Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware Issues [RESOLVED]


  • This topic is locked This topic is locked

#1
iamgrim

iamgrim

    Member

  • Member
  • PipPip
  • 46 posts
Have issues with PC trying to connect to internet all the time. Have followed Malware Removal Guide, installed various spyware packages and all found something and said they had deleted them but still the problem exists...

Hoping someone can have a look at my Hijackthis log and ascertain how I can fix this...

Cheers


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:07 AM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\CTHELPER.EXE
H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Hijack This\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1418F620-105C-49C8-933C-54DA61610B03} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E08DE81E-7E47-4777-84C5-C45DA13BCF91} - H:\WINDOWS\system32\byxvtss.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] H:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] H:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] H:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jet Detection] "H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?7f7e294ce9004557a6ad8d87118e715e
O8 - Extra context menu item: Open in new foreground tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?7f7e294ce9004557a6ad8d87118e715e
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.au/
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxvtss - H:\WINDOWS\SYSTEM32\byxvtss.dll
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O21 - SSODL: WinService - {8e2f3357-af3a-4c99-bf58-b491a9f8140d} - H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll
O21 - SSODL: zip - {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll
O21 - SSODL: KernelRom - {c6f018ef-8321-4cc5-9dc0-8c29178cd161} - H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 11669 bytes
  • 0

Advertisements


#2
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Now seeing as it has been some time since you posted your log, I would like you to run a DSS scan.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

Regards,
RatHat
  • 0

#3
iamgrim

iamgrim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Rathat,

Thanks for your reply. Details of logs below.

Main.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-03-19 10:50:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-03-19 00:50:08 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:07 AM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\CTHELPER.EXE
H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\system32\igfxsrvc.exe
H:\Documents and Settings\Owner\Desktop\dss.exe
H:\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1418F620-105C-49C8-933C-54DA61610B03} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E08DE81E-7E47-4777-84C5-C45DA13BCF91} - H:\WINDOWS\system32\byxvtss.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] H:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] H:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] H:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jet Detection] "H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?7f7e294ce9004557a6ad8d87118e715e
O8 - Extra context menu item: Open in new foreground tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?7f7e294ce9004557a6ad8d87118e715e
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.au/
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxvtss - H:\WINDOWS\SYSTEM32\byxvtss.dll
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O21 - SSODL: WinService - {8e2f3357-af3a-4c99-bf58-b491a9f8140d} - H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll
O21 - SSODL: zip - {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll
O21 - SSODL: KernelRom - {c6f018ef-8321-4cc5-9dc0-8c29178cd161} - H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 11662 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - h:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - h:\program files\superantispyware\saskutil.sys
R2 ANIO (ANIO Service) - h:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
R3 SASENUM - h:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "h:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R3 ServiceLayer - "h:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 ANIWZCSdService (ANIWZCSd Service) - h:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_0C4A8086&REV_10\4&2E98101C&0&18F0
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_0C4A8086&REV_10\4&2E98101C&0&18F0
Service: rtl8139

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)
Device ID: PCI\VEN_1814&DEV_0302&SUBSYS_3C091186&REV_00\4&2E98101C&0&20F0
Manufacturer: D-Link
Name: D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)
PNP Device ID: PCI\VEN_1814&DEV_0302&SUBSYS_3C091186&REV_00\4&2E98101C&0&20F0
Service: RT61

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia E65
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia E65
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-03-19 10:44:00 356 --a------ H:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-03-15 11:17:01 284 --a------ H:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-02-19 and 2008-03-19 -----------------------------

2008-03-07 15:36:31 0 d-------- H:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-07 15:36:17 0 d-------- H:\Program Files\SUPERAntiSpyware
2008-03-07 15:36:17 0 d-------- H:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-07 15:35:53 0 d-------- H:\Program Files\Common Files\Wise Installation Wizard
2008-03-07 15:28:15 0 d-------- H:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-07 12:15:21 0 d-------- H:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-07 12:07:35 0 d-------- H:\Documents and Settings\Administrator\Application Data\Adobe
2008-03-07 11:58:40 147456 --a------ H:\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2008-03-07 11:36:12 0 d-------- H:\Hijack This
2008-03-07 10:13:44 0 d-------- H:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-07 09:28:01 0 d-------- H:\Documents and Settings\Administrator\Favorites
2008-03-07 09:28:01 0 d-------- H:\Documents and Settings\Administrator\Desktop
2008-03-07 09:28:01 0 d--hs---- H:\Documents and Settings\Administrator\Cookies
2008-03-07 09:28:01 0 dr-h----- H:\Documents and Settings\Administrator\Application Data
2008-03-07 09:28:01 0 d---s---- H:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-07 09:28:00 0 d--h----- H:\Documents and Settings\Administrator\Templates
2008-03-07 09:28:00 0 dr------- H:\Documents and Settings\Administrator\Start Menu
2008-03-07 09:28:00 0 dr-h----- H:\Documents and Settings\Administrator\SendTo
2008-03-07 09:28:00 0 d--h----- H:\Documents and Settings\Administrator\Recent
2008-03-07 09:28:00 0 d--h----- H:\Documents and Settings\Administrator\PrintHood
2008-03-07 09:28:00 786432 --ah----- H:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-07 09:28:00 0 d--h----- H:\Documents and Settings\Administrator\NetHood
2008-03-07 09:28:00 0 d-------- H:\Documents and Settings\Administrator\My Documents
2008-03-07 09:28:00 0 d--h----- H:\Documents and Settings\Administrator\Local Settings
2008-03-05 11:58:24 24 --a------ H:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80651102}.dat
2008-03-05 11:58:24 24 --a------ H:\WINDOWS\system32\DVCState-{00000002-00000000-00000001-00001102-00000002-80651102}.dat
2008-03-05 11:49:31 0 dr-h----- H:\Documents and Settings\Owner\Recent
2008-03-05 07:11:16 0 d-------- H:\Program Files\ToniArts
2008-02-29 20:10:11 0 d-------- H:\Program Files\SysCleaner
2008-02-29 17:23:09 0 d-------- H:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-29 07:47:44 0 d-------- H:\Documents and Settings\Owner\Application Data\SysCleaner
2008-02-28 23:27:07 206290 --ahs---- H:\WINDOWS\system32\pqtwa.ini2
2008-02-28 23:21:36 34816 --a------ H:\WINDOWS\system32\byxvtss.dll
2008-02-19 19:38:35 239616 --a------ H:\WINDOWS\system32\HDK3CTNT.DLL <Not Verified; Virtual Media Technology P/L; HDK>
2008-02-19 19:38:21 0 d-------- H:\Program Files\Hasbro Interactive


-- Find3M Report ---------------------------------------------------------------

2008-03-07 15:35:53 0 d-------- H:\Program Files\Common Files
2008-03-07 08:00:02 0 d-------- H:\Documents and Settings\Owner\Application Data\AVG7
2008-03-05 11:51:51 0 d-------- H:\Program Files\etax2007
2008-03-05 11:51:51 0 d-------- H:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-05 11:51:51 0 d-------- H:\Documents and Settings\Owner\Application Data\Imesh Turbo
2008-03-05 07:11:15 0 d--h----- H:\Program Files\InstallShield Installation Information
2008-02-08 10:14:20 0 d-------- H:\Documents and Settings\Owner\Application Data\Adobe
2008-01-21 18:48:18 0 d-------- H:\Program Files\iTunes
2008-01-21 18:48:06 0 d-------- H:\Program Files\iPod
2008-01-21 18:47:07 0 d-------- H:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1418F620-105C-49C8-933C-54DA61610B03}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E08DE81E-7E47-4777-84C5-C45DA13BCF91}]
02/28/2008 11:21 PM 34816 --a------ H:\WINDOWS\system32\byxvtss.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07/02/2002 07:56 PM H:\WINDOWS\system32\CTHELPER.EXE]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [07/26/2006 05:03 AM]
"RemoteControl"="H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 05:01 AM]
"PHIME2002ASync"="H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/01/2004 10:00 PM]
"PHIME2002A"="H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/01/2004 10:00 PM]
"nwiz"="nwiz.exe" [06/01/2006 07:22 PM H:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="H:\WINDOWS\system32\NvMcTray.dll" [06/01/2006 07:22 PM]
"NvCplDaemon"="H:\WINDOWS\system32\NvCpl.dll" [06/01/2006 07:22 PM]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"IMJPMIG8.1"="H:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [10/01/2004 10:00 PM]
"igfxtray"="H:\WINDOWS\system32\igfxtray.exe" [09/20/2005 12:35 PM]
"igfxpers"="H:\WINDOWS\system32\igfxpers.exe" [09/20/2005 12:36 PM]
"igfxhkcmd"="H:\WINDOWS\system32\hkcmd.exe" [09/20/2005 12:32 PM]
"ANIWZCS2Service"="H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [12/16/2004 07:49 PM]
"Adobe Photo Downloader"="H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 01:46 AM]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"PCSuiteTrayApplication"="H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [11/28/2006 02:12 PM]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"AVG7_CC"="H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"Jet Detection"="H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/2001 03:00 AM]
"Easy-PrintToolBox"="H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [01/14/2004 11:10 AM]
"!AVG Anti-Spyware"="H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 07:25 PM]
"UpdReg"="H:\WINDOWS\UpdReg.EXE" [05/11/2000 03:00 AM]
"NWEReboot"="" []
"MSConfig"="H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [10/01/2004 10:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [10/01/2004 10:00 PM]
"SUPERAntiSpyware"="H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/20/2007 12:49 PM]
"MsnMsgr"="H:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"BitTorrent"="H:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E08DE81E-7E47-4777-84C5-C45DA13BCF91}"= H:\WINDOWS\system32\byxvtss.dll [02/28/2008 11:21 PM 34816]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinService"= {8e2f3357-af3a-4c99-bf58-b491a9f8140d} - H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll [02/28/2008 11:34 PM 14374]
"zip"= {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll [02/29/2008 07:59 PM 23286]
"KernelRom"= {c6f018ef-8321-4cc5-9dc0-8c29178cd161} - H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll [02/29/2008 03:46 PM 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
H:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 H:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvtss]
byxvtss.dll 02/28/2008 11:21 PM 34816 H:\WINDOWS\system32\byxvtss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]
winbue32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 H:\WINDOWS\system32\awtqp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, , , ,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NtmsSvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-03-19 10:51:46 ------------


Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1022.73 MiB / 576.26 MiB
Pagefile Memory (total/avail): 2436.08 MiB / 2027.23 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.48 MiB

C: is Removable (FAT)
D: is CDROM (Unformatted)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Fixed (NTFS) - 186.31 GiB total, 30.58 GiB free.
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3200820A - 186.31 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 186.31 GiB - H:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - USB 2.0 Flash Disk USB Device - 243.17 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 247.98 MiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"H:\\Program Files\\MSN Messenger\\msncall.exe"="H:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"H:\\Program Files\\MSN Messenger\\msnmsgr.exe"="H:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"H:\\Program Files\\MSN Messenger\\livecall.exe"="H:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"H:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="H:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"H:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="H:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"H:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe"="H:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"H:\\Program Files\\MSN Messenger\\msncall.exe"="H:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"H:\\Program Files\\LimeWire\\LimeWire.exe"="H:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"H:\\Program Files\\MSN Messenger\\msnmsgr.exe"="H:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"H:\\Program Files\\MSN Messenger\\livecall.exe"="H:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"H:\\Program Files\\uTorrent\\utorrent.exe"="H:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"H:\\Program Files\\BitTorrent_DNA\\dna.exe"="H:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:DNA"
"H:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"="H:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"H:\\Program Files\\BitLord2\\BitLord.exe"="H:\\Program Files\\BitLord2\\BitLord.exe:*:Enabled: "
"H:\\Program Files\\iTunes\\iTunes.exe"="H:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"H:\\Program Files\\BitTorrent\\bittorrent.exe"="H:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
"H:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"="H:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe:*:Disabled:D-Link AirPlus Utility"
"H:\\Program Files\\Messenger\\msmsgs.exe"="H:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"H:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win6B.exe"="H:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\win6B.exe:*:Enabled:win6B"
"H:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="H:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"H:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="H:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"H:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe"="H:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"H:\\WINDOWS\\TEMP\\win43.exe"="H:\\WINDOWS\\TEMP\\win43.exe:*:Enabled:win43"
"H:\\WINDOWS\\TEMP\\win8E.exe"="H:\\WINDOWS\\TEMP\\win8E.exe:*:Enabled:win8E"
"H:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="H:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"H:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="H:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"H:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="H:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"H:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="H:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=H:\Documents and Settings\All Users
APPDATA=H:\Documents and Settings\Owner\Application Data
CLASSPATH=.;H:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
CommonProgramFiles=H:\Program Files\Common Files
COMPUTERNAME=TOM
ComSpec=H:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=H:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\TOM
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=H:\Program Files\PC Connectivity Solution\;H:\WINDOWS\system32;H:\WINDOWS;H:\WINDOWS\System32\Wbem;H:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=H:\Program Files
PROMPT=$P$G
QTJAVA=H:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=H:
SystemRoot=H:\WINDOWS
TEMP=H:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=H:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=TOM
USERNAME=Owner
USERPROFILE=H:\Documents and Settings\Owner
windir=H:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "H:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S
--> H:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> H:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> H:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> H:\WINDOWS\UNNMP.exe /UNINSTALL
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 H:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> H:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE H:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> H:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> H:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
ANIO Service --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> H:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BigPond ADSL SIK 5.6 Files --> H:\Program Files\Telstra\sikuninst.exe
BitLord v2.0 --> "H:\Program Files\BitLord2\unins000.exe"
Canon iP1200 --> H:\WINDOWS\system32\CNMCP76.exe "-PRINTERNAMECanon iP1200" "-HELPERDLLH:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1200 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon Utilities Easy-PhotoPrint --> H:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities Easy-PrintToolBox --> H:\WINDOWS\BJPSUNST.EXE
DivX Codec --> H:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> H:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> H:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> H:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> H:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
e-tax 2007 --> H:\Program Files\etax2007\e-tax 2007_uninstall.exe
Easy-WebPrint --> H:\WINDOWS\IsUninst.exe -f"H:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EasyCleaner --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9
Empire Earth II --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{DF315348-721C-40B8-BAE2-58C6C7D935A2}\setup.exe" -l0x9 -removeonly
Empire Earth II: The Art of Supremacy --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{F596C356-BF35-4ED7-981C-CC791461A8F0}\setup.exe" -l0x9 -removeonly
EPSON Printer Software --> H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
GameSpy Arcade --> H:\PROGRA~1\GAMESP~1\UNWISE.EXE H:\PROGRA~1\GAMESP~1\INSTALL.LOG
Google Earth --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "H:\Hijack This\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "H:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE H:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
LimeWire 4.12.6 --> "H:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.0 (Symantec Corporation) --> "H:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
MathType 5 --> "H:\Program Files\MathType\Setup.exe" -R
Microsoft Compression Client Pack 1.0 for Windows XP --> "H:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "H:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Monopoly --> H:\WINDOWS\IsUninst.exe -f"H:\Program Files\Hasbro Interactive\Monopoly\Uninst.isu"
Mozilla Firefox (2.0.0.8) --> H:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero Suite --> H:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
Nokia Connectivity Cable Driver --> MsiExec.exe /X{3BFFC6B8-4EC0-4240-858C-998FD4077983}
Nokia PC Suite --> MsiExec.exe /I{02091327-B124-4216-9D71-58C0E24F5392}
NVIDIA Drivers --> H:\WINDOWS\system32\nvudisp.exe UninstallGUI
PC Connectivity Solution --> MsiExec.exe /I{04F3BF74-9E34-4D3E-93C3-D3D1F24199C8}
PowerDVD --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Sibelius Scorch (ActiveX Only) --> MsiExec.exe /I{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}
Sound Blaster Live! Web 2K/XP --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy 1.4 --> "H:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{7DED5635-B47C-4B0F-9AD0-8765D15FD94F}
Versal FileDownload ActiveX Control Trial Version --> H:\Program Files\Universal\UFileDownloadD\USetup.exe
Videora iPod Converter 2.06 --> H:\Program Files\Red Kawa\Video Converter\uninstaller.exe
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2) --> H:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u H:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> H:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u H:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Live Toolbar --> H:\Program Files\Windows Live Toolbar\UnInstall.exe {73B1C023-4490-4A57-A7E1-F20268ECBE52}
Windows Live Toolbar --> MsiExec.exe /X{73B1C023-4490-4A57-A7E1-F20268ECBE52}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{62B8EDCD-D259-4281-8ECD-42029FBC9958}
Windows Live Toolbar MSN Extension (Windows Live Toolbar) --> MsiExec.exe /X{9E7E97D2-3F83-460D-9348-CE40A21E2CA6}
Windows Media Format 11 runtime --> "H:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> H:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
Xfire (remove only) --> "H:\Program Files\Xfire\uninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type15961 / Error
Event Submitted/Written: 03/18/2008 10:21:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type15960 / Error
Event Submitted/Written: 03/18/2008 01:27:04 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type15959 / Error
Event Submitted/Written: 03/16/2008 04:54:18 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type15958 / Error
Event Submitted/Written: 03/14/2008 07:42:34 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module user32.dll, version 5.1.2600.3099, fault address 0x00019a3e.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type15957 / Error
Event Submitted/Written: 03/13/2008 05:49:34 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module user32.dll, version 5.1.2600.3099, fault address 0x00019a3e.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type40529 / Error
Event Submitted/Written: 03/19/2008 08:00:03 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type40520 / Error
Event Submitted/Written: 03/17/2008 07:10:21 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type40519 / Error
Event Submitted/Written: 03/15/2008 07:10:20 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type40518 / Error
Event Submitted/Written: 03/13/2008 07:10:19 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type40517 / Error
Event Submitted/Written: 03/11/2008 07:10:18 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.



-- End of Deckard's System Scanner: finished at 2008-03-19 10:51:46 ------------
  • 0

#4
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Regards,
RatHat
  • 0

#5
iamgrim

iamgrim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Rathat,

Logs as requested....

Combofix Log

ComboFix 08-03-17.1 - Owner 2008-03-19 12:46:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.600 [GMT 10:00]
Running from: H:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\setup.exe
H:\WINDOWS\Fonts\-
H:\WINDOWS\system32\byxvtss.dll
H:\WINDOWS\system32\pac.txt
H:\WINDOWS\system32\pqtwa.ini
H:\WINDOWS\system32\pqtwa.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD


((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-19 10:49 . 2008-03-19 10:49 <DIR> d-------- H:\Deckard
2008-03-07 15:36 . 2008-03-10 10:30 <DIR> d-------- H:\Program Files\SUPERAntiSpyware
2008-03-07 15:36 . 2008-03-07 15:36 <DIR> d-------- H:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-07 15:36 . 2008-03-07 15:36 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-07 15:35 . 2008-03-07 15:35 <DIR> d-------- H:\Program Files\Common Files\Wise Installation Wizard
2008-03-07 15:28 . 2008-03-07 15:28 <DIR> d-------- H:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-07 12:15 . 2008-03-07 12:15 <DIR> d-------- H:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-07 12:14 . 2007-05-30 22:10 10,872 --a------ H:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-07 11:58 . 2008-03-07 11:44 147,456 --a------ H:\VundoFix.exe
2008-03-07 11:36 . 2008-03-19 10:51 <DIR> d-------- H:\Hijack This
2008-03-07 10:13 . 2008-03-07 10:13 <DIR> d-------- H:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-05 11:59 . 2008-03-19 12:53 3,374,719 --a------ H:\WINDOWS\{00000002-00000000-00000001-00001102-00000002-80651102}.BAK
2008-03-05 11:58 . 2008-03-19 12:50 25,296 --a------ H:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000001-00001102-00000002-80651102}.rfx
2008-03-05 11:58 . 2008-03-19 12:50 25,296 --a------ H:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000001-00001102-00000002-80651102}.rfx
2008-03-05 11:58 . 2008-03-19 12:50 16,516 --a------ H:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000001-00001102-00000002-80651102}.rfx
2008-03-05 11:58 . 2008-03-19 12:50 16,516 --a------ H:\WINDOWS\system32\BMXState-{00000002-00000000-00000001-00001102-00000002-80651102}.rfx
2008-03-05 11:58 . 2008-03-19 12:50 24 --a------ H:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80651102}.dat
2008-03-05 11:58 . 2008-03-19 12:50 24 --a------ H:\WINDOWS\system32\DVCState-{00000002-00000000-00000001-00001102-00000002-80651102}.dat
2008-03-05 11:34 . 2008-03-19 12:50 1,080 --a------ H:\WINDOWS\system32\settingsbkup.sfm
2008-03-05 07:11 . 2008-03-05 07:11 <DIR> d-------- H:\Program Files\ToniArts
2008-02-29 20:10 . 2008-02-29 20:10 <DIR> d-------- H:\Program Files\SysCleaner
2008-02-29 17:23 . 2008-03-07 12:14 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-29 15:11 . 2008-02-29 15:11 229 --a------ H:\WINDOWS\wininit.ini
2008-02-29 07:47 . 2008-02-29 07:47 <DIR> d-------- H:\Documents and Settings\Owner\Application Data\SysCleaner
2008-02-19 19:38 . 2008-02-19 19:38 <DIR> d-------- H:\Program Files\Hasbro Interactive
2008-02-19 19:38 . 1999-03-18 11:47 239,616 --a------ H:\WINDOWS\system32\HDK3CTNT.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 22:00 --------- d-----w H:\Documents and Settings\Owner\Application Data\AVG7
2008-03-05 01:51 --------- d-----w H:\Program Files\etax2007
2008-03-05 01:51 --------- d-----w H:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-05 01:51 --------- d-----w H:\Documents and Settings\Owner\Application Data\Imesh Turbo
2008-03-04 21:11 --------- d--h--w H:\Program Files\InstallShield Installation Information
2008-02-29 07:38 --------- d-----w H:\Documents and Settings\All Users\Application Data\avg7
2008-02-28 21:59 --------- d-----w H:\Program Files\Spybot - Search & Destroy
2008-01-21 08:48 --------- d-----w H:\Program Files\iTunes
2008-01-21 08:48 --------- d-----w H:\Program Files\iPod
2008-01-21 08:47 --------- d-----w H:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-10-01 22:00 15360]
"SUPERAntiSpyware"="H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 12:49 68856]
"MsnMsgr"="H:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"BitTorrent"="H:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 19:56 24576 H:\WINDOWS\system32\CTHELPER.EXE]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 05:03 49263]
"RemoteControl"="H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 05:01 32768]
"PHIME2002ASync"="H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-10-01 22:00 455168]
"PHIME2002A"="H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-10-01 22:00 455168]
"nwiz"="nwiz.exe" [2006-06-01 19:22 1519616 H:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="H:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 19:22 86016]
"NvCplDaemon"="H:\WINDOWS\system32\NvCpl.dll" [2006-06-01 19:22 7618560]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"IMJPMIG8.1"="H:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-10-01 22:00 208952]
"igfxtray"="H:\WINDOWS\system32\igfxtray.exe" [2005-09-20 12:35 94208]
"igfxpers"="H:\WINDOWS\system32\igfxpers.exe" [2005-09-20 12:36 114688]
"igfxhkcmd"="H:\WINDOWS\system32\hkcmd.exe" [2005-09-20 12:32 77824]
"ANIWZCS2Service"="H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 19:49 49152]
"Adobe Photo Downloader"="H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 01:46 57344]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"PCSuiteTrayApplication"="H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 14:12 222720]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"AVG7_CC"="H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"Jet Detection"="H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 03:00 28672]
"Easy-PrintToolBox"="H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10 409600]
"!AVG Anti-Spyware"="H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"UpdReg"="H:\WINDOWS\UpdReg.EXE" [2000-05-11 03:00 90112]
"NWEReboot"="" []
"MSConfig"="H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-10-01 22:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
"AVG7_Run"="H:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-29 17:23 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-10-01 22:00 53760 H:\WINDOWS\system32\narrator.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= H:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinService"= {8e2f3357-af3a-4c99-bf58-b491a9f8140d} - H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll [2008-02-28 23:34 14374]
"zip"= {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll [2008-02-29 19:59 23286]
"KernelRom"= {c6f018ef-8321-4cc5-9dc0-8c29178cd161} - H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll [2008-02-29 15:46 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
H:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 H:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvtss]
byxvtss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]
winbue32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NtmsSvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\Program Files\\LimeWire\\LimeWire.exe"=
"H:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"H:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"H:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=
"H:\\Program Files\\BitLord2\\BitLord.exe"=
"H:\\Program Files\\iTunes\\iTunes.exe"=
"H:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"=
"H:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\winav.exe"=
"H:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"H:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"H:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"H:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10386:TCP"= 10386:TCP:*:Disabled:BitComet 10386 TCP
"10386:UDP"= 10386:UDP:*:Disabled:BitComet 10386 UDP


.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 01:17:01 H:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- H:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-19 02:44:00 H:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- H:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 12:53:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: H:\WINDOWS\explorer.exe [6.00.2900.3156]
-> H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll
-> H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll
-> H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll
.
------------------------ Other Running Processes ------------------------
.
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-19 12:56:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-19 02:56:00
.
2008-02-13 12:00:08 --- E O F ---


Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\CTHELPER.EXE
H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\explorer.exe
H:\Hijack This\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] H:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] H:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] H:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jet Detection] "H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?7f7e294ce9004557a6ad8d87118e715e
O8 - Extra context menu item: Open in new foreground tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?7f7e294ce9004557a6ad8d87118e715e
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.au/
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxvtss - byxvtss.dll (file missing)
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O21 - SSODL: WinService - {8e2f3357-af3a-4c99-bf58-b491a9f8140d} - H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll
O21 - SSODL: zip - {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll
O21 - SSODL: KernelRom - {c6f018ef-8321-4cc5-9dc0-8c29178cd161} - H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 11207 bytes
  • 0

#6
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please uninstall the following programs:


BitLord v2.0
LimeWire 4.16.6

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
Note: Limewire is the most likely cause of your infection. Additionally, malware use Limewire as a conduit to the web to download additional files. If you choose to reinstall it at a later date, you are opening yourself up to reinfection.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll (file missing)
O20 - Winlogon Notify: byxvtss - byxvtss.dll (file missing)
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O21 - SSODL: zip - {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Finally, please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.


So in your next reply, please include:
  • The contents of OTM.txt
  • The MBAM log
  • The contents of Kaspersky.txt
  • A fresh HijackThis log, taken after completing all of the above

And let me know how your computer is behaving now.

Regards,
RatHat
  • 0

#7
iamgrim

iamgrim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Ok, finally got the chance to run these, details below.

OTM.text

DllUnregisterServer procedure not found in H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll
H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll NOT unregistered.
File move failed. H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03202008_121121


Anti Malware Log

Malwarebytes' Anti-Malware 1.08
Database version: 471

Scan type: Quick Scan
Objects scanned: 28768
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll (Trojan.Alphabet) -> Unloaded module successfully.
H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll (Trojan.Alphabet) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{8e2f3357-af3a-4c99-bf58-b491a9f8140d} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c6f018ef-8321-4cc5-9dc0-8c29178cd161} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\SCSDelete (Rogue.SysCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\SCSDelete (Rogue.SysCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinService (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\KernelRom (Trojan.Alphabet) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d} (Trojan.Alphabet) -> Delete on reboot.
H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161} (Trojan.Alphabet) -> Delete on reboot.
H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a} (Trojan.Alphabet) -> Quarantined and deleted successfully.
H:\Program Files\SysCleaner (Rogue.SysCleaner) -> Quarantined and deleted successfully.
H:\Documents and Settings\Owner\Application Data\SysCleaner (Rogue.SysCleaner) -> Quarantined and deleted successfully.
H:\Documents and Settings\Owner\Application Data\SysCleaner\logs (Rogue.SysCleaner) -> Quarantined and deleted successfully.

Files Infected:
H:\WINDOWS\Installer\{8e2f3357-af3a-4c99-bf58-b491a9f8140d}\WinService.dll (Trojan.Alphabet) -> Delete on reboot.
H:\WINDOWS\Installer\{c6f018ef-8321-4cc5-9dc0-8c29178cd161}\KernelRom.dll (Trojan.Alphabet) -> Delete on reboot.
H:\Documents and Settings\Owner\Application Data\SysCleaner\settings.dat (Rogue.SysCleaner) -> Quarantined and deleted successfully.
H:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Start SysCleaner.lnk (Rogue.SysCleaner) -> Quarantined and deleted successfully.

Kapersky Log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 13:55
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 654208
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 67558
Number of viruses found: 12
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 01:15:19

Infected Object Name / Virus Name / Last Action
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/autorun.exe Infected: Trojan.Win32.Qhost.aes skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VarioAntiVirus.zip/pgs.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VarioAntiVirus.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack2.zip/findfast.exe Infected: Trojan.Win32.Qhost.aes skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack2.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/svchost.exe Infected: Backdoor.Win32.IRCBot.aro skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh3.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh3.zip ZIP: infected - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/mrofinu1188.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: infected - 1 skipped
H:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.21958 Infected: Trojan.Win32.Agent.feh skipped
H:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.53757 Infected: Trojan.Win32.Agent.feh skipped
H:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
H:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
H:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\04 Track 4 (soundtrack).wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\pepsi add song.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\rain in africa- hip hop.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
H:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Owner\Shared\call of duty 4 cd key.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
H:\Documents and Settings\Owner\Shared\call of duty 4 cd key.zip ZIP: infected - 1 skipped
H:\QooBox\Quarantine\catchme2008-03-19_125258.03.zip/byxvtss.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
H:\QooBox\Quarantine\catchme2008-03-19_125258.03.zip ZIP: infected - 1 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{2A1A1249-6543-4415-9800-000CC122B333}\RP3\A0000096.dll Infected: Trojan.Win32.Agent.feh skipped
H:\System Volume Information\_restore{2A1A1249-6543-4415-9800-000CC122B333}\RP3\A0000097.dll Infected: Trojan.Win32.Agent.feh skipped
H:\System Volume Information\_restore{2A1A1249-6543-4415-9800-000CC122B333}\RP3\change.log Object is locked skipped
H:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
H:\WINDOWS\Installer\{f1014c33-ba4e-4fc0-afba-b2194ac665b6}\zip.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
H:\WINDOWS\SchedLgU.Txt Object is locked skipped
H:\WINDOWS\SoftwareDistribution\EventCache\{2B9DB4C5-11E3-4243-8185-23C8501559A3}.bin Object is locked skipped
H:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINDOWS\Sti_Trace.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
H:\WINDOWS\system32\CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
H:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\default Object is locked skipped
H:\WINDOWS\system32\config\default.LOG Object is locked skipped
H:\WINDOWS\system32\config\Internet.evt Object is locked skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
H:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\SECURITY Object is locked skipped
H:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
H:\WINDOWS\system32\config\software Object is locked skipped
H:\WINDOWS\system32\config\software.LOG Object is locked skipped
H:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\system Object is locked skipped
H:\WINDOWS\system32\config\system.LOG Object is locked skipped
H:\WINDOWS\system32\h323log.txt Object is locked skipped
H:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
H:\WINDOWS\wiadebug.log Object is locked skipped
H:\WINDOWS\wiaservc.log Object is locked skipped
H:\WINDOWS\WindowsUpdate.log Object is locked skipped
H:\_OTMoveIt\MovedFiles\03202008_121121\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped

Scan process completed.

Hijack this Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:55, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\CTHELPER.EXE
H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
H:\Program Files\internet explorer\iexplore.exe
H:\WINDOWS\system32\NOTEPAD.EXE
H:\WINDOWS\system32\NOTEPAD.EXE
H:\Hijack This\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] H:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] H:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] H:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jet Detection] "H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?7f7e294ce9004557a6ad8d87118e715e
O8 - Extra context menu item: Open in new foreground tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?7f7e294ce9004557a6ad8d87118e715e
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - H:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: zip - {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - H:\WINDOWS\Installer\{0618fe92-ccbe-4c03-82c5-00a71cabf98a}\zip.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 10843 bytes

PC isn't trying to connect to the internet every 5 seconds anymore either....
  • 0

#8
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Looks like we are almose done!

Now lets run OTMoveIt from Safe Mode
  • Boot into Safe Mode
    • Restart you computer
    • As soon as it starts, continuously tap the F8 key
    • A screen will load that gives you the option to boot into Safe Mode, choose this
    • When the start up screen appears, log into your normal account
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\04 Track 4 (soundtrack).wma
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\pepsi add song.wm
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\rain in africa- hip hop.wm
H:\Documents and Settings\Owner\Shared\call of duty 4 cd key.zip
H:\WINDOWS\Installer\{f1014c33-ba4e-4fc0-afba-b2194ac665b6}\zip.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now doesn't look like your AntiVirus, AVG is running, or updated. Could you start it up, update to the latest definitions, and make sure that it is set to start automatically.

Post me the OTM.txt, and a fresh HijackThis log, and lety me know if you are having any more problems with your computer.

Regards,
RatHat
  • 0

#9
iamgrim

iamgrim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Gidday Rathat,

Info as requested below.

OTM.txt

[Custom Input]
< H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\04 Track 4 (soundtrack).wma >
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\04 Track 4 (soundtrack).wma moved successfully.
< H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\pepsi add song.wm >
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\pepsi add song.wm moved successfully.
< H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\rain in africa- hip hop.wm >
H:\Documents and Settings\Owner\My Documents\My Music\Limewire Downloads\rain in africa- hip hop.wm moved successfully.
< H:\Documents and Settings\Owner\Shared\call of duty 4 cd key.zip >
H:\Documents and Settings\Owner\Shared\call of duty 4 cd key.zip moved successfully.
< H:\Windows\Installer\{f1014c33-ba4e-4fc0-afba-b2194ac665b6}\zip.dll >
File/Folder H:\Windows\Installer\{f1014c33-ba4e-4fc0-afba-b2194ac665b6}\zip.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03242008_153412

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:00, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\CTHELPER.EXE
H:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\MSN Messenger\MsnMsgr.Exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Hijack This\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] H:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] H:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] H:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Jet Detection] "H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "H:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://H:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?7f7e294ce9004557a6ad8d87118e715e
O8 - Extra context menu item: Open in new foreground tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?7f7e294ce9004557a6ad8d87118e715e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O21 - SSODL: zip - {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - (no file)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 10821 bytes

AVG Anti Virus was corrupt & wouldn't start/update. Removed and reinstalled, all good now. PC seems to be running fine btw.

Cheers
  • 0

#10
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please re-open HiJackThis and scan. Check the box next to the entry listed below.

O21 - SSODL: zip - {0618fe92-ccbe-4c03-82c5-00a71cabf98a} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

OK! Well done, your log is clean again! :)

Now lets uninstall Combofix and have a bit of a cleanup:
  • Click START then RUN
  • Now type ComboFix.exe /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Please delete any logs or other files we have used during the fixing of your machine.

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


An essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy compliment each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next lets look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vunerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
  • 0

#11
iamgrim

iamgrim

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Cheers Rathat,

Have done all you have asked, AVG/Ad Aware/Spybot report no issues...hopefully now I can keep it that way.

Thanks for all your help!

Much appreciated.
  • 0

#12
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#13
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP