
Antispywareupdates.net victim [RESOLVED]


  • This topic is locked

#16
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No worries

Do this

Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up, select Beginner Mode.
  • On the next page select Save a binary .Run file (Recommended), then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right-clicking and selecting Send to Zip file.

Then upload that as an attachment in your next post.
  • 0



#17
1bigray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Whenever I try to do anything other than fast reply I get an error and it shuts the webpage. So it won't let me add it onto the post.

Edit: I can do it from work, so it's going to have to wait until Monday.


I do appreciate your help.

Edited by 1bigray, 07 March 2008 - 10:26 AM.

  • 0

#18
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you upload the zip file to a site like

www.mediafire.com

You should be able to do that OK with fast reply.
  • 0

#19
1bigray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Here it is:

http://www.mediafire.com/?ddozib5wac0
  • 0

#20
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download the zipped attachment at the end of this post (this will be your runscanner as fixed by me).

  • Unzip it to your desktop, then double-click the runscanner icon; this will run the program.
  • Click on the "Item Fixer" tab.
  • You will notice several entries with a tick in red; click Fix checked.
  • Accept the warning, then repeat until they are all gone.

Then reboot your PC, post a new DSS log and tell me how your PC is running.
  • 0

#21
1bigray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Deckard's System Scanner v20071014.68
Run by Amy on 2008-03-07 20:52:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 383 MiB (512 MiB recommended).
System Drive C: has 4.03 GiB (less than 15%) free.


-- HijackThis (run as Amy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:17 PM, on 3/7/08
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRAM FILES\QuickTime\qttask.exe
C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Amy\Desktop\dss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Amy\Desktop\Amy.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\PROGRAM FILES\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185340200695
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185332238829
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.lln...eck_1_0_0_4.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://copecam.ourli...yerWeb11gv2.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\PROGRAM FILES\COMMON FILES\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe

--
End of file - 5651 bytes

-- Files created between 2008-02-07 and 2008-03-07 -----------------------------

2008-03-06 20:06:59 0 d-------- C:\Documents and Settings\Amy\Application Data\Runscanner.net
2008-03-04 21:09:41 0 d-------- C:\Documents and Settings\Amy\Application Data\Malwarebytes
2008-03-04 21:09:18 0 d-------- C:\PROGRAM FILES\Malwarebytes' Anti-Malware
2008-03-04 21:09:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-03 17:47:06 2904 --a------ C:\WINDOWS\System32\tmp.reg
2008-03-03 17:08:14 0 d--hs---- C:\FOUND.001
2008-03-02 13:35:59 0 d-------- C:\PROGRAM FILES\Enigma Software Group
2008-03-02 08:48:35 0 dr-h----- C:\$VAULT$.AVG
2008-03-02 08:36:19 138752 --a------ C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2008-03-02 08:36:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 08:36:10 0 d-------- C:\Documents and Settings\Amy\Application Data\Spyware Terminator
2008-03-02 08:35:54 0 d-------- C:\PROGRAM FILES\Spyware Terminator
2008-03-02 07:25:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-21 16:38:40 0 d-------- C:\3e0d865f827caed8f177caeebe849b
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-21 16:36:26 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-21 16:36:25 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-21 15:06:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-21 14:39:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-21 14:04:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-19 21:38:29 0 d-------- C:\WINDOWS\Prefetch
2008-02-16 17:35:10 0 d-------- C:\WINDOWS\RegCure
2008-02-16 10:00:15 0 d-------- C:\dea74a5bd43d8bd7209bf289790991
2008-02-14 19:23:01 0 d-------- C:\Documents and Settings\Amy\Application Data\{AC84089A-4614-4D65-9C7F-C70274C17586}
2008-02-14 19:21:32 0 d-------- C:\PROGRAM FILES\XP Repair Pro 2007
2008-02-11 17:51:40 0 d-------- C:\PROGRAM FILES\Warez
2008-02-10 20:45:55 0 d-------- C:\050bc7405e3389cf38ed8bb96b26
2008-02-10 20:11:48 0 d-------- C:\2205df5f95f866c0a81246
2008-02-09 20:08:40 200704 --a------ C:\WINDOWS\System32\muzwmts.dll <Not Verified; © MusicCity; P3WMTSplitter Filter>
2008-02-09 20:08:40 167936 --a------ C:\WINDOWS\System32\muzapp.exe <Not Verified; Musiccity Co.Ltd.; MUZAoDApp Module>
2008-02-09 20:08:39 237568 --a------ C:\WINDOWS\System32\OggDS.dll <Not Verified; ; Ogg DirectShow™ Filter Collection>
2008-02-09 20:08:39 45056 --a------ C:\WINDOWS\System32\Ogg.dll
2008-02-09 20:08:39 471040 --a------ C:\WINDOWS\System32\muzapp.dll <Not Verified; Musiccity Co.Ltd.; MUZAoDAppCtrl Module>
2008-02-09 20:08:39 135168 --a------ C:\WINDOWS\System32\muzaf1.dll <Not Verified; Musiccity Co.Ltd.; muzaf1>
2008-02-09 20:08:15 921600 --a------ C:\WINDOWS\System32\vorbisenc.dll
2008-02-09 20:08:15 188416 --a------ C:\WINDOWS\System32\vorbis.dll
2008-02-09 20:08:15 110592 --a------ C:\WINDOWS\System32\tg_dump.dll <Not Verified; ENJsoft Corporation; SelfMusicVideo Filter>
2008-02-09 20:08:05 82432 --a------ C:\WINDOWS\System32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-02-09 20:08:05 44544 --a------ C:\WINDOWS\System32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-02-09 20:08:05 1233920 --a------ C:\WINDOWS\System32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP 2>
2008-02-09 20:07:56 0 d-------- C:\PROGRAM FILES\MarkAny
2008-02-09 20:07:55 0 d-------- C:\PROGRAM FILES\Samsung
2008-02-09 19:51:13 1689600 --a------ C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-09 19:51:12 1769472 --a------ C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-03-07 20:50:56 4830968 --ah----- C:\Documents and Settings\Amy\Application Data\IconCache.db
2008-03-01 20:23:32 8704 --a------ C:\Documents and Settings\Amy\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-02-20 07:06:00 16 --a------ C:\WINDOWS\popcinfo.dat
2008-02-19 21:16:40 22780 --a------ C:\WINDOWS\System32\emptyregdb.dat
2008-02-17 10:03:26 39008 --a------ C:\Documents and Settings\Amy\Application Data\GDIPFONTCACHEV1.DAT
2008-02-15 18:20:12 4 --a------ C:\WINDOWS\System32\D9B749
2008-02-01 08:40:32 110592 --a------ C:\WINDOWS\System32\TG_DUMP0708.DLL <Not Verified; ENJsoft Corporation; SelfMusicVideo>
2008-02-01 08:40:32 40960 --a------ C:\WINDOWS\System32\MAMACExtract.dll <Not Verified; ???????; ??????? MAMACExtract>
2008-01-26 05:36:10 0 d-------- C:\PROGRAM FILES\MyFree Codec
2008-01-26 05:33:16 0 d-------- C:\PROGRAM FILES\COMMON FILES\Real
2008-01-26 05:32:58 0 d-------- C:\Documents and Settings\Amy\Application Data\DataCast
2008-01-26 05:29:18 0 d-------- C:\PROGRAM FILES\Best Buy Rhapsody
2008-01-26 05:28:58 0 d-------- C:\Documents and Settings\Amy\Application Data\Real
2008-01-20 22:38:20 0 d-------- C:\Documents and Settings\Amy\Application Data\WinRAR
2008-01-20 22:21:56 0 d-------- C:\PROGRAM FILES\uTorrent
2008-01-20 22:21:52 0 d-------- C:\Documents and Settings\Amy\Application Data\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\PROGRAM FILES\QuickTime\qttask.exe" [04/27/07 09:41 AM]
"Adobe Reader Speed Launcher"="C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/07 07:51 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/23/01 04:00 AM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/23/01 04:00 AM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [09/20/07 05:21 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/21/08 03:06 PM]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [03/02/08 08:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/23/01 12:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/04 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-03-07 20:56:21 ------------


Still can't do the fixreg trick, and Task Manager is still disabled. Other than that it's running OK.
  • 0

#22
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Is this a work PC?

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


Reboot and post a new DSS log.
  • 0
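The two things the helper is working through in posts #21 and #22 are both visible in the posted logs: the O6 lines (Internet Explorer policy restrictions present in the user's hive) and the "DisableTaskMgr"=1 value in the registry dump, which is why Task Manager still would not open. As an added example (not a tool from this thread, from HijackThis or from DSS), here is a small Python audit that reads a log in that format and reports exactly those lockdown indicators; the function names are my own, and the log excerpt inside it is constructed from lines in the thread's format.

```python
"""Audit a HijackThis / Deckard's System Scanner (DSS) log for policy lockdowns.

Added example for this thread; it is not a tool from the thread, from HijackThis
or from DSS. It flags the O6 Internet Explorer restriction entries the helper
asked to fix and a nonzero DisableTaskMgr / DisableRegistryTools value under the
Policies\\System keys in the registry dump.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# Matches "Name"=value (0x1), @="Service" and "Name"= some text [date size]
REG_VALUE_RE = re.compile(r'^"?([^"=]+)"?=(.*?)\s*(?:\(0x[0-9A-Fa-f]+\))?\s*$')
# HijackThis O6 line: an IE policy key exists in the user's hive.
O6_RE = re.compile(
    r"^O6 - (HK\w+\\Software\\Policies\\Microsoft\\Internet Explorer\\.+?) present\s*$",
    re.IGNORECASE,
)

# Real policy value names under ...\Policies\System; a nonzero value locks the tool out.
LOCKDOWN_VALUES = {
    "disabletaskmgr": "Task Manager is disabled by policy",
    "disableregistrytools": "Registry Editor is disabled by policy",
}
POLICY_SYSTEM_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system"


@dataclass(frozen=True)
class Finding:
    source: str    # "hijackthis" or "registry"
    location: str  # the O6 key path, or the registry key the value lives in
    detail: str


def parse_registry_dump(text):
    """Return {key (lower-case): {value name (lower-case): raw value}} parsed from
    the '-- Registry Dump' section, or from the whole text if that header is absent."""
    start = text.find("-- Registry Dump")
    dump = text[start:] if start >= 0 else text
    sections, current = {}, None
    for line in dump.splitlines():
        key = REG_KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or not line.strip():
            continue
        value = REG_VALUE_RE.match(line)
        if value:
            sections[current][value.group(1).lower()] = value.group(2).strip().strip('"')
    return sections


def _is_nonzero(raw):
    try:
        return int(raw, 0) != 0   # base 0 accepts "1", "0x1" and "0"
    except ValueError:
        return False              # string data such as Service is never a flag


def audit_lockdown_policies(text):
    """Collect the lockdown indicators a helper wants to see at a glance."""
    findings = []
    for line in text.splitlines():
        m = O6_RE.match(line.strip())
        if m:
            findings.append(Finding("hijackthis", m.group(1),
                                    "Internet Explorer restriction policy present"))
    for key, values in parse_registry_dump(text).items():
        if not key.endswith(POLICY_SYSTEM_SUFFIX):
            continue
        for name, raw in values.items():
            if name in LOCKDOWN_VALUES and _is_nonzero(raw):
                findings.append(Finding("registry", key, LOCKDOWN_VALUES[name]))
    return findings


if __name__ == "__main__":
    for f in audit_lockdown_policies(SAMPLE_LOG):
        print(f"[{f.source}] {f.detail}: {f.location}")
```

Run against the constructed excerpt it reports the two O6 entries and the DisableTaskMgr value, and stays silent on the zero-valued disableregistrytools and NoActiveDesktop entries.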

#23
1bigray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
No, it's a home PC, just about 8 years old.



Deckard's System Scanner v20071014.68
Run by Amy on 2008-03-08 08:27:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 383 MiB (512 MiB recommended).
System Drive C: has 4.03 GiB (less than 15%) free.


-- HijackThis (run as Amy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:41 AM, on 3/8/08
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRAM FILES\QuickTime\qttask.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Amy\Desktop\dss.exe
C:\DOCUME~1\Amy\Desktop\Amy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\PROGRAM FILES\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185340200695
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185332238829
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.lln...eck_1_0_0_4.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://copecam.ourli...yerWeb11gv2.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\PROGRAM FILES\COMMON FILES\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe

--
End of file - 5394 bytes

-- Files created between 2008-02-08 and 2008-03-08 -----------------------------

2008-03-06 20:06:59 0 d-------- C:\Documents and Settings\Amy\Application Data\Runscanner.net
2008-03-04 21:09:41 0 d-------- C:\Documents and Settings\Amy\Application Data\Malwarebytes
2008-03-04 21:09:18 0 d-------- C:\PROGRAM FILES\Malwarebytes' Anti-Malware
2008-03-04 21:09:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-03 17:47:06 2904 --a------ C:\WINDOWS\System32\tmp.reg
2008-03-03 17:08:14 0 d--hs---- C:\FOUND.001
2008-03-02 13:35:59 0 d-------- C:\PROGRAM FILES\Enigma Software Group
2008-03-02 08:48:35 0 dr-h----- C:\$VAULT$.AVG
2008-03-02 08:36:19 138752 --a------ C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2008-03-02 08:36:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 08:36:10 0 d-------- C:\Documents and Settings\Amy\Application Data\Spyware Terminator
2008-03-02 08:35:54 0 d-------- C:\PROGRAM FILES\Spyware Terminator
2008-03-02 07:25:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-21 16:38:40 0 d-------- C:\3e0d865f827caed8f177caeebe849b
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-21 16:36:26 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-21 16:36:25 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-21 15:06:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-21 14:39:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-21 14:04:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-19 21:38:29 0 d-------- C:\WINDOWS\Prefetch
2008-02-16 17:35:10 0 d-------- C:\WINDOWS\RegCure
2008-02-16 10:00:15 0 d-------- C:\dea74a5bd43d8bd7209bf289790991
2008-02-14 19:23:01 0 d-------- C:\Documents and Settings\Amy\Application Data\{AC84089A-4614-4D65-9C7F-C70274C17586}
2008-02-14 19:21:32 0 d-------- C:\PROGRAM FILES\XP Repair Pro 2007
2008-02-11 17:51:40 0 d-------- C:\PROGRAM FILES\Warez
2008-02-10 20:45:55 0 d-------- C:\050bc7405e3389cf38ed8bb96b26
2008-02-10 20:11:48 0 d-------- C:\2205df5f95f866c0a81246
2008-02-09 20:08:40 200704 --a------ C:\WINDOWS\System32\muzwmts.dll <Not Verified; © MusicCity; P3WMTSplitter Filter>
2008-02-09 20:08:40 167936 --a------ C:\WINDOWS\System32\muzapp.exe <Not Verified; Musiccity Co.Ltd.; MUZAoDApp Module>
2008-02-09 20:08:39 237568 --a------ C:\WINDOWS\System32\OggDS.dll <Not Verified; ; Ogg DirectShow™ Filter Collection>
2008-02-09 20:08:39 45056 --a------ C:\WINDOWS\System32\Ogg.dll
2008-02-09 20:08:39 471040 --a------ C:\WINDOWS\System32\muzapp.dll <Not Verified; Musiccity Co.Ltd.; MUZAoDAppCtrl Module>
2008-02-09 20:08:39 135168 --a------ C:\WINDOWS\System32\muzaf1.dll <Not Verified; Musiccity Co.Ltd.; muzaf1>
2008-02-09 20:08:15 921600 --a------ C:\WINDOWS\System32\vorbisenc.dll
2008-02-09 20:08:15 188416 --a------ C:\WINDOWS\System32\vorbis.dll
2008-02-09 20:08:15 110592 --a------ C:\WINDOWS\System32\tg_dump.dll <Not Verified; ENJsoft Corporation; SelfMusicVideo Filter>
2008-02-09 20:08:05 82432 --a------ C:\WINDOWS\System32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-02-09 20:08:05 44544 --a------ C:\WINDOWS\System32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-02-09 20:08:05 1233920 --a------ C:\WINDOWS\System32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP 2>
2008-02-09 20:07:56 0 d-------- C:\PROGRAM FILES\MarkAny
2008-02-09 20:07:55 0 d-------- C:\PROGRAM FILES\Samsung
2008-02-09 19:51:13 1689600 --a------ C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-09 19:51:12 1769472 --a------ C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-03-07 21:40:00 4830968 --ah----- C:\Documents and Settings\Amy\Application Data\IconCache.db
2008-03-01 20:23:32 8704 --a------ C:\Documents and Settings\Amy\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-02-20 07:06:00 16 --a------ C:\WINDOWS\popcinfo.dat
2008-02-19 21:16:40 22780 --a------ C:\WINDOWS\System32\emptyregdb.dat
2008-02-17 10:03:26 39008 --a------ C:\Documents and Settings\Amy\Application Data\GDIPFONTCACHEV1.DAT
2008-02-15 18:20:12 4 --a------ C:\WINDOWS\System32\D9B749
2008-02-01 08:40:32 110592 --a------ C:\WINDOWS\System32\TG_DUMP0708.DLL <Not Verified; ENJsoft Corporation; SelfMusicVideo>
2008-02-01 08:40:32 40960 --a------ C:\WINDOWS\System32\MAMACExtract.dll <Not Verified; ???????; ??????? MAMACExtract>
2008-01-26 05:36:10 0 d-------- C:\PROGRAM FILES\MyFree Codec
2008-01-26 05:33:16 0 d-------- C:\PROGRAM FILES\COMMON FILES\Real
2008-01-26 05:32:58 0 d-------- C:\Documents and Settings\Amy\Application Data\DataCast
2008-01-26 05:29:18 0 d-------- C:\PROGRAM FILES\Best Buy Rhapsody
2008-01-26 05:28:58 0 d-------- C:\Documents and Settings\Amy\Application Data\Real
2008-01-20 22:38:20 0 d-------- C:\Documents and Settings\Amy\Application Data\WinRAR
2008-01-20 22:21:56 0 d-------- C:\PROGRAM FILES\uTorrent
2008-01-20 22:21:52 0 d-------- C:\Documents and Settings\Amy\Application Data\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\PROGRAM FILES\QuickTime\qttask.exe" [04/27/07 09:41 AM]
"Adobe Reader Speed Launcher"="C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/07 07:51 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/23/01 04:00 AM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/23/01 04:00 AM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [09/20/07 05:21 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/21/08 03:06 PM]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [03/02/08 08:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/23/01 12:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/04 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-03-08 08:28:51 ------------
#24
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Check the box beside Scan All User Accounts at the top
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.
#25
1bigray
    Member
  • Topic Starter
  • Member
  • 18 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 9:41:31 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/03/2008
Kaspersky Anti-Virus database records: 620850
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
M:\
N:\

Scan Statistics:
Total number of scanned objects: 67786
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 02:54:16

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\1160681513.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BHO.ba skipped
C:\WINDOWS\SYSTEM32\1160681513.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.VB.y skipped
C:\WINDOWS\SYSTEM32\1160681513.exe/stream Infected: not-a-virus:AdWare.Win32.VB.y skipped
C:\WINDOWS\SYSTEM32\1160681513.exe NSIS: infected - 3 skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\Amy\Local Settings\Temp\~DF9216.tmp Object is locked skipped
C:\Documents and Settings\Amy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amy\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Amy\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Amy\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Amy\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Amy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Amy\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Amy\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Amy\Application Data\Microsoft\Windows Live Mail desktop\[email protected]\Hotmail\Deleted Items\041132FB-00000017.eml/[From [email protected]][Date Thu, 02 Nov 2006 06:26:40 +0600]/CLICK_HERE_FOR_BEST_BUY_ONLINE_MED_SITE.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Amy\Application Data\Microsoft\Windows Live Mail desktop\[email protected]\Hotmail\Deleted Items\041132FB-00000017.eml Mail: infected - 1 skipped
C:\Documents and Settings\Amy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Amy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{2B3C680F-1FAC-4F1A-B36B-66D8C3C2AFC0}\RP35\change.log Object is locked skipped

Scan process completed.





Whenever I try to do anything other than fast reply my explorer shuts down; here is the link to the attachment.

http://www.mediafire.com/?5rz0quoptca
#26
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> UserFaultCheck ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{43CDDD56-4323-4B8B-8AA8-229411D7BD14} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [AmeriRes Toolbar]
YN -> WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {c95fe080-8f5d-11d2-a20b-00aa003c157a}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [@shdoclc.dll,-866]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [@shdoclc.dll,-866]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &eBay Search -> Reg Error: Value does not exist or could not be read.
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
[Files/Folders - Created Within 90 days]
YY -> FOUND.001 -> %SystemDrive%\FOUND.001
NY -> 1 C:\*.tmp files -> C:\*.tmp
YY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
YY -> ?ymbols -> %CommonProgramFiles%\ѕymbols
YY -> F?nts -> %CommonProgramFiles%\Fοnts
[Files/Folders - Modified Within 90 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> FOUND.001 -> %SystemDrive%\FOUND.001
NY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
YY -> ?ymbols -> %CommonProgramFiles%\ѕymbols
YY -> F?nts -> %CommonProgramFiles%\Fοnts
[File - Purity Scan: Additional Folder Scans - Non-Microsoft Only]
YY -> C:\PROGRAM FILES\COMMON FILES\F?nts\ -> C:\PROGRAM FILES\COMMON FILES\Fοnts
YY -> C:\PROGRAM FILES\COMMON FILES\?ymbols\ -> C:\PROGRAM FILES\COMMON FILES\ѕymbols
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.



Please run the OTMoveIt2 by OldTimer again.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\1160681513.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log.
#27
1bigray
    Member
  • Topic Starter
  • Member
  • 18 posts
Move it

C:\WINDOWS\SYSTEM32\1160681513.exe moved successfully.
[Custom Input]
< purity >

OTMoveIt2 v1.0.20 log created on 03102008_171045

--------------------------

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
File not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit deleted successfully.
File not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{43CDDD56-4323-4B8B-8AA8-229411D7BD14} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43CDDD56-4323-4B8B-8AA8-229411D7BD14}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&eBay Search\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
[Files/Folders - Created Within 90 days]
C:\FOUND.001 folder moved successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\PROGRAM FILES\COMMON FILES\ѕymbols folder moved successfully.
C:\PROGRAM FILES\COMMON FILES\Fοnts folder moved successfully.
[Files/Folders - Modified Within 90 days]
File C:\FOUND.001 not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\PROGRAM FILES\COMMON FILES\ѕymbols not found!
File C:\PROGRAM FILES\COMMON FILES\Fοnts not found!
[File - Purity Scan: Additional Folder Scans - Non-Microsoft Only]
File C:\PROGRAM FILES\COMMON FILES\Fοnts not found!
File C:\PROGRAM FILES\COMMON FILES\ѕymbols not found!
[Extra Files]
< Purity >
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Amy\Local Settings\Temp\~DFC252.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
WinPFind35U Version 1.0.4.1 fix logfile created on 03102008_170258


-------------------

Deckard's System Scanner v20071014.68
Run by Amy on 2008-03-10 17:14:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 383 MiB (512 MiB recommended).
System Drive C: has 3.21 GiB (less than 15%) free.


-- HijackThis (run as Amy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:39 PM, on 3/10/08
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\QuickTime\qttask.exe
C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Amy\Desktop\dss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Amy\Desktop\Amy.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\PROGRAM FILES\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185340200695
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185332238829
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.lln...eck_1_0_0_4.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://copecam.ourli...yerWeb11gv2.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\PROGRAM FILES\COMMON FILES\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe

--
End of file - 5463 bytes

-- Files created between 2008-02-10 and 2008-03-10 -----------------------------

2008-03-09 18:29:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 18:29:08 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-03-06 20:06:59 0 d-------- C:\Documents and Settings\Amy\Application Data\Runscanner.net
2008-03-04 21:09:41 0 d-------- C:\Documents and Settings\Amy\Application Data\Malwarebytes
2008-03-04 21:09:18 0 d-------- C:\PROGRAM FILES\Malwarebytes' Anti-Malware
2008-03-04 21:09:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-03 17:47:06 2904 --a------ C:\WINDOWS\System32\tmp.reg
2008-03-02 13:35:59 0 d-------- C:\PROGRAM FILES\Enigma Software Group
2008-03-02 08:48:35 0 dr-h----- C:\$VAULT$.AVG
2008-03-02 08:36:19 138752 --a------ C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2008-03-02 08:36:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 08:36:10 0 d-------- C:\Documents and Settings\Amy\Application Data\Spyware Terminator
2008-03-02 08:35:54 0 d-------- C:\PROGRAM FILES\Spyware Terminator
2008-03-02 07:25:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-21 16:38:40 0 d-------- C:\3e0d865f827caed8f177caeebe849b
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-21 16:36:26 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-21 16:36:25 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-21 15:06:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-21 14:39:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-21 14:04:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-19 21:38:29 0 d-------- C:\WINDOWS\Prefetch
2008-02-16 17:35:10 0 d-------- C:\WINDOWS\RegCure
2008-02-16 10:00:15 0 d-------- C:\dea74a5bd43d8bd7209bf289790991
2008-02-14 19:23:01 0 d-------- C:\Documents and Settings\Amy\Application Data\{AC84089A-4614-4D65-9C7F-C70274C17586}
2008-02-14 19:21:32 0 d-------- C:\PROGRAM FILES\XP Repair Pro 2007
2008-02-11 17:51:40 0 d-------- C:\PROGRAM FILES\Warez
2008-02-10 20:45:55 0 d-------- C:\050bc7405e3389cf38ed8bb96b26
2008-02-10 20:11:48 0 d-------- C:\2205df5f95f866c0a81246


-- Find3M Report ---------------------------------------------------------------

2008-03-07 21:40:00 4830968 --ah----- C:\Documents and Settings\Amy\Application Data\IconCache.db
2008-03-01 20:23:32 8704 --a------ C:\Documents and Settings\Amy\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-02-20 07:06:00 16 --a------ C:\WINDOWS\popcinfo.dat
2008-02-19 21:16:40 22780 --a------ C:\WINDOWS\System32\emptyregdb.dat
2008-02-17 10:03:26 39008 --a------ C:\Documents and Settings\Amy\Application Data\GDIPFONTCACHEV1.DAT
2008-02-15 18:20:12 4 --a------ C:\WINDOWS\System32\D9B749
2008-02-09 20:07:58 0 d-------- C:\PROGRAM FILES\MarkAny
2008-02-09 20:07:56 0 d-------- C:\PROGRAM FILES\Samsung
2008-02-01 08:40:32 110592 --a------ C:\WINDOWS\System32\TG_DUMP0708.DLL <Not Verified; ENJsoft Corporation; SelfMusicVideo>
2008-02-01 08:40:32 40960 --a------ C:\WINDOWS\System32\MAMACExtract.dll <Not Verified; ???????; ??????? MAMACExtract>
2008-01-26 05:36:10 0 d-------- C:\PROGRAM FILES\MyFree Codec
2008-01-26 05:33:16 0 d-------- C:\PROGRAM FILES\COMMON FILES\Real
2008-01-26 05:32:58 0 d-------- C:\Documents and Settings\Amy\Application Data\DataCast
2008-01-26 05:29:18 0 d-------- C:\PROGRAM FILES\Best Buy Rhapsody
2008-01-26 05:28:58 0 d-------- C:\Documents and Settings\Amy\Application Data\Real
2008-01-20 22:38:20 0 d-------- C:\Documents and Settings\Amy\Application Data\WinRAR
2008-01-20 22:21:56 0 d-------- C:\PROGRAM FILES\uTorrent
2008-01-20 22:21:52 0 d-------- C:\Documents and Settings\Amy\Application Data\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\PROGRAM FILES\QuickTime\qttask.exe" [04/27/07 09:41 AM]
"Adobe Reader Speed Launcher"="C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/07 07:51 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/23/01 04:00 AM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/23/01 04:00 AM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [09/20/07 05:21 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/21/08 03:06 PM]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [03/02/08 08:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/23/01 12:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/04 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-03-10 17:16:41 ------------

Edited by 1bigray, 10 March 2008 - 06:17 PM.

  • 0

#28
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please run the OTMoveIt2 by OldTimer again.
  • Please double-click OTMoveIt2.exe to run it.

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
  • 0

#29
1bigray

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
[Custom Input]
< purity >
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.

OTMoveIt2 v1.0.20 log created on 03112008_060801
-----------------------------------------------

Deckard's System Scanner v20071014.68
Run by Amy on 2008-03-11 06:11:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 383 MiB (512 MiB recommended).
System Drive C: has 3.21 GiB (less than 15%) free.


-- HijackThis (run as Amy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:20 AM, on 3/11/08
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRAM FILES\QuickTime\qttask.exe
C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Amy\Desktop\Fixes\dss.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Amy\Desktop\Fixes\Amy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\PROGRAM FILES\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185340200695
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185332238829
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.lln...eck_1_0_0_4.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://copecam.ourli...yerWeb11gv2.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\PROGRAM FILES\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\PROGRAM FILES\COMMON FILES\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRAM FILES\Spyware Terminator\sp_rsser.exe

--
End of file - 5585 bytes

-- Files created between 2008-02-11 and 2008-03-11 -----------------------------

2008-03-09 18:29:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 18:29:08 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-03-06 20:06:59 0 d-------- C:\Documents and Settings\Amy\Application Data\Runscanner.net
2008-03-04 21:09:41 0 d-------- C:\Documents and Settings\Amy\Application Data\Malwarebytes
2008-03-04 21:09:18 0 d-------- C:\PROGRAM FILES\Malwarebytes' Anti-Malware
2008-03-04 21:09:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-03 17:47:06 2904 --a------ C:\WINDOWS\System32\tmp.reg
2008-03-02 13:35:59 0 d-------- C:\PROGRAM FILES\Enigma Software Group
2008-03-02 08:48:35 0 dr-h----- C:\$VAULT$.AVG
2008-03-02 08:36:19 138752 --a------ C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2008-03-02 08:36:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 08:36:10 0 d-------- C:\Documents and Settings\Amy\Application Data\Spyware Terminator
2008-03-02 08:35:54 0 d-------- C:\PROGRAM FILES\Spyware Terminator
2008-03-02 07:25:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-21 16:38:40 0 d-------- C:\3e0d865f827caed8f177caeebe849b
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-21 16:36:26 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-21 16:36:26 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-21 16:36:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-02-21 16:36:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-21 16:36:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-21 16:36:25 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-21 15:06:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-21 14:39:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-21 14:04:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-19 21:38:29 0 d-------- C:\WINDOWS\Prefetch
2008-02-16 17:35:10 0 d-------- C:\WINDOWS\RegCure
2008-02-16 10:00:15 0 d-------- C:\dea74a5bd43d8bd7209bf289790991
2008-02-14 19:23:01 0 d-------- C:\Documents and Settings\Amy\Application Data\{AC84089A-4614-4D65-9C7F-C70274C17586}
2008-02-14 19:21:32 0 d-------- C:\PROGRAM FILES\XP Repair Pro 2007
2008-02-11 17:51:40 0 d-------- C:\PROGRAM FILES\Warez


-- Find3M Report ---------------------------------------------------------------

2008-03-07 21:40:00 4830968 --ah----- C:\Documents and Settings\Amy\Application Data\IconCache.db
2008-03-01 20:23:32 8704 --a------ C:\Documents and Settings\Amy\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-02-20 07:06:00 16 --a------ C:\WINDOWS\popcinfo.dat
2008-02-19 21:16:40 22780 --a------ C:\WINDOWS\System32\emptyregdb.dat
2008-02-17 10:03:26 39008 --a------ C:\Documents and Settings\Amy\Application Data\GDIPFONTCACHEV1.DAT
2008-02-15 18:20:12 4 --a------ C:\WINDOWS\System32\D9B749
2008-02-09 20:07:58 0 d-------- C:\PROGRAM FILES\MarkAny
2008-02-09 20:07:56 0 d-------- C:\PROGRAM FILES\Samsung
2008-02-01 08:40:32 110592 --a------ C:\WINDOWS\System32\TG_DUMP0708.DLL <Not Verified; ENJsoft Corporation; SelfMusicVideo>
2008-02-01 08:40:32 40960 --a------ C:\WINDOWS\System32\MAMACExtract.dll <Not Verified; ???????; ??????? MAMACExtract>
2008-01-26 05:36:10 0 d-------- C:\PROGRAM FILES\MyFree Codec
2008-01-26 05:33:16 0 d-------- C:\PROGRAM FILES\COMMON FILES\Real
2008-01-26 05:32:58 0 d-------- C:\Documents and Settings\Amy\Application Data\DataCast
2008-01-26 05:29:18 0 d-------- C:\PROGRAM FILES\Best Buy Rhapsody
2008-01-26 05:28:58 0 d-------- C:\Documents and Settings\Amy\Application Data\Real
2008-01-20 22:38:20 0 d-------- C:\Documents and Settings\Amy\Application Data\WinRAR
2008-01-20 22:21:56 0 d-------- C:\PROGRAM FILES\uTorrent
2008-01-20 22:21:52 0 d-------- C:\Documents and Settings\Amy\Application Data\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\PROGRAM FILES\QuickTime\qttask.exe" [04/27/07 09:41 AM]
"Adobe Reader Speed Launcher"="C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/07 07:51 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/23/01 04:00 AM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/23/01 04:00 AM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/23/01 04:00 AM]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [09/20/07 05:21 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/21/08 03:06 PM]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [03/02/08 08:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/23/01 12:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [11/23/04 04:51 PM 192512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-03-11 06:13:24 ------------

Edited by 1bigray, 11 March 2008 - 07:12 AM.

  • 0
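As an added example (not part of this thread, and not code from Deckard's System Scanner, HijackThis or OTMoveIt2), the Python script below parses the Registry Dump section of logs like the two posted above, flags the lockdown policy values a rogue antispyware sets (DisableTaskMgr and DisableRegistryTools, the values under ...\CurrentVersion\Policies\System), and diffs the Run keys between a before log and an after log so a helper can see what changed. The two sample logs embedded in it are constructed from lines quoted earlier in this thread; feeding in a whole DSS log unchanged also works, since lines that are not `[key]` or `"name"=value` are ignored.

```python
"""Audit Deckard's System Scanner registry dumps for rogue-antispyware lockdown
policies and diff the Run keys between two logs.

Added example for this thread; it is not code from DSS, HijackThis or OTMoveIt2.
The sample logs at the bottom are constructed from lines quoted in the thread.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"=value   or   @=value   (the @ is the key's default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=\s*(?P<raw>.*)$')
DWORD_RE = re.compile(r"^(?P<dec>-?\d+)\s*\((?P<hex>0x[0-9A-Fa-f]+)\)$")
QUOTED_RE = re.compile(r'^"(?P<text>[^"]*)"')

# Policy values under ...\CurrentVersion\Policies\System that stop the victim
# from opening Task Manager or regedit; both names appear in this thread's logs.
LOCKDOWN_VALUES = {"disabletaskmgr", "disableregistrytools"}


def parse_registry_dump(text):
    """Return {key_path_lower: {value_name: value}} for a DSS Registry Dump.

    DWORDs written as '1 (0x1)' become ints; quoted strings lose their quotes
    and the trailing '[date]' DSS appends to Run entries; anything else is kept
    raw. Lines that are not '[key]' or '"name"=value' are ignored, so a whole
    DSS log (HijackThis section included) can be fed in unchanged.
    """
    dump, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            dump.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group("default") else m.group("name")
        raw = m.group("raw").strip()
        dword, quoted = DWORD_RE.match(raw), QUOTED_RE.match(raw)
        if dword:
            value = int(dword.group("dec"))
        elif quoted:
            value = quoted.group("text")
        else:
            value = raw
        dump[key][name] = value
    return dump


def lockdown_findings(dump):
    """(key, name, value) for every lockdown policy that is set to non-zero."""
    found = []
    for key, values in dump.items():
        if not key.endswith("\\policies\\system"):
            continue
        for name, value in values.items():
            if name.lower() in LOCKDOWN_VALUES and value not in (0, "0"):
                found.append((key, name, value))
    return sorted(found, key=lambda f: (f[0], f[1]))


def run_entries(dump):
    """{(key, name): command} for every value under a ...\\CurrentVersion\\Run key."""
    return {(key, name): cmd
            for key, values in dump.items() if key.endswith("\\currentversion\\run")
            for name, cmd in values.items()}


def diff_logs(before_text, after_text):
    """Which lockdown values went away, which remain, and which Run entries
    were added/changed or removed between a before log and an after log."""
    before, after = parse_registry_dump(before_text), parse_registry_dump(after_text)
    lock_before, lock_after = set(lockdown_findings(before)), set(lockdown_findings(after))
    run_before, run_after = run_entries(before), run_entries(after)
    return {
        "lockdown_removed": sorted(lock_before - lock_after, key=lambda f: f[:2]),
        "lockdown_remaining": sorted(lock_after, key=lambda f: f[:2]),
        "run_added": sorted(k for k in run_after if run_before.get(k) != run_after[k]),
        "run_removed": sorted(k for k in run_before if k not in run_after),
    }


# Constructed samples: registry-dump excerpts quoted in this thread, before and
# after OTMoveIt2 deleted the DisableTaskMgr value.
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\PROGRAM FILES\QuickTime\qttask.exe" [04/27/07 09:41 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/21/08 03:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/23/01 12:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
"""

AFTER_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\PROGRAM FILES\QuickTime\qttask.exe" [04/27/07 09:41 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/21/08 03:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [08/23/01 12:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
"""

if __name__ == "__main__":
    for label, items in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(label, items)
```

On the thread's own logs this reports one lockdown value removed (the HKCU DisableTaskMgr the OTMoveIt2 run deleted), nothing remaining, and no change to the Run keys, which is exactly what the helper checks for before declaring the log clean. A value of 0, like the disableregistrytools entry under HKEY_USERS\.default, is deliberately not reported: it is the policy being present and non-zero that locks the user out.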

#30
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next, go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0
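As an added example tied to the HOSTS-file advice in the post above (not part of this thread, and not code from the MVPS HOSTS project), the Python script below parses a HOSTS file and separates the expected blocklist entries, names sunk to 127.0.0.1 or 0.0.0.0 the way the MVPS file does, from entries that turn the same mechanism against the user: a security vendor's or Windows Update's hostname sent to a foreign address, or pinned to loopback so the machine can no longer reach updates or scanners. The sample file, its 203.0.113.10 address and the WATCHED_DOMAINS list are all constructed assumptions, not anything taken from the victim's machine.

```python
"""Classify HOSTS-file entries: MVPS-style blocklist lines that sink a name to
127.0.0.1 or 0.0.0.0 are expected, but the same mechanism is used against the
victim when a vendor or update hostname is sunk or sent to a foreign address.

Added example for this thread, not code from the MVPS HOSTS project. The sample
file and the 203.0.113.10 address are constructed; WATCHED_DOMAINS is an
assumption about which names matter on this machine.
"""
import ipaddress

SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Domains that should never be overridden on a client; choose these per machine.
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "kaspersky.com", "grisoft.com")


def parse_hosts(text):
    """Return [(ip, hostname), ...]; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # first token is not an address: junk or a damaged line
        entries.extend((str(ip), name.lower()) for name in names)
    return entries


def is_watched(host, watched=WATCHED_DOMAINS):
    """True when host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)


def classify_hosts(text, watched=WATCHED_DOMAINS):
    """Split entries into sinkholed (blocklist), hijacked (a watched name mapped
    anywhere at all, loopback included) and other (localhost, ordinary mappings)."""
    report = {"sinkholed": [], "hijacked": [], "other": []}
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            report["other"].append((ip, host))
        elif is_watched(host, watched):
            # Checked before the sinkhole test: "127.0.0.1 www.vendor.example"
            # is not a blocklist entry, it is the vendor being blocked.
            report["hijacked"].append((ip, host))
        elif ip in SINKHOLE_ADDRESSES:
            report["sinkholed"].append((ip, host))
        else:
            report["other"].append((ip, host))
    return report


# Constructed sample; nothing here was taken from the victim's machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# MVPS-style blocklist lines
0.0.0.0 ad.doubleclick.net
0.0.0.0 banners.example.net   # trailing comment
# lines a rogue antispyware might add
127.0.0.1 www.kaspersky.com
203.0.113.10 windowsupdate.microsoft.com download.windowsupdate.com
not an address at all
"""

if __name__ == "__main__":
    for kind, items in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```

A non-empty "hijacked" list is the finding to act on: a freshly installed MVPS file should produce only "sinkholed" entries plus the localhost line. Note the ordering of the checks: a watched name is reported as hijacked even when it points at 127.0.0.1, because on a client that is a vendor being blocked, not an ad being blocked.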





