Laptop gone haywire with spyware! Please help me out [RESOLVED]



#1
Beautyliciouz

    Member

  • 51 posts
Here are my hijack log and uninstall list...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:06 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nicholle Brown\installer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimeme...upplierID=10006
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: 0 - {442175FD-1C88-4999-E1BA-C1F815F9096F} - C:\Program Files\microsoft frontpage\qukax.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {74364AF1-DD8F-4D59-905B-7D901802B99F} - C:\Program Files\MSN\mexofalyt555077.dll (file missing)
O2 - BHO: BndAero6 IE Helper - {82E5E2FF-9260-4d88-B0C6-7CC358C5D418} - C:\Program Files\QdrDrive\QdrDrive11.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {DA8850B0-E78F-40D4-939C-90597B45D5D1} - C:\Program Files\NetMeeting\lawid777444.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8195 bytes

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
AIM 6
Aim Plugin for QQ Games
AOL Uninstaller (Choose which Products to Remove)
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG 7.5
Conexant AC-Link Audio
Data Fax SoftModem with SmartCP
HijackThis 2.0.2
HP Wireless Assistant 1.01 A2
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 2
Learn2 Player (Uninstall Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Money 2005
Microsoft Works
MSN
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 4.0 - SE
PhotoSuite 7 Platinum
Pure Networks Port Magic
QQ Games
Quick Launch Buttons 5.10 B2
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Spybot - Search & Destroy 1.4
STOPzilla
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Yahoo! Messenger

#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

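For readers following along, here is what a volunteer is actually reading for in a HijackThis log like the one in the first post, and how to tell from a second log what a fix like SmitfraudFix removed. The script below is an added example written for this page; it is not HijackThis, SmitfraudFix or DSS code and was not posted by anyone in the thread. The sample log lines are constructed from entries quoted in this thread (the F2 UserInit chain, the O4 autorun under Application Data, the O15 Trusted Zone sites, the BHO entries), and the flagging rules are a conservative reading of those entries, not a rule set from any tool.

```python
"""Triage and before/after comparison for HijackThis (HJT) 2.x logs.

Added example for this thread, not part of HijackThis, SmitfraudFix or DSS.
Defender's view: list the entries worth a second look, then check what a fix
removed and what still needs attention.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# An HJT entry line: a section code ("R1", "F2", "O4", ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Directories an ordinary user (and so drive-by malware) can write to; an
# autorun pointing into one of these deserves a look.
USER_WRITABLE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

# DLL names of the form letters+digits (lawid777444.dll in the log above);
# a naming heuristic only, not proof of anything.
GENERATED_DLL_RE = re.compile(r"\\[a-z]{4,}\d{5,}\.dll")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R/F/O entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def flag(entry: Entry) -> str | None:
    """Return a reason the entry deserves attention, or None if it looks routine."""
    body = entry.body.lower()
    if entry.code == "F2" and "userinit=" in body:
        # Stock XP runs exactly userinit.exe; anything appended after a comma is
        # started by winlogon before the shell, a classic persistence point.
        programs = [p.strip() for p in body.split("userinit=", 1)[1].split(",") if p.strip()]
        if len(programs) != 1 or not programs[0].endswith("\\userinit.exe"):
            return "UserInit chain contains an extra program"
    if entry.code == "O2":
        if "(no file)" in body or "(file missing)" in body:
            return "BHO registration whose DLL is gone (leftover to clean up)"
        if GENERATED_DLL_RE.search(body):
            return "BHO DLL with a generated-looking name"
    if entry.code == "O4" and any(d in body for d in USER_WRITABLE_DIRS):
        return "autorun points into a user-writable profile directory"
    if entry.code == "O15":
        return "site added to the Trusted Zone (IE relaxes its security for it)"
    return None


def triage(text: str) -> list[tuple[Entry, str]]:
    """All flagged entries of one log, in log order."""
    return [(e, reason) for e in parse_hjt(text) if (reason := flag(e))]


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[tuple[Entry, str]]]:
    """Entries that disappeared between two logs of the same machine, plus the
    flagged entries still present in the second one."""
    gone = set(parse_hjt(before)) - set(parse_hjt(after))
    removed = [e for e in parse_hjt(before) if e in gone]
    return removed, triage(after)


# Constructed samples: a few lines taken from the first post's log and from the
# post-SmitfraudFix log posted later in this thread.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {DA8850B0-E78F-40D4-939C-90597B45D5D1} - C:\Program Files\NetMeeting\lawid777444.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
"""

AFTER_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DA8850B0-E78F-40D4-939C-90597B45D5D1} - C:\Program Files\NetMeeting\lawid777444.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
"""

if __name__ == "__main__":
    for entry, reason in triage(BEFORE_LOG):
        print(f"[{entry.code}] {reason}: {entry.body}")
    removed, still_flagged = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries gone after the fix, {len(still_flagged)} flagged entries remain")
```

On the constructed pair the UserInit chain and the dead BHO registration are gone after the fix, while the autorun in Application Data, the oddly named BHO DLL and the Trusted Zone site are still there, which is the kind of residue a helper then addresses in the next round. The rules are deliberately narrow: a match means "look at this", not "this is malware", and the Acrobat BHO and the QuickTime autorun pass untouched.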

#3
Beautyliciouz

    Member

  • Topic Starter
  • 51 posts
Thank you SO much! Here are the notepad files...

SmitFraudFix v2.300

Scan done at 22:23:42.56, Sun 03/02/2008
Run from C:\Documents and Settings\Nicholle Brown\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\764.exe Deleted
C:\WINDOWS\7search.dll Deleted
C:\WINDOWS\absolute key logger.lnk Deleted
C:\WINDOWS\aconti.exe Deleted
C:\WINDOWS\aconti.ini Deleted
C:\WINDOWS\aconti.log Deleted
C:\WINDOWS\aconti.sdb Deleted
C:\WINDOWS\acontidialer.txt Deleted
C:\WINDOWS\adbar.dll Deleted
C:\WINDOWS\cbinst$.exe Deleted
C:\WINDOWS\daxtime.dll Deleted
C:\WINDOWS\dp0.dll Deleted
C:\WINDOWS\eventlowg.dll Deleted
C:\WINDOWS\fhfmm-Uninstaller.exe Deleted
C:\WINDOWS\fhfmm.exe Deleted
C:\WINDOWS\flt.dll Deleted
C:\WINDOWS\hcwprn.exe Deleted
C:\WINDOWS\hotporn.exe Deleted
C:\WINDOWS\iexplorr23.dll Deleted
C:\WINDOWS\ie_32.exe Deleted
C:\WINDOWS\jd2002.dll Deleted
C:\WINDOWS\kkcomp$.exe Deleted
C:\WINDOWS\kkcomp.dll Deleted
C:\WINDOWS\kkcomp.exe Deleted
C:\WINDOWS\kvnab$.exe Deleted
C:\WINDOWS\kvnab.dll Deleted
C:\WINDOWS\kvnab.exe Deleted
C:\WINDOWS\liqad$.exe Deleted
C:\WINDOWS\liqad.dll Deleted
C:\WINDOWS\liqad.exe Deleted
C:\WINDOWS\liqui-Uninstaller.exe Deleted
C:\WINDOWS\liqui.dll Deleted
C:\WINDOWS\liqui.exe Deleted
C:\WINDOWS\ngd.dll Deleted
C:\WINDOWS\pbar.dll Deleted
C:\WINDOWS\pbsysie.dll Deleted
C:\WINDOWS\settn.dll Deleted
C:\WINDOWS\spredirect.dll Deleted
C:\WINDOWS\vxddsk.exe Deleted
C:\WINDOWS\wbeCheck.exe Deleted
C:\WINDOWS\wbeInst$.exe Deleted
C:\WINDOWS\wml.exe Deleted
C:\WINDOWS\xadbrk.dll Deleted
C:\WINDOWS\xadbrk.exe Deleted
C:\WINDOWS\xadbrk_.exe Deleted
C:\WINDOWS\xxxvideo.exe Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\ESHOPEE.exe Deleted
C:\WINDOWS\system32\msole32.exe Deleted
C:\WINDOWS\system32\vxddsk.exe Deleted
C:\WINDOWS\system32\winfrun32.bin Deleted
C:\WINDOWS\system32\wml.exe Deleted
C:\WINDOWS\system32\acespy\ Deleted
C:\Program Files\3721\ Deleted
C:\Program Files\Accoona\ Deleted
C:\Program Files\akl\ Deleted
C:\Program Files\amsys\ Deleted
C:\Program Files\e-zshopper\ Deleted
C:\Program Files\p2pnetworks\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{29130EA1-67E8-4457-BF78-09F264AB0F14}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{29130EA1-67E8-4457-BF78-09F264AB0F14}: DhcpNameServer=68.87.73.242 68.87.71.226


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Deckard's System Scanner v20071014.68
Run by Nicholle Brown on 2008-03-02 22:56:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-03-03 03:56:22 UTC - RP71 - Deckard's System Scanner Restore Point
41: 2008-03-02 20:21:33 UTC - RP70 - Restore Operation
40: 2008-03-02 18:23:05 UTC - RP69 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
39: 2008-03-02 03:51:18 UTC - RP68 - Installed AVG 7.5
38: 2008-02-22 00:11:16 UTC - RP67 - System Checkpoint


-- First Restore Point --
1: 2008-01-03 19:31:52 UTC - RP30 - Configured easy Internet sign-up


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Nicholle Brown.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:01 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Documents and Settings\Nicholle Brown\installer.exe
C:\Documents and Settings\Nicholle Brown\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nicholle Brown.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimeme...upplierID=10006
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: 0 - {442175FD-1C88-4999-E1BA-C1F815F9096F} - C:\Program Files\microsoft frontpage\qukax.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74364AF1-DD8F-4D59-905B-7D901802B99F} - C:\Program Files\MSN\mexofalyt555077.dll (file missing)
O2 - BHO: (no name) - {DA8850B0-E78F-40D4-939C-90597B45D5D1} - C:\Program Files\NetMeeting\lawid777444.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7032 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 szkg5 (szkg) - c:\windows\system32\drivers\szkg.sys <Not Verified; iS3 Inc.; Stopzilla>
R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 szserver (STOPzilla Service) - "c:\program files\common files\is3\anti-spyware\szserver.exe" <Not Verified; iS3, Inc.; STOPzilla>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 AOL ACS (AOL Connectivity Service) - c:\progra~1\common~1\aol\acs\aolacsd.exe (file missing)
S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-02 22:58:01 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-02-02 and 2008-03-02 -----------------------------

2008-03-02 22:23:58 1084 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-02 15:30:53 0 d-------- C:\Program Files\Trend Micro
2008-03-02 13:26:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-02 13:24:06 0 d-------- C:\Program Files\STOPzilla!
2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files\iS3
2008-03-02 13:23:40 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-01 23:03:54 0 dr-h----- C:\$VAULT$.AVG
2008-03-01 22:51:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-01 20:47:44 487936 --a------ C:\Documents and Settings\Nicholle Brown\installer.exe <Not Verified; Awola Corporation; Awola Anti-Spyware>
2008-03-01 20:44:38 0 -rahs---- C:\MSDOS.SYS
2008-03-01 20:44:38 0 -rahs---- C:\IO.SYS
2008-03-01 20:34:20 0 --ahs---- C:\Documents and Settings\Nicholle Brown\Application Data\0000000000b925c42dc9f1d8d31f03ae6efe1f514b.dat
2008-03-01 20:05:27 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Awola
2008-03-01 20:02:22 13824 --a------ C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
2008-03-01 20:00:01 13824 --a------ C:\Ifpc.exe
2008-03-01 19:39:20 0 d-------- C:\Program Files\webHancer
2008-03-01 19:39:12 89107 --a------ C:\WINDOWS\ryfkxajy.exe <Not Verified; Microsoft; runbll>
2008-03-01 19:38:29 0 d-------- C:\Program Files\QdrPack
2008-03-01 19:38:12 0 d-------- C:\Program Files\QdrModule
2008-03-01 19:38:06 0 d-------- C:\Program Files\QdrDrive
2008-03-01 19:38:01 0 d-------- C:\Program Files\ISM
2008-03-01 10:56:22 278793 --a------ C:\WINDOWS\system32\000070.exe
2008-02-20 16:44:15 0 d-------- C:\Documents and Settings\Josh\Application Data\Macromedia
2008-02-20 16:44:13 0 d-------- C:\Documents and Settings\Josh\Application Data\Adobe
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Templates
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Start Menu
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\SendTo
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Recent
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\PrintHood
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\NetHood
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\My Documents
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Local Settings
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Favorites
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Desktop
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Cookies
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Application Data
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Symantec
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Application Data\Microsoft
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Identities
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Apple Computer
2008-02-20 16:32:56 696320 --a------ C:\Documents and Settings\Josh\NTUSER.DAT
2008-02-09 21:42:49 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Roxio
2008-02-09 21:24:55 0 d-------- C:\Program Files\Roxio
2008-02-09 21:24:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-09 21:24:43 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-09 12:24:47 6144 --a------ C:\WINDOWS\ons.dll
2008-02-09 12:24:41 6144 --a------ C:\info.exe


-- Find3M Report ---------------------------------------------------------------

2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files
2008-03-02 11:04:56 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AVG7
2008-03-01 23:03:55 0 d-------- C:\Program Files\microsoft frontpage
2008-02-01 14:36:44 229376 -ra------ C:\WINDOWS\system32\SZBase5.dll <Not Verified; iS3, Inc.; STOPzilla>
2008-01-30 17:53:04 126976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:52:56 364544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:52:16 372736 -ra------ C:\WINDOWS\system32\IS3UI5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:52:00 61440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:51:42 23040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:51:24 192512 -ra------ C:\WINDOWS\system32\IS3Win325.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:50:58 94208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:50:44 90112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-30 17:47:08 704512 -ra------ C:\WINDOWS\system32\IS3Base5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-01-04 09:57:52 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Adobe
2008-01-04 09:56:08 0 d-------- C:\Program Files\Yahoo!
2008-01-04 08:04:30 0 d-------- C:\Program Files\MSXML 4.0
2008-01-03 20:38:58 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Viewpoint
2008-01-03 20:34:45 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\QQ Games Plugin
2008-01-03 20:34:34 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\acccore
2008-01-03 20:33:04 0 d-------- C:\Program Files\AIM6
2008-01-03 20:28:34 0 d-------- C:\Program Files\Tencent
2008-01-03 20:24:47 0 d-------- C:\Program Files\Viewpoint
2008-01-03 20:23:26 0 d-------- C:\Program Files\Common Files\AOL
2008-01-03 20:10:23 0 d-------- C:\Program Files\support.com
2008-01-03 15:13:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 15:13:04 0 d-------- C:\Program Files\Symantec
2008-01-03 14:59:34 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-03 14:50:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-03 14:50:03 0 d-------- C:\Program Files\HPQ
2008-01-03 14:33:14 0 d-------- C:\Program Files\Easy Internet signup
2008-01-03 14:30:48 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AOL
2008-01-03 14:30:01 0 d-------- C:\Program Files\Common Files\aolshare
2008-01-03 14:29:59 0 d-------- C:\Program Files\America Online 9.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442175FD-1C88-4999-E1BA-C1F815F9096F}]
C:\Program Files\microsoft frontpage\qukax.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74364AF1-DD8F-4D59-905B-7D901802B99F}]
C:\Program Files\MSN\mexofalyt555077.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA8850B0-E78F-40D4-939C-90597B45D5D1}]
02/27/2008 08:54 PM 217088 --a------ C:\Program Files\NetMeeting\lawid777444.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/11/2005 12:00 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 07:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/02/2005 07:11 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 03:24 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 04:01 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/2005 09:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [12/18/2007 02:04 PM]
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe" [03/01/2008 08:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154484575\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-03-02 23:01:32 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 222.48 MiB / 50.9 MiB
Pagefile Memory (total/avail): 3303.49 MiB / 3009.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.03 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 24.62 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AT PL - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nicholle Brown\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC121997174214
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nicholle Brown
LOGONSERVER=\\PC121997174214
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NICHOL~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\NICHOL~1\LOCALS~1\Temp
USERDOMAIN=PC121997174214
USERNAME=Nicholle Brown
USERPROFILE=C:\Documents and Settings\Nicholle Brown
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Nicholle Brown (admin)
Josh


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Aim Plugin for QQ Games --> C:\Program Files\Tencent\QQ Games\Plugin\Uninstall.EXE
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta3091.inf
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C\HXFSETUP.EXE -U -IVEN_1002&DEV_4378&SUBSYS_3091103C
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Wireless Assistant 1.01 A2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
muvee autoProducer 4.0 - SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe" -l0x9
PhotoSuite 7 Platinum --> MsiExec.exe /I{75F41CC1-D089-4881-93FF-68FD1C256FE4}
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
QQ Games --> C:\Program Files\Tencent\QQ Games\Uninstall.EXE
Quick Launch Buttons 5.10 B2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
STOPzilla --> MsiExec.exe /X{02DF19A9-DBAC-44E1-A018-D1AA7EBFAD36}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{612DC38A-B36A-4699-88EB-12C7394DE2FC} /l1033
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type1076 / Error
Event Submitted/Written: 03/02/2008 09:20:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module lawid777444.dll, version 0.0.0.0, fault address 0x000067a6.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1069 / Error
Event Submitted/Written: 03/02/2008 03:27:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application STOPzilla.exe, version 5.0.7.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1062 / Error
Event Submitted/Written: 03/02/2008 03:07:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1055 / Error
Event Submitted/Written: 03/02/2008 01:30:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application whagent.exe, version 4.2.3.0, faulting module unknown, version 0.0.0.0, fault address 0x020d2b90.
Processing media-specific event for [whagent.exe!ws!]

Event Record #/Type1054 / Error
Event Submitted/Written: 03/02/2008 01:29:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application is3updater.exe, version 5.0.7.1, faulting module unknown, version 0.0.0.0, fault address 0x019b2b90.
Processing media-specific event for [is3updater.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6628 / Error
Event Submitted/Written: 03/02/2008 10:41:30 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AliIde
IntelIde
ViaIde

Event Record #/Type6627 / Error
Event Submitted/Written: 03/02/2008 10:41:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AOL Connectivity Service service failed to start due to the following error:
%%2

Event Record #/Type6623 / Error
Event Submitted/Written: 03/02/2008 10:36:10 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type6622 / Error
Event Submitted/Written: 03/02/2008 10:34:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type6621 / Error
Event Submitted/Written: 03/02/2008 10:33:57 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-03-02 23:01:32 ------------
  • 0

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe

  • Click Open.
  • Click Post.
Thank you!



1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: 0 - {442175FD-1C88-4999-E1BA-C1F815F9096F} - C:\Program Files\microsoft frontpage\qukax.dll (file missing)
O2 - BHO: (no name) - {74364AF1-DD8F-4D59-905B-7D901802B99F} - C:\Program Files\MSN\mexofalyt555077.dll (file missing)
O2 - BHO: (no name) - {DA8850B0-E78F-40D4-939C-90597B45D5D1} - C:\Program Files\NetMeeting\lawid777444.dll
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Nicholle Brown\installer.exe
    C:\Documents and Settings\Nicholle Brown\Application Data\Awola
    C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe
    C:\Ifpc.exe
    C:\Program Files\webHancer
    C:\WINDOWS\ryfkxajy.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrModule
    C:\Program Files\QdrDrive
    C:\Program Files\ISM
    C:\WINDOWS\system32\000070.exe
    C:\WINDOWS\ons.dll
    C:\info.exe
    C:\Program Files\Tencent
    C:\Program Files\NetMeeting\lawid777444.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
  • 0

#5
Beautyliciouz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
The MoveIt program kept freezing up when I tried to move the files. It kept getting stuck on the WINDOWS\ons.dll file... so I had to remove that one for it to work. Below are the results along with the DSS log...

File/Folder C:\Documents and Settings\Nicholle Brown\installer.exe not found.
File/Folder C:\Documents and Settings\Nicholle Brown\Application Data\Awola not found.
File/Folder C:\Documents and Settings\Nicholle Brown\Application Data\gnpuy.exe not found.
File/Folder C:\Ifpc.exe not found.
File/Folder C:\Program Files\webHancer not found.
File/Folder C:\WINDOWS\ryfkxajy.exe not found.
File/Folder C:\Program Files\QdrPack not found.
File/Folder C:\Program Files\QdrModule not found.
File/Folder C:\Program Files\QdrDrive not found.
File/Folder C:\Program Files\ISM not found.
File/Folder C:\WINDOWS\system32\000070.exe not found.
C:\info.exe moved successfully.
C:\Program Files\Tencent\QQ Games\Update\Res moved successfully.
C:\Program Files\Tencent\QQ Games\Update moved successfully.
C:\Program Files\Tencent\QQ Games\ui moved successfully.
C:\Program Files\Tencent\QQ Games\Storage moved successfully.
C:\Program Files\Tencent\QQ Games\Socket moved successfully.
C:\Program Files\Tencent\QQ Games\Res\ToolTip moved successfully.
C:\Program Files\Tencent\QQ Games\Res\TitlIcon moved successfully.
C:\Program Files\Tencent\QQ Games\Res\TipDlg moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Sound moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Social moved successfully.
C:\Program Files\Tencent\QQ Games\Res\SelfInfo moved successfully.
C:\Program Files\Tencent\QQ Games\Res\roomitem moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Room\GIPanel moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Room moved successfully.
C:\Program Files\Tencent\QQ Games\Res\qqshow\avct moved successfully.
C:\Program Files\Tencent\QQ Games\Res\qqshow moved successfully.
C:\Program Files\Tencent\QQ Games\Res\QQAVShow moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Qg2003\skindlg moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Qg2003\MainWin moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Qg2003\button moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Qg2003 moved successfully.
C:\Program Files\Tencent\QQ Games\Res\PluginGameIcons moved successfully.
C:\Program Files\Tencent\QQ Games\Res\playerinfopanel moved successfully.
C:\Program Files\Tencent\QQ Games\Res\MainWin\web moved successfully.
C:\Program Files\Tencent\QQ Games\Res\MainWin\Tray moved successfully.
C:\Program Files\Tencent\QQ Games\Res\MainWin\Button moved successfully.
C:\Program Files\Tencent\QQ Games\Res\MainWin\Border moved successfully.
C:\Program Files\Tencent\QQ Games\Res\MainWin moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Login\Update moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Login\Cirpro moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Login\Button moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Login moved successfully.
C:\Program Files\Tencent\QQ Games\Res\ItemShop moved successfully.
C:\Program Files\Tencent\QQ Games\Res\GAShow moved successfully.
C:\Program Files\Tencent\QQ Games\Res\GameShow moved successfully.
C:\Program Files\Tencent\QQ Games\Res\FrameDlg moved successfully.
C:\Program Files\Tencent\QQ Games\Res\face moved successfully.
C:\Program Files\Tencent\QQ Games\Res\ExchangeMoney moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Download\LafPgs moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Download moved successfully.
C:\Program Files\Tencent\QQ Games\Res\DirIcons\Status moved successfully.
C:\Program Files\Tencent\QQ Games\Res\DirIcons\AolView\clientBtns moved successfully.
C:\Program Files\Tencent\QQ Games\Res\DirIcons\AolView moved successfully.
C:\Program Files\Tencent\QQ Games\Res\DirIcons moved successfully.
C:\Program Files\Tencent\QQ Games\Res\ComplainRoom moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\Tree2 moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\tip\TopRight moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\tip\TopLeft moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\tip\BottomRight moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\tip\BottomLeft moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\tip moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\tab moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\splitter moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\scroll moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\msgbox moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\menu moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\list moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\icon moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\dialog\itemshop moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\dialog moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\cursor moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common\button moved successfully.
C:\Program Files\Tencent\QQ Games\Res\Common moved successfully.
C:\Program Files\Tencent\QQ Games\Res\ChannAdi\AdMiniGa moved successfully.
C:\Program Files\Tencent\QQ Games\Res\ChannAdi\AddinMgr moved successfully.
C:\Program Files\Tencent\QQ Games\Res\ChannAdi moved successfully.
C:\Program Files\Tencent\QQ Games\Res\CAAddins\Waiting moved successfully.
C:\Program Files\Tencent\QQ Games\Res\CAAddins\Match moved successfully.
C:\Program Files\Tencent\QQ Games\Res\CAAddins\GraRom moved successfully.
C:\Program Files\Tencent\QQ Games\Res\CAAddins\Chat moved successfully.
C:\Program Files\Tencent\QQ Games\Res\CAAddins\AvatarRoom moved successfully.
C:\Program Files\Tencent\QQ Games\Res\CAAddins moved successfully.
C:\Program Files\Tencent\QQ Games\Res\AD\inst\installer moved successfully.
C:\Program Files\Tencent\QQ Games\Res\AD\inst\images moved successfully.
C:\Program Files\Tencent\QQ Games\Res\AD\inst moved successfully.
C:\Program Files\Tencent\QQ Games\Res\AD moved successfully.
C:\Program Files\Tencent\QQ Games\Res moved successfully.
C:\Program Files\Tencent\QQ Games\ProtHand moved successfully.
C:\Program Files\Tencent\QQ Games\Plugin moved successfully.
C:\Program Files\Tencent\QQ Games\logic\Parsers moved successfully.
C:\Program Files\Tencent\QQ Games\logic\ChanAdd moved successfully.
C:\Program Files\Tencent\QQ Games\logic\CAAddins moved successfully.
C:\Program Files\Tencent\QQ Games\logic moved successfully.
C:\Program Files\Tencent\QQ Games\LocalizationRes\zh-cn moved successfully.
C:\Program Files\Tencent\QQ Games\LocalizationRes\en-us\DailyTip\tips moved successfully.
C:\Program Files\Tencent\QQ Games\LocalizationRes\en-us\DailyTip\images\tips moved successfully.
C:\Program Files\Tencent\QQ Games\LocalizationRes\en-us\DailyTip\images moved successfully.
C:\Program Files\Tencent\QQ Games\LocalizationRes\en-us\DailyTip moved successfully.
C:\Program Files\Tencent\QQ Games\LocalizationRes\en-us moved successfully.
C:\Program Files\Tencent\QQ Games\LocalizationRes moved successfully.
C:\Program Files\Tencent\QQ Games\Games moved successfully.
C:\Program Files\Tencent\QQ Games\config\Users moved successfully.
C:\Program Files\Tencent\QQ Games\config\Original moved successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\DirBlock moved successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic moved successfully.
C:\Program Files\Tencent\QQ Games\config moved successfully.
C:\Program Files\Tencent\QQ Games\Common moved successfully.
C:\Program Files\Tencent\QQ Games moved successfully.
C:\Program Files\Tencent moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\NetMeeting\lawid777444.dll
C:\Program Files\NetMeeting\lawid777444.dll NOT unregistered.
C:\Program Files\NetMeeting\lawid777444.dll moved successfully.
[Custom Input]
< purity >

OTMoveIt2 v1.0.20 log created on 03032008_114248

Deckard's System Scanner v20071014.68
Run by Nicholle Brown on 2008-03-03 11:43:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Nicholle Brown.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:27 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nicholle Brown\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NICHOL~1.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimeme...upplierID=10006
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Nicholle Brown\Application Data\Awola\Awola.exe" /MIN
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6588 bytes

-- Files created between 2008-02-03 and 2008-03-03 -----------------------------

2008-03-03 11:22:45 290816 --a------ C:\WINDOWS\trictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-03-03 08:54:26 32512 --a------ C:\WINDOWS\system32\msole32.exe
2008-03-03 08:54:25 23040 --a------ C:\WINDOWS\settn.dll
2008-03-03 08:54:25 27392 --a------ C:\WINDOWS\kvnab.exe
2008-03-03 08:54:25 13056 --a------ C:\WINDOWS\kvnab.dll
2008-03-03 08:54:25 19456 --a------ C:\WINDOWS\kvnab$.exe
2008-03-03 08:54:24 24064 --a------ C:\WINDOWS\wbeCheck.exe
2008-03-03 08:54:24 27904 --a------ C:\WINDOWS\pbsysie.dll
2008-03-03 08:54:24 31744 --a------ C:\WINDOWS\hcwprn.exe
2008-03-03 08:54:23 16896 --a------ C:\WINDOWS\wbeInst$.exe
2008-03-03 08:54:23 22528 --a------ C:\WINDOWS\iexplorr23.dll
2008-03-03 08:54:22 11008 --a------ C:\WINDOWS\system32\ace16win.dll
2008-03-03 08:54:21 17408 --a------ C:\WINDOWS\system32\wml.exe
2008-03-03 08:54:21 30976 --a------ C:\WINDOWS\system32\vxddsk.exe
2008-03-03 08:54:21 23296 --a------ C:\WINDOWS\flt.dll
2008-03-03 08:54:20 12800 --a------ C:\WINDOWS\764.exe
2008-03-03 08:54:19 0 d-------- C:\Program Files\3721
2008-03-03 08:52:18 0 d-------- C:\Program Files\Accoona
2008-03-03 08:18:19 22784 --a------ C:\WINDOWS\eventlowg.dll
2008-03-03 08:18:18 30208 --a------ C:\WINDOWS\liqui.dll
2008-03-03 08:18:18 14592 --a------ C:\WINDOWS\daxtime.dll
2008-03-03 08:18:17 26880 --a------ C:\WINDOWS\xadbrk.exe
2008-03-03 08:18:17 11520 --a------ C:\WINDOWS\xadbrk.dll
2008-03-03 08:18:17 18944 --a------ C:\WINDOWS\liqui-Uninstaller.exe
2008-03-03 08:18:17 29440 --a------ C:\WINDOWS\liqui.exe
2008-03-03 08:18:17 11008 --a------ C:\WINDOWS\fhfmm-Uninstaller.exe
2008-03-03 08:18:17 18176 --a------ C:\WINDOWS\fhfmm.exe
2008-03-03 08:18:16 30720 --a------ C:\WINDOWS\xadbrk_.exe
2008-03-03 08:18:16 25600 --a------ C:\WINDOWS\kkcomp.exe
2008-03-03 08:18:16 19968 --a------ C:\WINDOWS\kkcomp.dll
2008-03-03 08:18:15 10240 --a------ C:\WINDOWS\liqad.exe
2008-03-03 08:18:15 24576 --a------ C:\WINDOWS\liqad.dll
2008-03-03 08:18:15 13824 --a------ C:\WINDOWS\liqad$.exe
2008-03-03 08:18:15 13568 --a------ C:\WINDOWS\kkcomp$.exe
2008-03-03 08:18:14 9216 --a------ C:\WINDOWS\cbinst$.exe
2008-03-03 08:18:13 29952 --a------ C:\WINDOWS\adbar.dll
2008-03-03 08:18:12 24320 --a------ C:\WINDOWS\system32\ESHOPEE.exe
2008-03-03 08:18:12 26368 --a------ C:\WINDOWS\spredirect.dll
2008-03-03 08:18:12 15104 --a------ C:\WINDOWS\jd2002.dll
2008-03-03 08:18:11 0 d-------- C:\Program Files\e-zshopper
2008-03-03 08:18:10 0 d-------- C:\Program Files\amsys
2008-03-03 08:18:09 9728 --a------ C:\WINDOWS\ie_32.exe
2008-03-03 08:18:09 15872 --a------ C:\WINDOWS\aconti.exe
2008-03-03 08:18:08 12032 --a------ C:\WINDOWS\xxxvideo.exe
2008-03-03 08:18:08 0 d-------- C:\WINDOWS\system32\acespy
2008-03-03 08:18:08 9728 --a------ C:\WINDOWS\ngd.dll
2008-03-03 08:18:08 19968 --a------ C:\WINDOWS\hotporn.exe
2008-03-03 08:18:08 20480 --a------ C:\WINDOWS\dp0.dll
2008-03-03 08:18:07 0 d-------- C:\Program Files\p2pnetworks
2008-03-03 08:18:05 32000 --a------ C:\WINDOWS\vxddsk.exe
2008-03-03 08:18:05 0 d-------- C:\Program Files\akl
2008-03-03 08:18:04 26368 --a------ C:\WINDOWS\wml.exe
2008-03-03 08:18:04 25856 --a------ C:\WINDOWS\7search.dll
2008-03-03 08:18:03 27136 --a------ C:\WINDOWS\pbar.dll
2008-03-03 08:02:58 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-02 22:23:58 1084 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-02 15:30:53 0 d-------- C:\Program Files\Trend Micro
2008-03-02 13:26:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files\iS3
2008-03-02 13:23:40 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-01 23:03:54 0 dr-h----- C:\$VAULT$.AVG
2008-03-01 22:51:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-01 20:44:38 0 -rahs---- C:\MSDOS.SYS
2008-03-01 20:44:38 0 -rahs---- C:\IO.SYS
2008-03-01 20:34:20 0 --ahs---- C:\Documents and Settings\Nicholle Brown\Application Data\0000000000b925c42dc9f1d8d31f03ae6efe1f514b.dat
2008-02-20 16:44:15 0 d-------- C:\Documents and Settings\Josh\Application Data\Macromedia
2008-02-20 16:44:13 0 d-------- C:\Documents and Settings\Josh\Application Data\Adobe
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Templates
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Start Menu
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\SendTo
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Recent
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\PrintHood
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\NetHood
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\My Documents
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Local Settings
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Favorites
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Desktop
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Cookies
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Application Data
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Symantec
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Application Data\Microsoft
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Identities
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Apple Computer
2008-02-20 16:32:56 696320 --a------ C:\Documents and Settings\Josh\NTUSER.DAT
2008-02-09 21:42:49 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Roxio
2008-02-09 21:24:55 0 d-------- C:\Program Files\Roxio
2008-02-09 21:24:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-09 21:24:43 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-09 12:24:47 6144 --a------ C:\WINDOWS\ons.dll
2008-02-09 12:24:41 89105 --a------ C:\WINDOWS\system32\mgmrwmrv.exe <Not Verified; Microsoft; runbll>


-- Find3M Report ---------------------------------------------------------------

2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files
2008-03-02 11:04:56 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AVG7
2008-03-01 23:03:55 0 d-------- C:\Program Files\microsoft frontpage
2008-01-04 09:57:52 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Adobe
2008-01-04 09:56:08 0 d-------- C:\Program Files\Yahoo!
2008-01-04 08:04:30 0 d-------- C:\Program Files\MSXML 4.0
2008-01-03 20:38:58 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Viewpoint
2008-01-03 20:34:45 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\QQ Games Plugin
2008-01-03 20:34:34 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\acccore
2008-01-03 20:33:04 0 d-------- C:\Program Files\AIM6
2008-01-03 20:24:47 0 d-------- C:\Program Files\Viewpoint
2008-01-03 20:23:26 0 d-------- C:\Program Files\Common Files\AOL
2008-01-03 20:10:23 0 d-------- C:\Program Files\support.com
2008-01-03 15:13:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 15:13:04 0 d-------- C:\Program Files\Symantec
2008-01-03 14:59:34 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-03 14:50:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-03 14:50:03 0 d-------- C:\Program Files\HPQ
2008-01-03 14:33:14 0 d-------- C:\Program Files\Easy Internet signup
2008-01-03 14:30:48 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AOL
2008-01-03 14:30:01 0 d-------- C:\Program Files\Common Files\aolshare
2008-01-03 14:29:59 0 d-------- C:\Program Files\America Online 9.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/11/2005 12:00 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 07:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/02/2005 07:11 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 03:24 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 04:01 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/2005 09:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [12/18/2007 02:04 PM]
"Awola"="C:\Documents and Settings\Nicholle Brown\Application Data\Awola\Awola.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154484575\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-03-03 11:45:28 ------------

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Delete SmitfraudFix.exe and its folder, then do this again.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


Also post a new DSS log

#7
Beautyliciouz

    Member

  • Topic Starter
  • Member
  • 51 posts
SmitFraudFix v2.300

Scan done at 12:32:02.20, Mon 03/03/2008
Run from C:\Documents and Settings\Nicholle Brown\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\764.exe Deleted
C:\WINDOWS\7search.dll Deleted
C:\WINDOWS\absolute key logger.lnk Deleted
C:\WINDOWS\aconti.exe Deleted
C:\WINDOWS\aconti.ini Deleted
C:\WINDOWS\aconti.log Deleted
C:\WINDOWS\aconti.sdb Deleted
C:\WINDOWS\acontidialer.txt Deleted
C:\WINDOWS\adbar.dll Deleted
C:\WINDOWS\cbinst$.exe Deleted
C:\WINDOWS\daxtime.dll Deleted
C:\WINDOWS\default.htm Deleted
C:\WINDOWS\dp0.dll Deleted
C:\WINDOWS\eventlowg.dll Deleted
C:\WINDOWS\fhfmm-Uninstaller.exe Deleted
C:\WINDOWS\fhfmm.exe Deleted
C:\WINDOWS\flt.dll Deleted
C:\WINDOWS\hcwprn.exe Deleted
C:\WINDOWS\hotporn.exe Deleted
C:\WINDOWS\iexplorr23.dll Deleted
C:\WINDOWS\ie_32.exe Deleted
C:\WINDOWS\jd2002.dll Deleted
C:\WINDOWS\kkcomp$.exe Deleted
C:\WINDOWS\kkcomp.dll Deleted
C:\WINDOWS\kkcomp.exe Deleted
C:\WINDOWS\kvnab$.exe Deleted
C:\WINDOWS\kvnab.dll Deleted
C:\WINDOWS\kvnab.exe Deleted
C:\WINDOWS\liqad$.exe Deleted
C:\WINDOWS\liqad.dll Deleted
C:\WINDOWS\liqad.exe Deleted
C:\WINDOWS\liqui-Uninstaller.exe Deleted
C:\WINDOWS\liqui.dll Deleted
C:\WINDOWS\liqui.exe Deleted
C:\WINDOWS\ngd.dll Deleted
C:\WINDOWS\pbar.dll Deleted
C:\WINDOWS\pbsysie.dll Deleted
C:\WINDOWS\settn.dll Deleted
C:\WINDOWS\spredirect.dll Deleted
C:\WINDOWS\vxddsk.exe Deleted
C:\WINDOWS\wbeCheck.exe Deleted
C:\WINDOWS\wbeInst$.exe Deleted
C:\WINDOWS\wml.exe Deleted
C:\WINDOWS\xadbrk.dll Deleted
C:\WINDOWS\xadbrk.exe Deleted
C:\WINDOWS\xadbrk_.exe Deleted
C:\WINDOWS\xxxvideo.exe Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\ESHOPEE.exe Deleted
C:\WINDOWS\system32\mgmrwmrv.exe Deleted
C:\WINDOWS\system32\msole32.exe Deleted
C:\WINDOWS\system32\vxddsk.exe Deleted
C:\WINDOWS\system32\winfrun32.bin Deleted
C:\WINDOWS\system32\wml.exe Deleted
C:\WINDOWS\system32\acespy\ Deleted
C:\Program Files\3721\ Deleted
C:\Program Files\Accoona\ Deleted
C:\Program Files\akl\ Deleted
C:\Program Files\amsys\ Deleted
C:\Program Files\e-zshopper\ Deleted
C:\Program Files\p2pnetworks\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{29130EA1-67E8-4457-BF78-09F264AB0F14}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{29130EA1-67E8-4457-BF78-09F264AB0F14}: DhcpNameServer=68.87.73.242 68.87.71.226


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Deckard's System Scanner v20071014.68
Run by Nicholle Brown on 2008-03-03 12:52:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Nicholle Brown.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:39 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nicholle Brown\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NICHOL~1.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimeme...upplierID=10006
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Nicholle Brown\Application Data\Awola\Awola.exe" /MIN
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4852 bytes

-- Files created between 2008-02-03 and 2008-03-03 -----------------------------

2008-03-03 11:22:45 290816 --a------ C:\WINDOWS\trictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-03-02 22:23:58 1084 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-02 15:30:53 0 d-------- C:\Program Files\Trend Micro
2008-03-02 13:26:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files\iS3
2008-03-02 13:23:40 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-01 23:03:54 0 dr-h----- C:\$VAULT$.AVG
2008-03-01 22:51:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-01 20:44:38 0 -rahs---- C:\MSDOS.SYS
2008-03-01 20:44:38 0 -rahs---- C:\IO.SYS
2008-03-01 20:34:20 0 --ahs---- C:\Documents and Settings\Nicholle Brown\Application Data\0000000000b925c42dc9f1d8d31f03ae6efe1f514b.dat
2008-02-20 16:44:15 0 d-------- C:\Documents and Settings\Josh\Application Data\Macromedia
2008-02-20 16:44:13 0 d-------- C:\Documents and Settings\Josh\Application Data\Adobe
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Templates
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Start Menu
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\SendTo
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Recent
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\PrintHood
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\NetHood
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\My Documents
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Local Settings
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Favorites
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Desktop
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Cookies
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Application Data
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Symantec
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Application Data\Microsoft
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Identities
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Apple Computer
2008-02-20 16:32:56 696320 --a------ C:\Documents and Settings\Josh\NTUSER.DAT
2008-02-09 21:42:49 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Roxio
2008-02-09 21:24:55 0 d-------- C:\Program Files\Roxio
2008-02-09 21:24:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-09 21:24:43 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-09 12:24:47 6144 --a------ C:\WINDOWS\ons.dll


-- Find3M Report ---------------------------------------------------------------

2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files
2008-03-02 11:04:56 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AVG7
2008-03-01 23:03:55 0 d-------- C:\Program Files\microsoft frontpage
2008-01-04 09:57:52 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Adobe
2008-01-04 09:56:08 0 d-------- C:\Program Files\Yahoo!
2008-01-04 08:04:30 0 d-------- C:\Program Files\MSXML 4.0
2008-01-03 20:38:58 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Viewpoint
2008-01-03 20:34:45 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\QQ Games Plugin
2008-01-03 20:34:34 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\acccore
2008-01-03 20:33:04 0 d-------- C:\Program Files\AIM6
2008-01-03 20:24:47 0 d-------- C:\Program Files\Viewpoint
2008-01-03 20:23:26 0 d-------- C:\Program Files\Common Files\AOL
2008-01-03 20:10:23 0 d-------- C:\Program Files\support.com
2008-01-03 15:13:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 15:13:04 0 d-------- C:\Program Files\Symantec
2008-01-03 14:59:34 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-03 14:50:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-03 14:50:03 0 d-------- C:\Program Files\HPQ
2008-01-03 14:33:14 0 d-------- C:\Program Files\Easy Internet signup
2008-01-03 14:30:48 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AOL
2008-01-03 14:30:01 0 d-------- C:\Program Files\Common Files\aolshare
2008-01-03 14:29:59 0 d-------- C:\Program Files\America Online 9.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/11/2005 12:00 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 07:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/02/2005 07:11 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 03:24 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 04:01 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/2005 09:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [12/18/2007 02:04 PM]
"Awola"="C:\Documents and Settings\Nicholle Brown\Application Data\Awola\Awola.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154484575\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

-- End of Deckard's System Scanner: finished at 2008-03-03 12:53:28 ------------
#8
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\ons.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Nicholle Brown\Application Data\Awola\Awola.exe" /MIN


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please run the OTMoveIt2 by OldTimer again.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\mgmrwmrv.exe
    C:\Documents and Settings\Nicholle Brown\Application Data\Awola
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
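As an added example (not code from this thread or from any of the tools named in it), here is a small Python checker that applies the same reasoning used on the HijackThis log above: a Winlogon Userinit value that chains a second executable, an HKCU Run entry that launches from a user-writable profile directory, and a service whose binary is missing. The sample lines are constructed from the log in this thread; the expected Userinit default, the directory markers and the function names are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input: four HijackThis v2 lines of the kinds seen in
# this thread (a Userinit hijack, a normal HKLM Run entry, an HKCU Run entry
# launching from the user's profile, and an orphaned service).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Nicholle Brown\Application Data\Awola\Awola.exe" /MIN
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
"""

# Assumption: on a stock Windows XP install the Winlogon Userinit value names
# exactly one program. Anything appended after it is run at every logon.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Assumption: directory fragments that legitimate autostart programs rarely
# live in, but that malware dropped by the logged-on user very often does.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

_F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$", re.I)
_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - .* - (?P<path>.*)$")
# A Run-key command line is either a quoted path or an unquoted path ending in .exe.
_EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.exe)', re.I)


def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line, dropping switches."""
    m = _EXE_RE.match(cmd)
    if not m:
        return cmd
    return m.group(1) or m.group(2)


def audit_hijackthis(log: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious F2, O4 or O23 line in a HijackThis log."""
    findings: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = _F2_RE.match(line)
        if m:
            # The value is a comma-separated list; the trailing comma leaves an empty field.
            programs = [p.strip() for p in m.group("val").split(",") if p.strip()]
            for prog in programs:
                if prog.lower() != EXPECTED_USERINIT:
                    findings.append({"section": "F2",
                                     "reason": "extra program chained onto Winlogon Userinit",
                                     "detail": prog})
            continue

        m = _O4_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd"))
            if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append({"section": "O4",
                                 "reason": f"autostart '{m.group('name')}' runs from a user-writable directory",
                                 "detail": path})
            continue

        m = _O23_RE.match(line)
        if m and m.group("path").lower().endswith("(file missing)"):
            findings.append({"section": "O23",
                             "reason": f"service '{m.group('svc')}' points at a missing binary",
                             "detail": m.group("path")})
    return findings


if __name__ == "__main__":
    for f in audit_hijackthis(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}: {f['detail']}")
```

Run against the sample it reports three lines: the second Userinit program, the Awola entry under Application Data, and the orphaned AOL service. The ATIPTA entry under Program Files is left alone, which is the same split the helper made when choosing which HijackThis boxes to tick.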
#9
Beautyliciouz
    Member
  • Topic Starter
  • Member
  • 51 posts
Here is the virustotal log, moveit log, and dss:



Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.03 -
AntiVir 7.6.0.73 2008.03.03 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.02 -
Avast 4.7.1098.0 2008.03.03 -
AVG 7.5.0.516 2008.03.03 -
BitDefender 7.2 2008.03.03 -
CAT-QuickHeal 9.50 2008.03.03 -
ClamAV 0.92.1 2008.03.03 -
DrWeb 4.44.0.09170 2008.03.03 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5582 2008.03.03 -
Ewido 4.0 2008.03.03 -
FileAdvisor 1 2008.03.03 -
Fortinet 3.14.0.0 2008.03.03 -
F-Prot 4.4.2.54 2008.03.02 -
F-Secure 6.70.13260.0 2008.03.03 -
Ikarus T3.1.1.20 2008.03.03 -
Kaspersky 7.0.0.125 2008.03.03 -
McAfee 5243 2008.03.03 -
Microsoft 1.3301 2008.03.03 -
NOD32v2 2918 2008.03.03 -
Norman 5.80.02 2008.03.03 -
Panda 9.0.0.4 2008.03.03 Suspicious file
Prevx1 V2 2008.03.03 TROJAN.AGENT.GEN
Rising 20.34.02.00 2008.03.03 -
Sophos 4.27.0 2008.03.03 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.03 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.03 -
Webwasher-Gateway 6.6.2 2008.03.03 Trojan.Crypt.XPACK.Gen
Additional information
File size: 6144 bytes
MD5: a28984cd595e488e9faf15191840e3c0
SHA1: 2d258cc0a308135ad0fdebb48fecd22b60769508
PEiD: -
packers: PE_Patch.Stolen
Prevx info: http://info.prevx.co...23D9E00173815A2

File/Folder C:\WINDOWS\system32\mgmrwmrv.exe not found.
File/Folder C:\Documents and Settings\Nicholle Brown\Application Data\Awola not found.
[Custom Input]
< purity >

OTMoveIt2 v1.0.20 log created on 03032008_201533

Deckard's System Scanner v20071014.68
Run by Nicholle Brown on 2008-03-03 20:20:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 87% (more than 75%).
Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Nicholle Brown.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:49 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Nicholle Brown\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NICHOL~1.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimeme...upplierID=10006
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4629 bytes

-- Files created between 2008-02-03 and 2008-03-03 -----------------------------

2008-03-03 11:22:45 290816 --a------ C:\WINDOWS\trictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-03-02 22:23:58 1084 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-02 15:30:53 0 d-------- C:\Program Files\Trend Micro
2008-03-02 13:26:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files\iS3
2008-03-02 13:23:40 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-01 23:03:54 0 dr-h----- C:\$VAULT$.AVG
2008-03-01 22:51:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-01 20:44:38 0 -rahs---- C:\MSDOS.SYS
2008-03-01 20:44:38 0 -rahs---- C:\IO.SYS
2008-03-01 20:34:20 0 --ahs---- C:\Documents and Settings\Nicholle Brown\Application Data\0000000000b925c42dc9f1d8d31f03ae6efe1f514b.dat
2008-02-20 16:44:15 0 d-------- C:\Documents and Settings\Josh\Application Data\Macromedia
2008-02-20 16:44:13 0 d-------- C:\Documents and Settings\Josh\Application Data\Adobe
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Templates
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Start Menu
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\SendTo
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Recent
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\PrintHood
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\NetHood
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\My Documents
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Local Settings
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Favorites
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Desktop
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Cookies
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Application Data
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Symantec
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Application Data\Microsoft
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Identities
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Apple Computer
2008-02-20 16:32:56 696320 --a------ C:\Documents and Settings\Josh\NTUSER.DAT
2008-02-09 21:42:49 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Roxio
2008-02-09 21:24:55 0 d-------- C:\Program Files\Roxio
2008-02-09 21:24:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-09 21:24:43 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-09 12:24:47 6144 --a------ C:\WINDOWS\ons.dll


-- Find3M Report ---------------------------------------------------------------

2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files
2008-03-02 11:04:56 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AVG7
2008-03-01 23:03:55 0 d-------- C:\Program Files\microsoft frontpage
2008-01-04 09:57:52 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Adobe
2008-01-04 09:56:08 0 d-------- C:\Program Files\Yahoo!
2008-01-04 08:04:30 0 d-------- C:\Program Files\MSXML 4.0
2008-01-03 20:38:58 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Viewpoint
2008-01-03 20:34:45 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\QQ Games Plugin
2008-01-03 20:34:34 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\acccore
2008-01-03 20:33:04 0 d-------- C:\Program Files\AIM6
2008-01-03 20:24:47 0 d-------- C:\Program Files\Viewpoint
2008-01-03 20:23:26 0 d-------- C:\Program Files\Common Files\AOL
2008-01-03 20:10:23 0 d-------- C:\Program Files\support.com
2008-01-03 15:13:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 15:13:04 0 d-------- C:\Program Files\Symantec
2008-01-03 14:59:34 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-03 14:50:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-03 14:50:03 0 d-------- C:\Program Files\HPQ
2008-01-03 14:33:14 0 d-------- C:\Program Files\Easy Internet signup
2008-01-03 14:30:48 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AOL
2008-01-03 14:30:01 0 d-------- C:\Program Files\Common Files\aolshare
2008-01-03 14:29:59 0 d-------- C:\Program Files\America Online 9.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/11/2005 12:00 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 07:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/02/2005 07:11 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 03:24 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 04:01 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/2005 09:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [12/18/2007 02:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154484575\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

-- End of Deckard's System Scanner: finished at 2008-03-03 20:21:35 ------------
#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\ons.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\ons.dll

  • Click Open.
  • Click Post.
Thank you!



1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\ons.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a new DSS log by using Add/Reply
#11
Beautyliciouz
    Member
  • Topic Starter
  • Member
  • 51 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\ons.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Deckard's System Scanner v20071014.68
Run by Nicholle Brown on 2008-03-03 21:18:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Nicholle Brown.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:20 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nicholle Brown\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NICHOL~1.EXE
C:\Program Files\AIM6\aolsoftware.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sublimeme...upplierID=10006
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4684 bytes

-- Files created between 2008-02-03 and 2008-03-03 -----------------------------

2008-03-03 11:22:45 290816 --a------ C:\WINDOWS\trictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-03-02 22:23:58 1084 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-02 15:30:53 0 d-------- C:\Program Files\Trend Micro
2008-03-02 13:26:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files\iS3
2008-03-02 13:23:40 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-03-01 23:03:54 0 dr-h----- C:\$VAULT$.AVG
2008-03-01 22:51:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-01 20:44:38 0 -rahs---- C:\MSDOS.SYS
2008-03-01 20:44:38 0 -rahs---- C:\IO.SYS
2008-03-01 20:34:20 0 --ahs---- C:\Documents and Settings\Nicholle Brown\Application Data\0000000000b925c42dc9f1d8d31f03ae6efe1f514b.dat
2008-02-20 16:44:15 0 d-------- C:\Documents and Settings\Josh\Application Data\Macromedia
2008-02-20 16:44:13 0 d-------- C:\Documents and Settings\Josh\Application Data\Adobe
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Templates
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Start Menu
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\SendTo
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Recent
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\PrintHood
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\NetHood
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\My Documents
2008-02-20 16:32:57 0 d--h----- C:\Documents and Settings\Josh\Local Settings
2008-02-20 16:32:57 0 dr------- C:\Documents and Settings\Josh\Favorites
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Desktop
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Cookies
2008-02-20 16:32:57 0 dr-h----- C:\Documents and Settings\Josh\Application Data
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Symantec
2008-02-20 16:32:57 0 d---s---- C:\Documents and Settings\Josh\Application Data\Microsoft
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Identities
2008-02-20 16:32:57 0 d-------- C:\Documents and Settings\Josh\Application Data\Apple Computer
2008-02-20 16:32:56 696320 --a------ C:\Documents and Settings\Josh\NTUSER.DAT
2008-02-09 21:42:49 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Roxio
2008-02-09 21:24:55 0 d-------- C:\Program Files\Roxio
2008-02-09 21:24:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-02-09 21:24:43 0 d-------- C:\Program Files\Common Files\Roxio Shared


-- Find3M Report ---------------------------------------------------------------

2008-03-02 13:23:58 0 d-------- C:\Program Files\Common Files
2008-03-02 11:04:56 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AVG7
2008-03-01 23:03:55 0 d-------- C:\Program Files\microsoft frontpage
2008-01-04 09:57:52 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Adobe
2008-01-04 09:56:08 0 d-------- C:\Program Files\Yahoo!
2008-01-04 08:04:30 0 d-------- C:\Program Files\MSXML 4.0
2008-01-03 20:38:58 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\Viewpoint
2008-01-03 20:34:45 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\QQ Games Plugin
2008-01-03 20:34:34 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\acccore
2008-01-03 20:33:04 0 d-------- C:\Program Files\AIM6
2008-01-03 20:24:47 0 d-------- C:\Program Files\Viewpoint
2008-01-03 20:23:26 0 d-------- C:\Program Files\Common Files\AOL
2008-01-03 20:10:23 0 d-------- C:\Program Files\support.com
2008-01-03 15:13:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 15:13:04 0 d-------- C:\Program Files\Symantec
2008-01-03 14:59:34 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-03 14:50:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-03 14:50:03 0 d-------- C:\Program Files\HPQ
2008-01-03 14:33:14 0 d-------- C:\Program Files\Easy Internet signup
2008-01-03 14:30:48 0 d-------- C:\Documents and Settings\Nicholle Brown\Application Data\AOL
2008-01-03 14:30:01 0 d-------- C:\Program Files\Common Files\aolshare
2008-01-03 14:29:59 0 d-------- C:\Program Files\America Online 9.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/11/2005 12:00 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 07:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02/02/2005 07:11 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 03:24 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/17/2005 04:01 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/06/2005 09:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [12/18/2007 02:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154484575\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-03-03 21:20:18 ------------
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Delete any tools that we used


You now need to update your Java and remove your older versions.

Please follow these steps to remove older-version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here.



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.



You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-SPYAD here.

* SpywareGuard offers real-time protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected and click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place', here.

Thank you for your patience, and performing all of the procedures requested.
  • 0
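The HOSTS-file mechanism described in the post above (pinning known-bad hostnames to 127.0.0.1 so the machine never reaches them), as an added example that is not part of the original thread or of the MVPS project: a small Python parser for the hosts format, a lookup that mimics the hosts-file step of name resolution, and an audit that separates loopback block entries from entries that point a name at some other address (a redirect rather than a block, and the kind of entry worth reviewing). The sample file contents and hostnames are constructed for illustration.

```python
"""Parse a Windows-style HOSTS file and show how block entries work.

Added example; not code from the Geeks to Go thread or from the MVPS
project. The sample file contents below are constructed for illustration.
"""
import ipaddress

# Constructed sample resembling a blocking hosts file: three "bad" hosts are
# pinned to 127.0.0.1, one line carries an inline comment, one line lists two
# hostnames, and one entry maps a hostname to a non-loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1  ads.example.invalid  # constructed block entry
127.0.0.1  tracker.example.invalid  banner.example.invalid
198.51.100.7  update.example.invalid   # constructed: NOT a loopback redirect
"""

# Targets that make an entry a "block" rather than a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every valid entry in a hosts file.

    Blank lines and '#' comments (whole-line or trailing) are ignored.
    A line is 'IP whitespace hostname [hostname ...]'; hostnames are
    lower-cased because hosts lookups are case-insensitive. Malformed lines
    (bad IP, no hostname) are skipped rather than raising, because a hosts
    file with one broken line still works for the others.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an IP address: skip the line
        for host in parts[1:]:
            # The first entry for a name wins; later duplicates are ignored.
            mapping.setdefault(host.lower(), ip)
    return mapping


def resolve(mapping, hostname):
    """Simulate the hosts-file step of name resolution: the mapped address
    if the name is listed, else None (meaning 'fall through to DNS')."""
    return mapping.get(hostname.lower().rstrip("."))


def audit(mapping):
    """Split entries into block entries (loopback targets) and redirects to a
    real address. The localhost entry itself is excluded from both groups."""
    blocked, redirected = [], []
    for host, ip in mapping.items():
        if host == "localhost":
            continue
        (blocked if ip in LOOPBACK else redirected).append((host, ip))
    return sorted(blocked), sorted(redirected)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.invalid ->", resolve(hosts, "ads.example.invalid"))
    print("unlisted.example ->", resolve(hosts, "unlisted.example"))
    blocked, redirected = audit(hosts)
    print("blocked (loopback):", blocked)
    print("redirected elsewhere (review these):", redirected)
```

Running the block against the constructed sample shows the two behaviours side by side: a listed ad host resolves to 127.0.0.1 and never leaves the machine, an unlisted name falls through to normal DNS, and the audit singles out the one entry whose target is not loopback. On a real system the same functions can be pointed at `%SystemRoot%\System32\drivers\etc\hosts` by reading that file into `text`.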

#13
Beautyliciouz

Beautyliciouz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Thank you so much for taking the time to help me and supply me with this great information so that hopefully this doesn't happen again. Thanks!
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
