Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Pop-ups[RESOLVED]


  • This topic is locked This topic is locked

#1
hotshotvz

hotshotvz

    Member

  • Member
  • PipPip
  • 73 posts
To whom it may concern,

I keep getting pop-ups on my computer, but I don't know where to look to get rid of it. I think it may be under the label of CiD because the pop-ups appear with that label in the header. It's causing IE to run in the processes found in Windows Task Manager and the MEM usage is like 67,000+. Hope this helps you. Thank you for your time and attention to this matter.

HOTSHOTVZ

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:38 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...arm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\32 road.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [base hope] C:\DOCUME~1\COMPAQ~1\APPLIC~1\OPENTH~1\Up peak.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6887 bytes
  • 0

Advertisements


#2
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\


So in your next reply, please include the MBAM log, and the two DSS logs.

Regards,
RatHat
  • 0

#3
hotshotvz

hotshotvz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
MBAM LOG

Malwarebytes' Anti-Malware 1.09
Database version: 518

Scan type: Quick Scan
Objects scanned: 39058
Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system\SYSRegC.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.

MAIN
Deckard's System Scanner v20071014.68
Run by Compaq_Administrator on 2008-03-21 15:20:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
73: 2008-03-21 19:20:37 UTC - RP73 - Deckard's System Scanner Restore Point
72: 2008-03-21 18:26:04 UTC - RP72 - Installed Windows Installer KB893803v2.
71: 2008-03-21 18:18:41 UTC - RP71 - Installed Windows Installer KB893803v2.
70: 2008-03-21 18:06:01 UTC - RP70 - Unsigned driver install
69: 2008-03-21 18:05:24 UTC - RP69 - Installed Windows Installer KB893803v2.


-- First Restore Point --
1: 2008-02-05 07:57:01 UTC - RP1 - Installed Java™ 6 Update 3


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Compaq_Administrator.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:33 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Compaq_Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...arm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\32 road.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [base hope] C:\DOCUME~1\COMPAQ~1\APPLIC~1\OPENTH~1\Up peak.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5732 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080319-085356-663 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
backup-20080319-085356-746 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...arm1=seconduser
backup-20080319-085420-266 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...arm1=seconduser
backup-20080319-085420-871 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...arm1=seconduser
backup-20080319-085445-163 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...arm1=seconduser
backup-20080319-085515-274 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
backup-20080319-085515-541 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
backup-20080319-085515-615 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20080319-161325-292 O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe"%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-21 15:00:01 300 --ah----- C:\WINDOWS\Tasks\B793D3479B704A7F.job
2008-03-18 23:19:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-21 14:59:29 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-03-21 14:59:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 14:59:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 13:26:32 19805 -ra------ C:\WINDOWS\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
2008-03-18 16:59:23 0 d-------- C:\Program Files\QuickTime
2008-03-18 12:02:30 0 d-------- C:\Program Files\Trend Micro
2008-03-17 21:10:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping
2008-03-17 21:10:30 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\OpenThirdDoes
2008-03-17 21:10:17 0 d-------- C:\Program Files\BitDownload
2008-03-17 19:56:03 0 d-------- C:\spoolerlogs
2008-03-16 08:30:37 0 d-------- C:\WINDOWS\Cache
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\TVU Networks
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-03-07 18:21:40 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\LEGO Company
2008-03-07 18:21:33 0 d-------- C:\Program Files\LEGO Company
2008-03-06 12:02:20 0 d---s---- C:\Documents and Settings\Compaq_Administrator\%USERPROFILE% <%USERP~1>
2008-03-06 03:46:00 0 d--hs---- C:\WINDOWS\system32\%USERPROFILE% <%USERP~1>
2008-02-22 12:06:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-03-17 21:09:42 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-03-17 10:25:57 0 d-------- C:\Program Files\AIM6
2008-03-17 10:23:32 0 d-------- C:\Program Files\Viewpoint
2008-03-16 08:30:37 31 --ah----- C:\WINDOWS\uccspecc.sys
2008-03-06 09:08:30 0 d-------- C:\Program Files\Easy Internet signup
2008-02-25 22:59:38 0 d-------- C:\Program Files\Microsoft Money 2006
2008-02-25 22:59:38 0 d-------- C:\Program Files\Common Files
2008-02-24 01:50:21 0 d-------- C:\Program Files\LimeWire
2008-02-12 02:17:44 0 d-------- C:\Program Files\DivX
2008-02-11 19:52:07 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-02-11 19:51:25 0 d-------- C:\Program Files\FaxTools
2008-02-11 19:51:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-11 19:49:32 0 d-------- C:\Program Files\Lexmark X1100 Series
2008-02-09 00:57:11 0 d-------- C:\Program Files\Common Files\Real
2008-02-09 00:57:01 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Real
2008-02-05 15:31:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 05:35:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 03:58:16 0 d-------- C:\Program Files\Java
2008-02-05 03:47:50 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Symantec
2008-02-05 03:47:37 0 d-------- C:\Program Files\Microsoft
2008-02-05 03:47:13 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Intuit
2008-02-05 03:47:11 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Apple Computer
2008-02-03 17:24:58 48320 --a----c- C:\Documents and Settings\Compaq_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 16:10:46 274432 --a------ C:\WINDOWS\system32\libcurl.dll
2008-01-29 16:42:29 0 d-------- C:\Program Files\MSECache
2008-01-28 17:51:36 0 d-------- C:\Program Files\MySQL
2008-01-27 21:43:03 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\GetRightToGo
2008-01-04 17:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 17:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 17:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 17:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-04 17:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 10:04 PM]
"PCDrProfiler"="" []
"SMSERIAL"="sm56hlpr.exe" [01/24/2005 05:56 AM C:\WINDOWS\sm56hlpr.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [05/10/2005 08:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03/28/2003 10:18 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"CHIN PING PHONE PILE"="C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\32 road.exe" [03/21/2008 03:18 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/18/2008 04:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"Aim6"="" []
"base hope"="C:\DOCUME~1\COMPAQ~1\APPLIC~1\OPENTH~1\Up peak.exe" [03/17/2008 09:10 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-21 15:21:55 ------------

EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 958.48 MiB / 637.99 MiB
Pagefile Memory (total/avail): 2312.44 MiB / 2068.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.05 MiB

C: is Fixed (NTFS) - 225.36 GiB total, 204.77 GiB free.
D: is Fixed (FAT32) - 7.51 GiB total, 0.96 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3250823AS - 232.88 GiB - 2 partitions
\PARTITION0 - Unknown - 7.52 GiB - D:
\PARTITION1 (bootable) - Installable File System - 225.36 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-B27FB1C401
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Administrator
LOGONSERVER=\\YOUR-B27FB1C401
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=YOUR-B27FB1C401
USERNAME=Compaq_Administrator
USERPROFILE=C:\Documents and Settings\Compaq_Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Compaq_Administrator (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Action Replay Code Manager --> "C:\Program Files\Datel\Action Replay Code Manager\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CiD Help --> C:\DOCUME~1\COMPAQ~1\APPLIC~1\OPENTH~1\Up peak.exe -uninstall
Compaq Game Console and games --> C:\Program Files\WildTangent\Apps\hpuninstall.exe
Compaq Multimedia Keyboard Software --> C:\HP\KBD\KBD.EXE uninstalled
Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Boot Optimizer --> MsiExec.exe /I{3BA95526-6AE0-4B87-A62D-17187EF565FC}
HP DigitalMedia Archive --> MsiExec.exe /I{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
Insaniquarium Deluxe from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5AF1DD17-7B06-45EF-8592-2E524E458BAB\Uninstall.exe"
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{523E6F2A-2D59-4D91-90E8-6C49931C9F50}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LEGO Digital Designer --> C:\Program Files\LEGO Company\LEGO Digital Designer\Uninstall.exe
Lexmark X1100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Web Components --> MsiExec.exe /I{90260409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Motorola SM56 Speakerphone Modem --> C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Money Investment Toolbox --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:5
Office 2003 Tour --> MsiExec.exe /I{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}
PC-Doctor 5 for Windows --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{AB61A692-5543-4C48-979B-8CEA1C52FE9C} /l1033
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) --> C:\WINDOWS\$NtUninstallMC05Upd1$\spuninst\spuninst.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows XP Media Center Edition 2005 KB890629 -->
Windows XP Media Center Edition 2005 KB894553 --> C:\WINDOWS\$NtUninstallKB894553$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB895678 --> C:\WINDOWS\$NtUninstallKB895678$\spuninst\spuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type289 / Error
Event Submitted/Written: 03/21/2008 02:24:53 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 374005357.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type288 / Error
Event Submitted/Written: 03/21/2008 02:24:51 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application actionreplaycodemanager.exe, version 1.0.0.1, faulting module actionreplaycodemanager.exe, version 1.0.0.1, fault address 0x00023857.
Processing media-specific event for [actionreplaycodemanager.exe!ws!]

Event Record #/Type287 / Error
Event Submitted/Written: 03/21/2008 02:23:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application actionreplaycodemanager.exe, version 1.0.0.1, faulting module actionreplaycodemanager.exe, version 1.0.0.1, fault address 0x00023857.
Processing media-specific event for [actionreplaycodemanager.exe!ws!]

Event Record #/Type286 / Error
Event Submitted/Written: 03/21/2008 02:22:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application actionreplaycodemanager.exe, version 1.0.0.1, faulting module actionreplaycodemanager.exe, version 1.0.0.1, fault address 0x00023857.
Processing media-specific event for [actionreplaycodemanager.exe!ws!]

Event Record #/Type278 / Error
Event Submitted/Written: 03/21/2008 11:13:19 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application MySpaceIM.exe, version 1.0.739.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1377 / Error
Event Submitted/Written: 03/21/2008 02:25:43 PM / 03/21/2008 02:25:44 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort3, did not respond within the timeout period.

Event Record #/Type1343 / Error
Event Submitted/Written: 03/21/2008 09:23:31 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The LexBce Server service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type1342 / Error
Event Submitted/Written: 03/21/2008 09:23:17 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type1341 / Error
Event Submitted/Written: 03/21/2008 09:23:14 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type1340 / Error
Event Submitted/Written: 03/21/2008 09:23:09 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-03-21 15:21:55 ------------
  • 0

#4
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please download NoLop to your desktop
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh DSS log in your next reply
If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

Regards,
Rathat
  • 0

#5
hotshotvz

hotshotvz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
NOLOP

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Compaq_Administrator\Desktop
[3/21/2008]
[4:11:00 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\B793D3479B704A7F.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Apple Computer
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Intuit
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Bvrp Software
C:\Documents and Settings\All Users\Application Data\Dfx
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Hewlett-packard
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Iwin Games
C:\Documents and Settings\All Users\Application Data\Jes-soft
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Popcap
C:\Documents and Settings\All Users\Application Data\Popcap(2)
C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Stopzilla!
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Tvu Networks
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Winzip
C:\Documents and Settings\Application Data\Application Data\Microsoft
C:\Documents and Settings\Compaq_administrator\Application Data\Acccore
C:\Documents and Settings\Compaq_administrator\Application Data\Adobe
C:\Documents and Settings\Compaq_administrator\Application Data\Adobeum
C:\Documents and Settings\Compaq_administrator\Application Data\Aim
C:\Documents and Settings\Compaq_administrator\Application Data\Apple Computer
C:\Documents and Settings\Compaq_administrator\Application Data\Avg7
C:\Documents and Settings\Compaq_administrator\Application Data\Citrixwire
C:\Documents and Settings\Compaq_administrator\Application Data\Divx
C:\Documents and Settings\Compaq_administrator\Application Data\Dtlink Software
C:\Documents and Settings\Compaq_administrator\Application Data\Funkitron
C:\Documents and Settings\Compaq_administrator\Application Data\Getrighttogo
C:\Documents and Settings\Compaq_administrator\Application Data\Google
C:\Documents and Settings\Compaq_administrator\Application Data\Hamachi
C:\Documents and Settings\Compaq_administrator\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Compaq_administrator\Application Data\Hpq
C:\Documents and Settings\Compaq_administrator\Application Data\Identities
C:\Documents and Settings\Compaq_administrator\Application Data\Installshield
C:\Documents and Settings\Compaq_administrator\Application Data\Intuit
C:\Documents and Settings\Compaq_administrator\Application Data\Iwin
C:\Documents and Settings\Compaq_administrator\Application Data\Lavasoft
C:\Documents and Settings\Compaq_administrator\Application Data\Leadertech
C:\Documents and Settings\Compaq_administrator\Application Data\Lego Company
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire
C:\Documents and Settings\Compaq_administrator\Application Data\Macromedia
C:\Documents and Settings\Compaq_administrator\Application Data\Malwarebytes
C:\Documents and Settings\Compaq_administrator\Application Data\Microsoft
C:\Documents and Settings\Compaq_administrator\Application Data\Move Networks
C:\Documents and Settings\Compaq_administrator\Application Data\Mozilla
C:\Documents and Settings\Compaq_administrator\Application Data\Myspace
C:\Documents and Settings\Compaq_administrator\Application Data\Openthirddoes
C:\Documents and Settings\Compaq_administrator\Application Data\Real
C:\Documents and Settings\Compaq_administrator\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Compaq_administrator\Application Data\Sonic
C:\Documents and Settings\Compaq_administrator\Application Data\Stopzilla!
C:\Documents and Settings\Compaq_administrator\Application Data\Sun
C:\Documents and Settings\Compaq_administrator\Application Data\Symantec
C:\Documents and Settings\Compaq_administrator\Application Data\Template
C:\Documents and Settings\Compaq_administrator\Application Data\Tvu Networks
C:\Documents and Settings\Compaq_administrator\Application Data\Viewpoint
C:\Documents and Settings\Default User\Application Data\Apple Computer
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Intuit
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Real
C:\Documents and Settings\Default User\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Mozilla
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Symantec

UPDATED DSS

Deckard's System Scanner v20071014.68
Run by Compaq_Administrator on 2008-03-21 16:16:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Compaq_Administrator.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:39 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...arm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\32 road.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [base hope] C:\DOCUME~1\COMPAQ~1\APPLIC~1\OPENTH~1\Up peak.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5854 bytes

-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-21 16:12:13 0 d-------- C:\NoLopBackups
2008-03-21 14:59:29 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-03-21 14:59:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 14:59:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 13:26:32 19805 -ra------ C:\WINDOWS\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
2008-03-18 16:59:23 0 d-------- C:\Program Files\QuickTime
2008-03-18 12:02:30 0 d-------- C:\Program Files\Trend Micro
2008-03-17 21:10:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping
2008-03-17 21:10:30 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\OpenThirdDoes
2008-03-17 21:10:17 0 d-------- C:\Program Files\BitDownload
2008-03-17 19:56:03 0 d-------- C:\spoolerlogs
2008-03-16 08:30:37 0 d-------- C:\WINDOWS\Cache
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\TVU Networks
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-03-07 18:21:40 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\LEGO Company
2008-03-07 18:21:33 0 d-------- C:\Program Files\LEGO Company
2008-03-06 12:02:20 0 d---s---- C:\Documents and Settings\Compaq_Administrator\%USERPROFILE% <%USERP~1>
2008-03-06 03:46:00 0 d--hs---- C:\WINDOWS\system32\%USERPROFILE% <%USERP~1>
2008-02-22 12:06:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-03-17 21:09:42 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-03-17 10:25:57 0 d-------- C:\Program Files\AIM6
2008-03-17 10:23:32 0 d-------- C:\Program Files\Viewpoint
2008-03-16 08:30:37 31 --ah----- C:\WINDOWS\uccspecc.sys
2008-03-06 09:08:30 0 d-------- C:\Program Files\Easy Internet signup
2008-02-25 22:59:38 0 d-------- C:\Program Files\Microsoft Money 2006
2008-02-25 22:59:38 0 d-------- C:\Program Files\Common Files
2008-02-24 01:50:21 0 d-------- C:\Program Files\LimeWire
2008-02-12 02:17:44 0 d-------- C:\Program Files\DivX
2008-02-11 19:52:07 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-02-11 19:51:25 0 d-------- C:\Program Files\FaxTools
2008-02-11 19:51:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-11 19:49:32 0 d-------- C:\Program Files\Lexmark X1100 Series
2008-02-09 00:57:11 0 d-------- C:\Program Files\Common Files\Real
2008-02-09 00:57:01 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Real
2008-02-05 15:31:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 05:35:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 03:58:16 0 d-------- C:\Program Files\Java
2008-02-05 03:47:50 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Symantec
2008-02-05 03:47:37 0 d-------- C:\Program Files\Microsoft
2008-02-05 03:47:13 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Intuit
2008-02-05 03:47:11 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Apple Computer
2008-02-03 17:24:58 48320 --a----c- C:\Documents and Settings\Compaq_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 16:10:46 274432 --a------ C:\WINDOWS\system32\libcurl.dll
2008-01-29 16:42:29 0 d-------- C:\Program Files\MSECache
2008-01-28 17:51:36 0 d-------- C:\Program Files\MySQL
2008-01-27 21:43:03 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\GetRightToGo
2008-01-04 17:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 17:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 17:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 17:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-04 17:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 10:04 PM]
"PCDrProfiler"="" []
"SMSERIAL"="sm56hlpr.exe" [01/24/2005 05:56 AM C:\WINDOWS\sm56hlpr.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [05/10/2005 08:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03/28/2003 10:18 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"CHIN PING PHONE PILE"="C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\32 road.exe" [03/21/2008 04:15 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/18/2008 04:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"Aim6"="" []
"base hope"="C:\DOCUME~1\COMPAQ~1\APPLIC~1\OPENTH~1\Up peak.exe" [03/17/2008 09:10 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eb91752-d3bc-11dc-b079-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eb91755-d3bc-11dc-b079-806d6172696f}]
AutoRun\command- F:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-03-21 16:16:58 ------------
  • 0

#6
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop, but don't run it yet.

Now re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\32 road.exe
O4 - HKCU\..\Run: [base hope] C:\DOCUME~1\COMPAQ~1\APPLIC~1\OPENTH~1\Up peak.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


When you are in Safe Mode
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping
C:\Documents and Settings\Compaq_administrator\Application Data\Openthirddoes
C:\Documents and Settings\All Users\Application Data\Popcap
C:\Documents and Settings\All Users\Application Data\Popcap(2)
C:\WINDOWS\system32\libcurl.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Boot back into Normal Windows and uninstall the following programs:


CiD Help
LimeWire 4.16.6
Viewpoint Media Player

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include:
  • The contents of OTM.txt
  • The contents of Kaspersky.txt
  • A fresh DSS log

And let me know how your computer is behaving.

Regards,
RatHat
  • 0

#7
hotshotvz

hotshotvz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
OTM

[Custom Input]
< C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping >
C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping moved successfully.
< C:\Documents and Settings\Compaq_administrator\Application Data\Openthirddoes >
C:\Documents and Settings\Compaq_administrator\Application Data\OpenThirdDoes moved successfully.
< C:\Documents and Settings\All Users\Application Data\Popcap >
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\PopCap\savedgames\insaniquarium moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\PopCap\savedgames moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\PopCap\insaniquarium\sounds moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\PopCap\insaniquarium\images\upsell moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\PopCap\insaniquarium\images moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\PopCap\insaniquarium moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\PopCap moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap moved successfully.
< C:\Documents and Settings\All Users\Application Data\Popcap(2) >
C:\Documents and Settings\All Users\Application Data\PopCap(2)\PopCapLoader(2)\popcap(2)\savedgames(2)\insaniquarium(2) moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap(2)\PopCapLoader(2)\popcap(2)\savedgames(2) moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap(2)\PopCapLoader(2)\popcap(2)\insaniquarium(2)\sounds(2) moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap(2)\PopCapLoader(2)\popcap(2)\insaniquarium(2)\images(2) moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap(2)\PopCapLoader(2)\popcap(2)\insaniquarium(2) moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap(2)\PopCapLoader(2)\popcap(2) moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap(2)\PopCapLoader(2) moved successfully.
C:\Documents and Settings\All Users\Application Data\PopCap(2) moved successfully.
< C:\WINDOWS\system32\libcurl.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\libcurl.dll
C:\WINDOWS\system32\libcurl.dll NOT unregistered.
C:\WINDOWS\system32\libcurl.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_170939

KASPERSKY

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 7:10:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 652836
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 101999
Number of viruses found: 32
Number of infected objects: 123
Number of suspicious objects: 2
Duration of the scan process: 01:30:56

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080321161635\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ee77b0fdd1f6b8eb5dc208b050708d53_46f753bc-1d70-4e73-a061-ac88c34f9649 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\feda75eab8301f258a044718d2f4a99e_46f753bc-1d70-4e73-a061-ac88c34f9649 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL2.zip/svchostsys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/winstall.exe Infected: not-virus:Hoax.Win32.Renos.cn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip/w0071b75.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip/w03cfd76.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC19.zip/MyToolBar.dll Infected: not-a-virus:AdWare.Win32.Mostofate.q skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC19.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC23.zip/MyToolBar.dll Infected: not-a-virus:AdWare.Win32.Mostofate.q skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC23.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC24.zip/w03cfd76.dll_tobedeleted Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC24.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC34.zip/MyToolBar.dll Infected: not-a-virus:AdWare.Win32.Mostofate.q skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC34.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/MyToolBar.dll Infected: not-a-virus:AdWare.Win32.Mostofate.q skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip/MyToolBar.dll Infected: not-a-virus:AdWare.Win32.Mostofate.q skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant.zip/ClientAX.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant17.zip/ClientAX.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant17.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant31.zip/icont.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant31.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsZango17.zip/zango.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsZango17.zip/zangohook.dll Infected: not-a-virus:AdWare.Win32.180Solutions.au skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsZango17.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick13.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick13.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick22.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick22.zip/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick22.zip/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick22.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick23.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick23.zip/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick23.zip/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick23.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick29.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick29.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick30.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick30.zip/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick30.zip/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick30.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick31.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick31.zip/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick31.zip/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick31.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick34.zip/repairs303169590.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick34.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick35.zip/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick35.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick36.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick36.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick4.zip/gbe90qs.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick41.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick41.zip/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick41.zip/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick41.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick42.zip/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick42.zip/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick42.zip/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick42.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver3.zip/tsinstall_4_0_4_0_b4.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver3.zip/tsinstall_4_0_4_0_b4.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver3.zip/tsinstall_4_0_4_0_b4.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver3.zip/tsinstall_4_0_4_0_b4.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver3.zip/tsinstall_4_0_4_0_b4.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver3.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq.zip/parad.raw.exe Infected: Trojan-Proxy.Win32.Lager.bu skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq1.zip/taskdir.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Tibsvq1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig.zip/ibm00001.exe Infected: Trojan-PSW.Win32.Sinowal.m skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Torpig.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore.zip/UCMTSAIE.dll Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore7.zip/IUCmore.dll Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore7.zip/UCMTSAIE.dll_tobedeleted Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore7.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/uf215.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant2.zip/webbuying.dll Infected: not-a-virus:AdWare.Win32.Agent.cv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant3.zip/webbuying.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer14.zip/Programs/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer14.zip/Programs/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer14.zip/Programs/whinstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer14.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer16.zip/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer16.zip/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer16.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer3.zip/whagent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebNexus5.zip/sopcftl(3).dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebNexus5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\2f0f91a0-217bb9c4/BlackBox.class Infected: Trojan.Java.ClassLoader.a skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\2f0f91a0-217bb9c4/VerifierBug.class Infected: Trojan.Java.ClassLoader.u skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\2f0f91a0-217bb9c4/Dummy.class Infected: Trojan.Java.Nocheat skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\2f0f91a0-217bb9c4 ZIP: infected - 3 skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\55\265b8ef7-1325a252/BaaaaBaa.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\55\265b8ef7-1325a252 ZIP: infected - 1 skipped
C:\Documents and Settings\Compaq_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc131.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ep skipped
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc131.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc133.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ep skipped
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc133.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc145.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc145.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP3\A0002765.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP3\A0002765.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP3\A0002765.exe WiseSFXDropper: infected - 1 skipped
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP73\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1983279D-6350-4276-A8A3-99A821ABB8D3}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\I386\Apps\APP20301\src\HPSummer2005.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
D:\I386\Apps\APP20301\src\HPSummer2005.exe WiseSFX: infected - 1 skipped
D:\I386\Apps\APP20301\src\HPSummer2005.exe WiseSFXDropper: infected - 1 skipped
D:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP73\change.log Object is locked skipped

Scan process completed.

UPDATED DSS

Deckard's System Scanner v20071014.68
Run by Compaq_Administrator on 2008-03-21 19:21:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Compaq_Administrator.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:08 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...arm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5424 bytes

-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-21 17:18:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-21 17:18:54 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-21 17:18:53 0 d-------- C:\WINDOWS\LastGood
2008-03-21 16:12:13 0 d-------- C:\NoLopBackups
2008-03-21 14:59:29 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-03-21 14:59:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 14:59:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 13:26:32 19805 -ra------ C:\WINDOWS\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
2008-03-18 16:59:23 0 d-------- C:\Program Files\QuickTime
2008-03-18 12:02:30 0 d-------- C:\Program Files\Trend Micro
2008-03-17 21:10:17 0 d-------- C:\Program Files\BitDownload
2008-03-17 19:56:03 0 d-------- C:\spoolerlogs
2008-03-16 08:30:37 0 d-------- C:\WINDOWS\Cache
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\TVU Networks
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-03-07 18:21:40 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\LEGO Company
2008-03-07 18:21:33 0 d-------- C:\Program Files\LEGO Company
2008-03-06 12:02:20 0 d---s---- C:\Documents and Settings\Compaq_Administrator\%USERPROFILE% <%USERP~1>
2008-03-06 03:46:00 0 d--hs---- C:\WINDOWS\system32\%USERPROFILE% <%USERP~1>
2008-02-22 12:06:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-03-21 17:14:15 0 d-------- C:\Program Files\Viewpoint
2008-03-21 17:14:04 0 d-------- C:\Program Files\LimeWire
2008-03-17 21:09:42 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2008-03-17 10:25:57 0 d-------- C:\Program Files\AIM6
2008-03-16 08:30:37 31 --ah----- C:\WINDOWS\uccspecc.sys
2008-03-06 09:08:30 0 d-------- C:\Program Files\Easy Internet signup
2008-02-25 22:59:38 0 d-------- C:\Program Files\Microsoft Money 2006
2008-02-25 22:59:38 0 d-------- C:\Program Files\Common Files
2008-02-12 02:17:44 0 d-------- C:\Program Files\DivX
2008-02-11 19:52:07 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-02-11 19:51:25 0 d-------- C:\Program Files\FaxTools
2008-02-11 19:51:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-11 19:49:32 0 d-------- C:\Program Files\Lexmark X1100 Series
2008-02-09 00:57:11 0 d-------- C:\Program Files\Common Files\Real
2008-02-09 00:57:01 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Real
2008-02-05 15:31:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 05:35:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 03:58:16 0 d-------- C:\Program Files\Java
2008-02-05 03:47:50 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Symantec
2008-02-05 03:47:37 0 d-------- C:\Program Files\Microsoft
2008-02-05 03:47:13 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Intuit
2008-02-05 03:47:11 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Apple Computer
2008-02-03 17:24:58 48320 --a----c- C:\Documents and Settings\Compaq_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-01-29 16:42:29 0 d-------- C:\Program Files\MSECache
2008-01-28 17:51:36 0 d-------- C:\Program Files\MySQL
2008-01-27 21:43:03 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\GetRightToGo
2008-01-04 17:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 17:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 17:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 17:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-04 17:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 10:04 PM]
"PCDrProfiler"="" []
"SMSERIAL"="sm56hlpr.exe" [01/24/2005 05:56 AM C:\WINDOWS\sm56hlpr.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [05/10/2005 08:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03/28/2003 10:18 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/18/2008 04:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"Aim6"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- End of Deckard's System Scanner: finished at 2008-03-21 19:21:25 ------------


It seems like its running faster, and there is no drain on the RAM by IE.exe. If there's anything I need to do, please let me know. Again, thanks a lot for your help and your time in dealing with this problem.

HOTSHOTVZ
  • 0

#8
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Looking much better!

Run OTMoveIt2 again:
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\2f0f91a0-217bb9c4
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\55\265b8ef7-1325a252
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc131.exe
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc133.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll
D:\I386\Apps\APP20301\src\HPSummer2005.exe
C:\NoLopBackups
C:\Program Files\BitDownload
C:\Program Files\Viewpoint
C:\Program Files\LimeWire
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download and scan with SUPERAntiSypware Free for Home Users
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post me the log for OTMoveIt and SUPERAntiSypware in your next reply, then, I think we'll be ready to clean up.

Regards,
RatHat
  • 0

#9
hotshotvz

hotshotvz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
UPDATED OTM

[Custom Input]
< C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\2f0f91a0-217bb9c4 >
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\2f0f91a0-217bb9c4 moved successfully.
< C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\55\265b8ef7-1325a252 >
C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\55\265b8ef7-1325a252 moved successfully.
< C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc131.exe >
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc131.exe moved successfully.
< C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc133.exe >
C:\RECYCLER\S-1-5-21-2050236671-1330105122-2501854101-1008\Dc133.exe moved successfully.
< C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll >
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll unregistered successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll moved successfully.
< D:\I386\Apps\APP20301\src\HPSummer2005.exe >
D:\I386\Apps\APP20301\src\HPSummer2005.exe moved successfully.
< C:\NoLopBackups >
C:\NoLopBackups moved successfully.
< C:\Program Files\BitDownload >
C:\Program Files\BitDownload moved successfully.
< C:\Program Files\Viewpoint >
C:\Program Files\Viewpoint\Viewpoint Toolbar V35\images moved successfully.
C:\Program Files\Viewpoint\Viewpoint Toolbar V35\back_to_toolbar moved successfully.
C:\Program Files\Viewpoint\Viewpoint Toolbar V35 moved successfully.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images moved successfully.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData moved successfully.
C:\Program Files\Viewpoint\Viewpoint Manager moved successfully.
C:\Program Files\Viewpoint moved successfully.
< C:\Program Files\LimeWire >
C:\Program Files\LimeWire\lib moved successfully.
C:\Program Files\LimeWire moved successfully.
< C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire >
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\xml\schemas moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\xml\misc moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\xml\data moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\xml moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\themes\windows_theme moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\themes moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\.NetworkShare moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire\.AppSpecialShare moved successfully.
C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_224828

SUPER ANTISPYWARE

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/21/2008 at 11:41 PM

Application Version : 4.0.1154

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 00:47:21

Memory items scanned : 358
Memory threats detected : 0
Registry items scanned : 5586
Registry threats detected : 0
File items scanned : 103549
File threats detected : 17

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\[email protected][2].txt

Adware.Best Offers Network
C:\WINDOWS\tboninst.cfg

Adware.k8l
C:\PROGRAM FILES\MICROSOFT FRONTPAGE\RTEPRELY.HTML

Trojan.SmitFraud Variant
C:\WINDOWS\WALLP2.EXE
  • 0

#10
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Let's make sure the file SAS found are gone.

Run OTMoveIt2 again:
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\tboninst.cfg
C:\PROGRAM FILES\MICROSOFT FRONTPAGE\RTEPRELY.HTML
C:\WINDOWS\WALLP2.EXE


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply, along with a fresh DSS log.

Regards,
RatHat
  • 0

#11
hotshotvz

hotshotvz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
UPDATED OTM

[Custom Input]
< C:\WINDOWS\tboninst.cfg >
File/Folder C:\WINDOWS\tboninst.cfg not found.
< C:\PROGRAM FILES\MICROSOFT FRONTPAGE\RTEPRELY.HTML >
File/Folder C:\PROGRAM FILES\MICROSOFT FRONTPAGE\RTEPRELY.HTML not found.
< C:\WINDOWS\WALLP2.EXE >
File/Folder C:\WINDOWS\WALLP2.EXE not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_235925

UPDATED DSS

Deckard's System Scanner v20071014.68
Run by Compaq_Administrator on 2008-03-22 00:00:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Compaq_Administrator.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:18 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\COMPAQ~1.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...arm1=seconduser
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...ploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5559 bytes

-- Files created between 2008-02-22 and 2008-03-22 -----------------------------

2008-03-21 22:50:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-21 22:50:46 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-21 22:50:46 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2008-03-21 17:18:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-21 17:18:54 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-21 14:59:29 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2008-03-21 14:59:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 14:59:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 13:26:32 19805 -ra------ C:\WINDOWS\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
2008-03-18 16:59:23 0 d-------- C:\Program Files\QuickTime
2008-03-18 12:02:30 0 d-------- C:\Program Files\Trend Micro
2008-03-17 19:56:03 0 d-------- C:\spoolerlogs
2008-03-16 08:30:37 0 d-------- C:\WINDOWS\Cache
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\TVU Networks
2008-03-15 11:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-03-07 18:21:40 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\LEGO Company
2008-03-07 18:21:33 0 d-------- C:\Program Files\LEGO Company
2008-03-06 12:02:20 0 d---s---- C:\Documents and Settings\Compaq_Administrator\%USERPROFILE% <%USERP~1>
2008-03-06 03:46:00 0 d--hs---- C:\WINDOWS\system32\%USERPROFILE% <%USERP~1>
2008-02-22 12:06:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-03-21 22:50:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 10:25:57 0 d-------- C:\Program Files\AIM6
2008-03-16 08:30:37 31 --ah----- C:\WINDOWS\uccspecc.sys
2008-03-06 09:08:30 0 d-------- C:\Program Files\Easy Internet signup
2008-02-25 22:59:38 0 d-------- C:\Program Files\Microsoft Money 2006
2008-02-25 22:59:38 0 d-------- C:\Program Files\Common Files
2008-02-12 02:17:44 0 d-------- C:\Program Files\DivX
2008-02-11 19:52:07 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-02-11 19:51:25 0 d-------- C:\Program Files\FaxTools
2008-02-11 19:51:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-11 19:49:32 0 d-------- C:\Program Files\Lexmark X1100 Series
2008-02-09 00:57:11 0 d-------- C:\Program Files\Common Files\Real
2008-02-09 00:57:01 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Real
2008-02-05 05:35:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 03:58:16 0 d-------- C:\Program Files\Java
2008-02-05 03:47:50 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Symantec
2008-02-05 03:47:37 0 d-------- C:\Program Files\Microsoft
2008-02-05 03:47:13 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Intuit
2008-02-05 03:47:11 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Apple Computer
2008-02-03 17:24:58 48320 --a----c- C:\Documents and Settings\Compaq_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-01-29 16:42:29 0 d-------- C:\Program Files\MSECache
2008-01-28 17:51:36 0 d-------- C:\Program Files\MySQL
2008-01-27 21:43:03 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\GetRightToGo
2008-01-04 17:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 17:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 17:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 17:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-04 17:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-01-04 17:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 10:04 PM]
"PCDrProfiler"="" []
"SMSERIAL"="sm56hlpr.exe" [01/24/2005 05:56 AM C:\WINDOWS\sm56hlpr.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [05/10/2005 08:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 09:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03/28/2003 10:18 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/18/2008 04:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 PM]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- End of Deckard's System Scanner: finished at 2008-03-22 00:00:37 ------------
  • 0

#12
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hey there,

OK! Well done, your log is clean again! :)

The first thing we need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now lets Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, lets reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy compliment each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next lets look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


On to personal Anti Virus programs. One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vunerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
  • 0

#13
hotshotvz

hotshotvz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
I greatly appreciate your help, time, and recommendations. It seems as if IE.exe is running as normal and there are no more pop-ups. If I need to give you another update on how my computer is running in a couple of days, I'll be glad to do it. Again, thank you very much.

HOTSHOTVZ

Edited by hotshotvz, 21 March 2008 - 10:54 PM.

  • 0

#14
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP