- C:\Program Files\Lavasoft
2008-01-28 07:25:41 0 d-------- C:\Program Files\Real
2008-01-28 07:14:36 0 d-------- C:\Program Files\Coupons
2008-01-27 08:33:27 0 d-------- C:\Users\Effaney\AppData\Roaming\Adobe
2008-01-24 14:18:47 122824 --a------ C:\Windows\hpoins14.dat
2008-01-24 14:15:52 0 d-------- C:\Program Files\Hewlett-Packard
2008-01-24 14:15:20 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-24 14:10:48 0 d-------- C:\Program Files\HP
2008-01-09 10:30:28 0 d-------- C:\Program Files\Windows Mail
2008-01-09 10:24:51 0 d-------- C:\Program Files\Windows Sidebar
2007-12-31 22:04:26 0 d-------- C:\Users\Effaney\AppData\Roaming\UseNeXT
2007-12-31 17:40:43 0 d-------- C:\Program Files\PANTECH


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/12/2007 04:33 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/19/2006 06:37 PM]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [10/23/2006 10:40 PM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 10:43 PM]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [11/16/2006 06:04 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 01:18 AM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/11/2007 12:52 PM]
"DropBoxUtility"="C:\Program Files\DropBox\DropBox\DropBox.exe" [12/02/2007 04:26 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 06:35 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" []
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 06:36 AM]
"WeatherDPA"="C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" []

C:\Users\Effaney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 4:45:42 AM]
VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [11/8/2007 6:51:12 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-02-29 19:07:27 ------------

#6 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Please run the OTMoveIt2 by OldTimer again.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\Zango
    C:\Windows\xcopy32.exe
    C:\Windows\svchost.exe
    C:\Users\Effaney\AppData\Roaming\Zango
    C:\Program Files\Coupons
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Reboot and post a new DSS log

#7 cota33 (Topic Starter, Member, 12 posts)
Deckard's System Scanner v20071014.68
Run by Effaney on 2008-02-29 23:39:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Effaney.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:02 PM, on 2/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Effaney\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Effaney.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MT6451
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TB&M=MT6451
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" -auto
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFEBB90-F23F-4A38-A03F-858285E72F4D}: NameServer = 66.174.95.44 69.78.96.14
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 8921 bytes

-- Files created between 2008-01-29 and 2008-02-29 -----------------------------

2008-02-29 20:57:26 0 d-------- C:\Users\All Users\Malwarebytes
2008-02-29 20:57:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-29 16:21:16 0 d-------- C:\BackUpMSNCleaner
2008-02-28 22:26:16 0 d-------- C:\Program Files\Trend Micro
2008-02-28 17:13:09 0 d-------- C:\Program Files\PopCap Games
2008-02-28 17:11:47 0 d-------- C:\Program Files\Zuma Deluxe
2008-02-27 17:56:03 0 d-------- C:\Users\Effaney\LimeWire Shared
2008-02-27 12:10:10 614400 -r-hs---- C:\Windows\xcopy32.exe
2008-02-26 14:15:53 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 14:15:26 0 d-------- C:\Program Files\Windows Live
2008-02-26 14:14:27 0 d-------- C:\Users\All Users\WLInstaller
2008-02-25 22:44:37 0 d-------- C:\Users\All Users\PopCap Games
2008-02-25 22:43:11 0 d-------- C:\Program Files\Yahoo! Games
2008-02-21 13:52:22 164352 --a------ C:\Windows\system32\unrar.dll
2008-02-21 13:52:19 217088 --a------ C:\Windows\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-02-21 13:52:19 159839 --a------ C:\Windows\system32\xvidvfw.dll
2008-02-21 13:52:19 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-02-21 13:52:18 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-02-21 13:52:18 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 13:52:16 682496 --a------ C:\Windows\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 13:52:15 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-02-21 13:52:13 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-02-19 08:19:39 0 d-------- C:\Program Files\PCPitstop
2008-02-15 14:37:43 0 d-------- C:\Program Files\ATI Technologies
2008-02-15 14:37:39 0 d-------- C:\Program Files\ATI
2008-02-11 15:30:25 0 d-------- C:\My Games
2008-02-11 15:27:13 0 d-------- C:\Program Files\RealArcade
2008-02-06 16:55:42 0 d-------- C:\Users\Effaney\LimeWire Store Purchased
2008-02-05 22:57:59 0 d-------- C:\Program Files\Norton 360
2008-02-05 22:52:59 0 d-------- C:\Program Files\Symantec
2008-02-05 22:52:52 0 d-------- C:\Users\All Users\Symantec
2008-02-05 22:51:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-04 16:34:32 1158 --a------ C:\Windows\mozver.dat
2008-02-04 16:25:51 0 --a------ C:\Windows\nsreg.dat
2008-01-30 08:27:46 0 d-------- C:\Users\All Users\Lavasoft
2008-01-30 08:26:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-02-29 23:34:28 12 --a------ C:\Windows\bthservsdp.dat
2008-02-29 22:22:27 0 d-------- C:\Program Files\Common Files
2008-02-29 20:58:03 0 d-------- C:\Users\Effaney\AppData\Roaming\Malwarebytes
2008-02-29 00:53:04 0 d-------- C:\Users\Effaney\AppData\Roaming\LimeWire
2008-02-28 02:30:03 0 d-------- C:\Users\Effaney\AppData\Roaming\WeatherDPA
2008-02-21 19:12:40 0 d-------- C:\Users\Effaney\AppData\Roaming\Media Player Classic
2008-02-20 12:48:24 2110 --a------ C:\Users\Effaney\AppData\Roaming\wklnhst.dat
2008-02-13 10:49:20 0 d-------- C:\Program Files\Maxima-5.14.0
2008-02-11 15:53:37 0 d-------- C:\Users\Effaney\AppData\Roaming\BloodTies
2008-02-09 09:33:26 0 d-------- C:\Users\Effaney\AppData\Roaming\PictureTrail
2008-02-06 16:51:03 0 d-------- C:\Program Files\LimeWire
2008-02-06 10:28:21 0 d-------- C:\Users\Effaney\AppData\Roaming\Symantec
2008-02-04 16:25:48 0 d-------- C:\Users\Effaney\AppData\Roaming\Mozilla
2008-02-04 16:06:36 0 d-------- C:\Program Files\DivX
2008-02-04 14:05:07 0 d-------- C:\Users\Effaney\AppData\Roaming\Move Networks
2008-02-03 21:20:04 0 d-------- C:\Users\Effaney\AppData\Roaming\Opera
2008-01-30 08:27:47 0 d-------- C:\Program Files\Lavasoft
2008-01-28 07:25:41 0 d-------- C:\Program Files\Real
2008-01-28 07:14:36 0 d-------- C:\Program Files\Coupons
2008-01-27 08:33:27 0 d-------- C:\Users\Effaney\AppData\Roaming\Adobe
2008-01-24 14:18:47 122824 --a------ C:\Windows\hpoins14.dat
2008-01-24 14:15:52 0 d-------- C:\Program Files\Hewlett-Packard
2008-01-24 14:15:20 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-24 14:10:48 0 d-------- C:\Program Files\HP
2008-01-09 10:30:28 0 d-------- C:\Program Files\Windows Mail
2008-01-09 10:24:51 0 d-------- C:\Program Files\Windows Sidebar
2007-12-31 22:04:26 0 d-------- C:\Users\Effaney\AppData\Roaming\UseNeXT
2007-12-31 17:40:43 0 d-------- C:\Program Files\PANTECH


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/12/2007 04:33 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/19/2006 06:37 PM]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [10/23/2006 10:40 PM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [10/09/2006 10:43 PM]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [11/16/2006 06:04 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 01:18 AM]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/11/2007 12:52 PM]
"DropBoxUtility"="C:\Program Files\DropBox\DropBox\DropBox.exe" [12/02/2007 04:26 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 06:35 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" []
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 06:36 AM]
"WeatherDPA"="C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" []

C:\Users\Effaney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 4:45:42 AM]
VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [11/8/2007 6:51:12 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-02-29 23:41:09 ------------



Folder move failed. C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\plugins scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\components scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Zango\bin\10.3.35.0\firefox scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Zango\bin\10.3.35.0 scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Zango\bin scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Zango scheduled to be moved on reboot.
File move failed. C:\Windows\xcopy32.exe scheduled to be moved on reboot.
File move failed. C:\Windows\svchost.exe scheduled to be moved on reboot.
C:\Users\Effaney\AppData\Roaming\Zango moved successfully.
Folder move failed. C:\Program Files\Coupons scheduled to be moved on reboot.
[Custom Input]
< purity >

OTMoveIt2 v1.0.20 log created on 02292008_205345



Malwarebytes' Anti-Malware 1.05
Database version: 435

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 171240
Time elapsed: 1 hour(s), 23 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 71
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\chilkat.email2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4643a87-99a0-4404-9bc5-2322bdd61637} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a46e5261-9956-4767-88ca-dfced050d09e} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7ec2cd3-9941-4fd4-9d01-105dc16a4313} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.email2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.mailman2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.mailman2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.emailbundle2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkat.emailbundle2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2.1 (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{06544919-f559-4ae5-9001-f903bd8a84e6} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{51a0888c-9970-44de-8c2c-835ba870d06f} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5acae4b8-62d9-4124-a58a-9b1258b77e99} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7d37ded8-1945-4e42-a3fd-b9620e0ad8e3} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c4c23b78-db98-444c-b601-dcac6ebbec54} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ccb7fb40-99ec-4678-9202-52798da78aba} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d12fb216-99da-4eb3-9cc0-c0f760b174a0} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d56c1af1-3fde-471c-9bc2-c52515f260c1} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-992c-4462-a27d-ebe604ec3a48} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1df3afed-99e0-4474-9900-954b8fd24e86} (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d00aa2a-69ef-487a-8a40-b3e27f07c91e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{86c5840b-80c4-4c30-a655-37344a542009} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b0cb585f-3271-4e42-88d9-ae5c9330d554} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{14113b47-d59c-4f0f-9d10-ff1730265584} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9c42a57-421c-4572-8b12-249c59183d1c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5b6fa30-d317-41ca-9cb1-c898d3c7f34e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc19a5f2-b4ad-41d5-a5c9-0680904c1483} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{62906e60-bce2-4e1b-9ed0-8b9042ee15e4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9bfa98d-9935-4ea4-a05a-72c7f0778f02} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3788e535-897b-463d-b6d6-fee5b86ec144} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3788e535-897b-463d-b6d6-fee5b86ec144} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d3f940ea-4e87-423b-9091-934e1e4fceae} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{d3f940ea-4e87-423b-9091-934e1e4fceae} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\zangosa (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.clientdetector.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\zangoax.userprofiles.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\instie.hbinstobj (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\instie.hbinstobj.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\[email protected] (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\components (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\plugins (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\mxpvct25.dat (Trojan.AdWare.AntiSpamBoy) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\CoreSrv.dll (Adware.Zango) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\arrow.ico (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\CntntCntr.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\copyright.txt (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\HostOL.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\link.ico (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\Srv.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\Toolbar.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\Wallpaper.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\WeSkin.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\ZangoSA.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\ZangoSAAX.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\ZangoSADF.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\ZangoSAHook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\ZangoUninstaller.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\chrome.manifest (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\install.rdf (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\components\npclntax.xpt (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.35.0\firefox\extensions\plugins\npclntax_ZangoSA.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Reset Cursor.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Weather.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Zango Customer Support Center.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Zango Games!.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Zango Library.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Zango Screensavers!.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Zango Uninstall Instructions.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zango\Zango Videos!.lnk (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#8
Rorschach112 (Ralphie)
Retired Staff, 47,710 posts
One file is refusing to go

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename ComboFix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#9
cota33 (Topic Starter)
Member, 12 posts
ComboFix 08-03-01.3 - Effaney 2008-03-01 9:26:07.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.239 [GMT -6:00]
Running from: C:\Users\Effaney\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\AutoRun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-29 20:58 . 2008-02-29 20:58 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\Malwarebytes
2008-02-29 20:57 . 2008-02-29 20:57 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-02-29 20:57 . 2008-02-29 20:57 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-02-29 20:57 . 2008-02-29 20:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-29 18:58 . 2008-02-29 18:58 <DIR> d-------- C:\_OTMoveIt
2008-02-29 16:22 . 2008-02-29 16:22 <DIR> d-------- C:\Deckard
2008-02-29 16:21 . 2008-02-29 16:21 <DIR> d-------- C:\BackUpMSNCleaner
2008-02-28 22:26 . 2008-02-28 22:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:13 . 2008-02-28 17:13 <DIR> d-------- C:\Program Files\PopCap Games
2008-02-28 17:11 . 2008-02-28 17:12 <DIR> d-------- C:\Program Files\Zuma Deluxe
2008-02-28 02:30 . 2008-02-28 02:30 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\WeatherDPA
2008-02-27 17:56 . 2008-02-27 17:56 <DIR> d-------- C:\Users\Effaney\LimeWire Shared
2008-02-27 12:10 . 2008-02-09 13:36 614,400 -r-hs---- C:\Windows\xcopy32.exe
2008-02-26 14:15 . 2008-02-26 14:28 <DIR> d-------- C:\Program Files\Windows Live
2008-02-26 14:15 . 2008-02-26 14:24 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 14:14 . 2008-02-28 15:02 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-02-26 14:14 . 2008-02-28 15:02 <DIR> d-------- C:\ProgramData\WLInstaller
2008-02-25 22:44 . 2008-02-25 22:44 <DIR> d-------- C:\Users\All Users\PopCap Games
2008-02-25 22:44 . 2008-02-25 22:44 <DIR> d-------- C:\ProgramData\PopCap Games
2008-02-25 22:43 . 2008-02-25 22:43 <DIR> d-------- C:\Program Files\Yahoo! Games
2008-02-21 19:12 . 2008-02-21 19:12 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\Media Player Classic
2008-02-21 13:52 . 2008-02-21 13:52 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-19 08:19 . 2008-02-19 08:19 <DIR> d-------- C:\Program Files\PCPitstop
2008-02-15 14:37 . 2008-02-15 14:42 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-15 14:37 . 2008-02-15 14:37 <DIR> d-------- C:\Program Files\ATI
2008-02-13 11:22 . 2008-02-13 11:22 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 11:22 . 2008-02-13 11:22 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 11:16 . 2008-02-13 11:16 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-13 11:16 . 2008-02-13 11:16 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-13 11:16 . 2008-02-13 11:16 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-13 11:16 . 2008-02-13 11:16 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-13 11:16 . 2008-02-13 11:16 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-13 11:16 . 2008-02-13 11:16 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-13 11:16 . 2008-02-13 11:16 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-02-13 11:15 . 2008-02-13 11:15 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-13 11:15 . 2008-02-13 11:15 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-13 11:15 . 2008-02-13 11:15 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-13 11:15 . 2008-02-13 11:15 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-13 11:15 . 2008-02-13 11:15 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-13 11:14 . 2008-02-13 11:14 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 11:14 . 2008-02-13 11:14 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-13 11:09 . 2008-02-13 11:09 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-11 15:53 . 2008-02-11 15:53 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\BloodTies
2008-02-11 15:30 . 2008-02-13 10:48 <DIR> d-------- C:\My Games
2008-02-11 15:28 . 2008-02-13 10:50 <DIR> d-------- C:\Users\Public\RealArcade
2008-02-11 15:27 . 2008-02-13 10:50 <DIR> d-------- C:\Program Files\RealArcade
2008-02-06 16:55 . 2008-02-06 16:55 <DIR> d-------- C:\Users\Effaney\LimeWire Store Purchased
2008-02-06 10:28 . 2008-02-06 10:28 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\Symantec
2008-02-06 00:32 . 2008-01-12 18:32 23,904 --a------ C:\Windows\System32\drivers\COH_Mon.sys
2008-02-06 00:32 . 2008-01-15 09:54 10,537 --a------ C:\Windows\System32\drivers\COH_Mon.cat
2008-02-06 00:32 . 2008-01-15 05:28 706 --a------ C:\Windows\System32\drivers\COH_Mon.inf
2008-02-06 00:16 . 2007-07-17 12:21 186,256 --a------ C:\Windows\System32\SymNPPWA.dll
2008-02-05 23:55 . 2008-02-05 23:55 16 --a------ C:\Windows\System32\coh.cache
2008-02-05 22:57 . 2008-02-06 07:14 <DIR> d-------- C:\Program Files\Norton 360
2008-02-05 22:56 . 2008-02-06 00:14 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-02-05 22:56 . 2008-02-06 00:14 10,740 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-02-05 22:56 . 2008-02-06 00:14 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-02-05 22:52 . 2008-02-28 22:42 <DIR> d-------- C:\Users\All Users\Symantec
2008-02-05 22:52 . 2008-02-28 22:42 <DIR> d-------- C:\ProgramData\Symantec
2008-02-05 22:52 . 2008-02-06 00:14 <DIR> d-------- C:\Program Files\Symantec
2008-02-05 22:51 . 2008-02-25 19:37 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-04 16:34 . 2008-02-04 16:34 1,158 --a------ C:\Windows\mozver.dat
2008-02-04 16:25 . 2008-02-04 16:25 0 --a------ C:\Windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 00:04 --------- d---a-w C:\ProgramData\TEMP
2008-02-29 06:53 --------- d-----w C:\Users\Effaney\AppData\Roaming\LimeWire
2008-02-20 18:48 2,110 ----a-w C:\Users\Effaney\AppData\Roaming\wklnhst.dat
2008-02-13 17:16 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-13 17:14 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 17:14 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 17:14 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 17:14 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 17:12 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 17:12 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 17:12 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 17:12 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 16:49 --------- d-----w C:\Program Files\Maxima-5.14.0
2008-02-09 15:33 --------- d-----w C:\Users\Effaney\AppData\Roaming\PictureTrail
2008-02-06 22:51 --------- d-----w C:\Program Files\LimeWire
2008-02-04 22:06 --------- d-----w C:\Program Files\DivX
2008-02-04 20:05 --------- d-----w C:\Users\Effaney\AppData\Roaming\Move Networks
2008-01-30 14:29 --------- d-----w C:\ProgramData\Lavasoft
2008-01-30 14:27 --------- d-----w C:\Program Files\Lavasoft
2008-01-30 14:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 13:25 --------- d-----w C:\Program Files\Real
2008-01-28 13:14 --------- d-----w C:\Program Files\Coupons
2008-01-24 20:18 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-01-24 20:15 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-24 20:15 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-01-24 20:10 --------- d-----w C:\Program Files\HP
2008-01-24 20:07 --------- d-----w C:\ProgramData\HP
2008-01-21 03:28 --------- d-sh--r C:\ProgramData\MSNCS
2008-01-10 19:16 159,839 ----a-w C:\Windows\System32\xvidvfw.dll
2008-01-10 19:15 755,027 ----a-w C:\Windows\System32\xvidcore.dll
2008-01-09 16:30 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 16:25 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 16:25 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 16:24 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 16:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-01 04:04 --------- d-----w C:\Users\Effaney\AppData\Roaming\UseNeXT
2007-12-24 19:49 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2007-12-14 17:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-12-13 13:54 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 13:54 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 13:54 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-04 08:33 682,496 ----a-w C:\Windows\System32\divx.dll
2007-08-29 12:23 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]
"WeatherDPA"="C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 04:33 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-12-19 18:37 815104]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2006-10-23 22:40 1429504]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 22:43 729088]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 18:04 2348584]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-11 12:52 286720]
"DropBoxUtility"="C:\Program Files\DropBox\DropBox\DropBox.exe" [2007-12-02 16:26 258048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

C:\Users\Effaney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-11-08 18:51:12 1697072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2892041139-1299931428-456275225-1000]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2892041139-1299931428-456275225-500]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EBEBFDC8-3565-4AAB-8D48-24CB087CC817}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5602D868-5C56-4F39-AF9C-BE6BCDC27D1E}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{60E0F3EB-8E9C-414D-8D4B-5F0E1E81B62A}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4710AFC4-2D16-420A-94D7-7CE50AFDDA61}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{12B469C2-B0E7-497F-9251-07F62CB0DCA2}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F37682DB-A18B-432B-AA02-0B770D4C56A2}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{31AAD32C-35A5-4453-9845-52410A893B69}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{444493A6-6BD7-422F-997F-77FA0329DA8B}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{963594F5-957F-47E3-89CA-09A3DB9CE1C3}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{30489867-05B7-457E-A693-0CF076288523}"= UDP:C:\Program Files\uTorrent\utorrent.exe:µTorrent
"{A8AF94BC-8AE3-4E38-9D68-F7189B4F62EA}"= TCP:C:\Program Files\uTorrent\utorrent.exe:µTorrent
"{9B88E86D-D7D6-472B-B734-B0FD6AC1C5DE}"= UDP:C:\Program Files\DropBox\DropBox\DropBox.exe:DropBox
"{4CA08D83-A6F3-4257-A126-7461A467F18C}"= TCP:C:\Program Files\DropBox\DropBox\DropBox.exe:DropBox
"{6BD029E5-1303-4E8E-A28C-D5AE4218A14D}"= UDP:6331:Windows Live OneCare
"{CFA576EA-1D8E-40F6-A3D7-1B628E34F07B}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{77B1B9C2-6E04-4E9D-904D-3357B623D7CE}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{B3342962-F6C7-4A39-97C4-CA526E487C00}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 09:23]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080227.001\IDSvix86.sys [2008-02-13 10:18]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 03:45]
R2 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 03:45]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;C:\Windows\system32\DRIVERS\PTDMBus.sys [2007-08-17 19:56]
R3 PTDMMdm;PANTECH USB Modem Drivers ;C:\Windows\system32\DRIVERS\PTDMMdm.sys [2007-08-17 19:56]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;C:\Windows\system32\DRIVERS\PTDMVsp.sys [2007-08-17 19:56]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;C:\Windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-17 19:56]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-12-27 11:08]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 14:32]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-10-23 21:40]
S3 mr97310c;CIF Dual-Mode Camera;C:\Windows\system32\DRIVERS\mr97310c.sys [2005-04-11 14:26]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 01:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 01:35:07 C:\Windows\Tasks\User_Feed_Synchronization-{867125CB-E4F1-4A03-99C8-55D6561E1B7C}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 09:30:37
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 9:31:24
ComboFix-quarantined-files.txt 2008-03-01 15:31:22
.
2008-03-01 00:09:56 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:58 AM, on 3/1/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MT6451
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" -auto
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFEBB90-F23F-4A38-A03F-858285E72F4D}: NameServer = 66.174.95.44 69.78.96.14
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 8494 bytes
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\xcopy32.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also tell me how your PC is running.
  • 0



#11
cota33

cota33

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
My PC is running better than it was, still slow and some pop-ups but not nearly as many as before. When I go to open up IE I get an error message "cannot find '::{2559A1F4-21D7-11D4-BDAF-00C04F60B0FO}'". When I hit OK on that box my IE opens. Here is the latest log:

ComboFix 08-03-01.3 - Effaney 2008-03-02 9:09:21.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.256 [GMT -6:00]
Running from: C:\Users\Effaney\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-02-29 20:58 . 2008-02-29 20:58 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\Malwarebytes
2008-02-29 20:57 . 2008-02-29 20:57 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-02-29 20:57 . 2008-02-29 20:57 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-02-29 20:57 . 2008-02-29 20:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-29 18:58 . 2008-02-29 18:58 <DIR> d-------- C:\_OTMoveIt
2008-02-29 16:22 . 2008-02-29 16:22 <DIR> d-------- C:\Deckard
2008-02-29 16:21 . 2008-02-29 16:21 <DIR> d-------- C:\BackUpMSNCleaner
2008-02-28 22:26 . 2008-02-28 22:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 17:13 . 2008-02-28 17:13 <DIR> d-------- C:\Program Files\PopCap Games
2008-02-28 17:11 . 2008-02-28 17:12 <DIR> d-------- C:\Program Files\Zuma Deluxe
2008-02-28 02:30 . 2008-02-28 02:30 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\WeatherDPA
2008-02-27 17:56 . 2008-02-27 17:56 <DIR> d-------- C:\Users\Effaney\LimeWire Shared
2008-02-27 12:10 . 2008-02-09 13:36 614,400 -r-hs---- C:\Windows\xcopy32.exe
2008-02-26 14:15 . 2008-02-26 14:28 <DIR> d-------- C:\Program Files\Windows Live
2008-02-26 14:15 . 2008-02-26 14:24 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 14:14 . 2008-02-28 15:02 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-02-26 14:14 . 2008-02-28 15:02 <DIR> d-------- C:\ProgramData\WLInstaller
2008-02-25 22:44 . 2008-02-25 22:44 <DIR> d-------- C:\Users\All Users\PopCap Games
2008-02-25 22:44 . 2008-02-25 22:44 <DIR> d-------- C:\ProgramData\PopCap Games
2008-02-25 22:43 . 2008-02-25 22:43 <DIR> d-------- C:\Program Files\Yahoo! Games
2008-02-21 19:12 . 2008-02-21 19:12 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\Media Player Classic
2008-02-21 13:52 . 2008-02-21 13:52 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-19 08:19 . 2008-02-19 08:19 <DIR> d-------- C:\Program Files\PCPitstop
2008-02-15 14:37 . 2008-02-15 14:42 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-15 14:37 . 2008-02-15 14:37 <DIR> d-------- C:\Program Files\ATI
2008-02-13 11:22 . 2008-02-13 11:22 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 11:22 . 2008-02-13 11:22 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 11:16 . 2008-02-13 11:16 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-13 11:16 . 2008-02-13 11:16 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-02-13 11:16 . 2008-02-13 11:16 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-02-13 11:16 . 2008-02-13 11:16 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-02-13 11:16 . 2008-02-13 11:16 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-02-13 11:16 . 2008-02-13 11:16 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-02-13 11:16 . 2008-02-13 11:16 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-02-13 11:15 . 2008-02-13 11:15 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-02-13 11:15 . 2008-02-13 11:15 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-02-13 11:15 . 2008-02-13 11:15 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-02-13 11:15 . 2008-02-13 11:15 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-02-13 11:15 . 2008-02-13 11:15 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-02-13 11:14 . 2008-02-13 11:14 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 11:14 . 2008-02-13 11:14 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-13 11:09 . 2008-02-13 11:09 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-11 15:53 . 2008-02-11 15:53 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\BloodTies
2008-02-11 15:30 . 2008-02-13 10:48 <DIR> d-------- C:\My Games
2008-02-11 15:28 . 2008-02-13 10:50 <DIR> d-------- C:\Users\Public\RealArcade
2008-02-11 15:27 . 2008-02-13 10:50 <DIR> d-------- C:\Program Files\RealArcade
2008-02-06 16:55 . 2008-02-06 16:55 <DIR> d-------- C:\Users\Effaney\LimeWire Store Purchased
2008-02-06 10:28 . 2008-02-06 10:28 <DIR> d-------- C:\Users\Effaney\AppData\Roaming\Symantec
2008-02-06 00:32 . 2008-01-12 18:32 23,904 --a------ C:\Windows\System32\drivers\COH_Mon.sys
2008-02-06 00:32 . 2008-01-15 09:54 10,537 --a------ C:\Windows\System32\drivers\COH_Mon.cat
2008-02-06 00:32 . 2008-01-15 05:28 706 --a------ C:\Windows\System32\drivers\COH_Mon.inf
2008-02-06 00:16 . 2007-07-17 12:21 186,256 --a------ C:\Windows\System32\SymNPPWA.dll
2008-02-05 23:55 . 2008-02-05 23:55 16 --a------ C:\Windows\System32\coh.cache
2008-02-05 22:57 . 2008-02-06 07:14 <DIR> d-------- C:\Program Files\Norton 360
2008-02-05 22:56 . 2008-02-06 00:14 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-02-05 22:56 . 2008-02-06 00:14 10,740 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-02-05 22:56 . 2008-02-06 00:14 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-02-05 22:52 . 2008-02-28 22:42 <DIR> d-------- C:\Users\All Users\Symantec
2008-02-05 22:52 . 2008-02-28 22:42 <DIR> d-------- C:\ProgramData\Symantec
2008-02-05 22:52 . 2008-02-06 00:14 <DIR> d-------- C:\Program Files\Symantec
2008-02-05 22:51 . 2008-02-25 19:37 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-04 16:34 . 2008-02-04 16:34 1,158 --a------ C:\Windows\mozver.dat
2008-02-04 16:25 . 2008-02-04 16:25 0 --a------ C:\Windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 04:32 --------- d-----w C:\Users\Effaney\AppData\Roaming\LimeWire
2008-03-01 00:04 --------- d---a-w C:\ProgramData\TEMP
2008-02-20 18:48 2,110 ----a-w C:\Users\Effaney\AppData\Roaming\wklnhst.dat
2008-02-13 17:16 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-13 17:14 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 17:14 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 17:14 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 17:14 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 17:12 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 17:12 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 17:12 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 17:12 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-13 16:49 --------- d-----w C:\Program Files\Maxima-5.14.0
2008-02-09 15:33 --------- d-----w C:\Users\Effaney\AppData\Roaming\PictureTrail
2008-02-06 22:51 --------- d-----w C:\Program Files\LimeWire
2008-02-04 22:06 --------- d-----w C:\Program Files\DivX
2008-02-04 20:05 --------- d-----w C:\Users\Effaney\AppData\Roaming\Move Networks
2008-01-30 14:29 --------- d-----w C:\ProgramData\Lavasoft
2008-01-30 14:27 --------- d-----w C:\Program Files\Lavasoft
2008-01-30 14:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 13:25 --------- d-----w C:\Program Files\Real
2008-01-28 13:14 --------- d-----w C:\Program Files\Coupons
2008-01-24 20:18 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-01-24 20:15 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-24 20:15 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-01-24 20:10 --------- d-----w C:\Program Files\HP
2008-01-24 20:07 --------- d-----w C:\ProgramData\HP
2008-01-21 03:28 --------- d-sh--r C:\ProgramData\MSNCS
2008-01-10 19:16 159,839 ----a-w C:\Windows\System32\xvidvfw.dll
2008-01-10 19:15 755,027 ----a-w C:\Windows\System32\xvidcore.dll
2008-01-09 16:30 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 16:25 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 16:25 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 16:24 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 16:24 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-24 19:49 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2007-12-14 17:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-12-13 13:54 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 13:54 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 13:54 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-04 08:33 682,496 ----a-w C:\Windows\System32\divx.dll
2007-08-29 12:23 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"WeatherDPA"="C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 04:33 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-12-19 18:37 815104]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2006-10-23 22:40 1429504]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 22:43 729088]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 18:04 2348584]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"Windows Mobile-based device management"="%windir%\WindowsMobile\wmdc.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-11 12:52 286720]
"DropBoxUtility"="C:\Program Files\DropBox\DropBox\DropBox.exe" [2007-12-02 16:26 258048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

C:\Users\Effaney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
VZAccess Manager.lnk - C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-11-08 18:51:12 1697072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2892041139-1299931428-456275225-1000]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2892041139-1299931428-456275225-500]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EBEBFDC8-3565-4AAB-8D48-24CB087CC817}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5602D868-5C56-4F39-AF9C-BE6BCDC27D1E}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{60E0F3EB-8E9C-414D-8D4B-5F0E1E81B62A}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4710AFC4-2D16-420A-94D7-7CE50AFDDA61}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{12B469C2-B0E7-497F-9251-07F62CB0DCA2}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F37682DB-A18B-432B-AA02-0B770D4C56A2}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{31AAD32C-35A5-4453-9845-52410A893B69}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{444493A6-6BD7-422F-997F-77FA0329DA8B}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{963594F5-957F-47E3-89CA-09A3DB9CE1C3}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 4.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{30489867-05B7-457E-A693-0CF076288523}"= UDP:C:\Program Files\uTorrent\utorrent.exe:µTorrent
"{A8AF94BC-8AE3-4E38-9D68-F7189B4F62EA}"= TCP:C:\Program Files\uTorrent\utorrent.exe:µTorrent
"{9B88E86D-D7D6-472B-B734-B0FD6AC1C5DE}"= UDP:C:\Program Files\DropBox\DropBox\DropBox.exe:DropBox
"{4CA08D83-A6F3-4257-A126-7461A467F18C}"= TCP:C:\Program Files\DropBox\DropBox\DropBox.exe:DropBox
"{6BD029E5-1303-4E8E-A28C-D5AE4218A14D}"= UDP:6331:Windows Live OneCare
"{CFA576EA-1D8E-40F6-A3D7-1B628E34F07B}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{77B1B9C2-6E04-4E9D-904D-3357B623D7CE}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{B3342962-F6C7-4A39-97C4-CA526E487C00}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 09:23]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080227.001\IDSvix86.sys [2008-02-13 10:18]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 03:45]
R2 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 03:45]
R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;C:\Windows\system32\DRIVERS\PTDMBus.sys [2007-08-17 19:56]
R3 PTDMMdm;PANTECH USB Modem Drivers ;C:\Windows\system32\DRIVERS\PTDMMdm.sys [2007-08-17 19:56]
R3 PTDMVsp;PANTECH USB Modem Serial Port ;C:\Windows\system32\DRIVERS\PTDMVsp.sys [2007-08-17 19:56]
R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;C:\Windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-17 19:56]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-12-27 11:08]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 14:32]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-10-23 21:40]
S3 mr97310c;CIF Dual-Mode Camera;C:\Windows\system32\DRIVERS\mr97310c.sys [2005-04-11 14:26]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 01:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 02:28:03 C:\Windows\Tasks\User_Feed_Synchronization-{867125CB-E4F1-4A03-99C8-55D6561E1B7C}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 09:13:40
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-02 9:14:45
ComboFix-quarantined-files.txt 2008-03-02 15:14:38
ComboFix2.txt 2008-03-01 15:31:25
.
2008-03-01 00:09:56 --- E O F ---
  • 0
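The log above carries the points a reviewer checks by eye: the Security Center "DisableMonitoring" flags set to 1, "EnableFirewall"= 0 on all three firewall profiles, and Run entries whose file details are blank. The Python script below is added here as an example and is not part of ComboFix or the forum's toolkit; it parses a ComboFix-style Reg Loading Points excerpt (constructed from the posted log) and flags those lines. Treating an empty "[ ]" as a missing or unreadable target is this script's assumption, not something ComboFix documents on the page.

```python
"""Flag risky lines in the 'Reg Loading Points' part of a ComboFix log.
Added example for this thread, not ComboFix's own code. Empty file details
("[ ]") are treated as a missing/unreadable target: an assumption here."""
import re

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"WeatherDPA"="C:\Program Files\Zango\bin\10.3.35.0\Weather.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION = re.compile(r"^\[(.+)\]$")                               # [HKLM\...] header
RUN_ENTRY = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')   # "name"="path" [info]
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(\d+)')
MONITORING = re.compile(r'^"DisableMonitoring"=dword:0*1$')

def triage(text):
    """Return (kind, where, detail) tuples, one per suspicious line."""
    findings, section = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        low, leaf = section.lower(), section.rsplit("\\", 1)[-1]
        if low.endswith(r"\currentversion\run"):
            entry = RUN_ENTRY.match(line)
            if entry and not entry.group(3).strip():   # "[ ]": no file info recorded
                findings.append(("run-entry-no-file-info", entry.group(1), entry.group(2)))
        elif "security center\\monitoring" in low and MONITORING.match(line):
            findings.append(("security-center-monitoring-off", leaf, line))
        elif "firewallpolicy\\" in low and leaf.lower().endswith("profile"):
            value = FIREWALL.match(line)
            if value and int(value.group(1)) == 0:
                findings.append(("firewall-disabled", leaf, line))
    return findings

if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {where:18} {detail}")
```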

#12
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Remind me about that error at the end

Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Windows\xcopy32.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
  • 0

#13
cota33

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
OK. The first page gave me this after it was analyzed.

File has already been analysed:
MD5: 7649bea0ac02d7fb0f260bedff5c517c
Date: 02.29.2008 15:21:40 (CET) [>2D]
Results: 14/32
Permalink: analisis/186d3b615ccbddc7902ba4eea244d8a8

I clicked on the permalink and got this:

File xcopy32.exe received on 02.29.2008 15:11:05 (CET)
Current status: finished

Result: 14/32 (43.75%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.67 2008.02.29 BDS/VB.JA.75
Authentium 4.93.8 2008.02.29 -
Avast 4.7.1098.0 2008.02.28 Win32:SdBot-5252
AVG 7.5.0.516 2008.02.29 Worm/Agobot.54.AD
BitDefender 7.2 2008.02.29 -
CAT-QuickHeal 9.50 2008.02.28 Backdoor.VB.ja
ClamAV 0.92.1 2008.02.29 -
DrWeb 4.44.0.09170 2008.02.29 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 -
Ewido 4.0 2008.02.29 -
FileAdvisor 1 2008.02.29 -
Fortinet 3.14.0.0 2008.02.29 -
F-Prot 4.4.2.54 2008.02.28 -
F-Secure 6.70.13260.0 2008.02.29 Backdoor.Win32.VB.ja
Ikarus T3.1.1.20 2008.02.29 Backdoor.Win32.Rbot.cqk
Kaspersky 7.0.0.125 2008.02.29 Backdoor.Win32.VB.ja
McAfee 5241 2008.02.28 -
Microsoft 1.3301 2008.02.29 Trojan:Win32/Malagent
NOD32v2 2911 2008.02.29 -
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.02.28 W32/P2PShared.E.worm
Prevx1 V2 2008.02.29 Trojan.SystemPoser
Rising 20.33.42.00 2008.02.29 -
Sophos 4.27.0 2008.02.29 Mal/Generic-A
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.02.29 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 Backdoor.Win32.VB.ja
VirusBuster 4.3.26:9 2008.02.28 Worm.SdBot.ZMS
Webwasher-Gateway 6.6.2 2008.02.29 Trojan.Backdoor.VB.JA.75
  • 0
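For the VirusTotal listing pasted above, the Python helper below (added here as an example, not VirusTotal's or the forum's own tooling) turns the plain-text rows into a detection count, groups the names the engines assigned, and reports which of the poster's own engines called the file clean. The embedded rows are a constructed subset of the posted result, in the same layout.

```python
"""Summarise a VirusTotal plain-text result listing of the kind pasted above.
Added example for this thread, not VirusTotal tooling. Each data row is
"<vendor> <version> <last update> <result>"; a result of "-" means clean."""
from collections import Counter

# Constructed input: a subset of the 32 rows posted above, in the same layout.
VT_TEXT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.67 2008.02.29 BDS/VB.JA.75
Avast 4.7.1098.0 2008.02.28 Win32:SdBot-5252
AVG 7.5.0.516 2008.02.29 Worm/Agobot.54.AD
BitDefender 7.2 2008.02.29 -
Kaspersky 7.0.0.125 2008.02.29 Backdoor.Win32.VB.ja
McAfee 5241 2008.02.28 -
Microsoft 1.3301 2008.02.29 Trojan:Win32/Malagent
Symantec 10 2008.02.29 -
VBA32 3.12.6.2 2008.02.27 Backdoor.Win32.VB.ja
"""


def parse_results(text):
    """Return one dict per engine row; 'result' is None when the engine saw nothing."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:            # skips the 5-word header and any odd lines
            continue
        vendor, version, updated, result = parts
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def summarize(rows, installed=()):
    """Detection ratio, the names assigned (most common first) and which of the
    user's installed engines (matched by vendor name) reported the file clean."""
    hits = [r for r in rows if r["result"]]
    clean = {r["vendor"] for r in rows if not r["result"]}
    return {
        "ratio": f"{len(hits)}/{len(rows)}",
        "names": Counter(r["result"] for r in hits).most_common(),
        "installed_missed": sorted(clean & set(installed)),
    }


if __name__ == "__main__":
    # The poster said they had scanned with Norton (Symantec) and AVG.
    print(summarize(parse_results(VT_TEXT), installed=("Symantec", "AVG")))
```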

#14
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Click on Start, then click on Run.
Copy and paste the following (in bold) into the Open box and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad: main.txt and extra.txt.
  • 0

#15
cota33

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
This one I had a problem with. I downloaded the file. When I went to open it, the black box popped up for a split second but would not stay open. I tried running as administrator and allowing total access through the properties. There are also 2 exe files in the folder, but I didn't mess with those. One is catche.exe and the other is dummy.exe.
  • 0





