Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

I think I am another member of the Trojandownloader.xs club [RESOLVED]

Started by liquidgold , Mar 28 2008 09:50 PM

This topic is locked

#1
liquidgold

Posted 28 March 2008 - 09:50 PM

New Member

Member
8 posts

I'm getting that dang yellow triangle on the bottom of my screen with attempts to make me buy spyware protection software. It looks like you all have good luck in getting this taken care of, so i thought i might come by and beg for help!

here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:03 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nprotect32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\xivedybi\lanelwbk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\rajcpefa.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Powered by Download Booster 5.0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D585EB0-96FE-419E-9BEB-7DB1557ACD13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [dxsetqyd] C:\WINDOWS\system32\rajcpefa.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [dmagsrad] C:\WINDOWS\system32\kvovanwd.exe
O4 - HKLM\..\Policies\Explorer\Run: [fsLsTIMqMn] C:\Documents and Settings\All Users\Application Data\xivedybi\lanelwbk.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://www.greetingc...ad/twophase.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://public.mappin...ds/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125424164234
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125424380593
O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://vpn2.uams.edu/ui/Axt.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong...timage30717.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E1FD0DCC-705B-4F61-B9EC-6E711F9B56FE} (Caymas Secure Connect) - https://vpn2.uams.ed...scinstaller.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O21 - SSODL: Bmpobtab - {C31AF9D4-DE12-4146-87C9-16B59F1A8649} - C:\WINDOWS\System32\sqlacsel.dll
O21 - SSODL: BootKernel - {b426098d-976b-4e6b-bfed-101900643c7d} - C:\WINDOWS\Installer\{b426098d-976b-4e6b-bfed-101900643c7d}\BootKernel.dll
O21 - SSODL: zip - {9cefe06e-3809-4aae-a23c-0064bdc69d21} - C:\WINDOWS\Installer\{9cefe06e-3809-4aae-a23c-0064bdc69d21}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protected Exchange (MainService) - Unknown owner - C:\WINDOWS\System32\nprotect32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 12326 bytes

thanks in advance for the help!

robbie

#2
liquidgold

Posted 28 March 2008 - 09:58 PM

New Member

Topic Starter
Member
8 posts

sorry, i forgot my uninstall log:

Ad-Aware 2007
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Aimersoft DVD to iPhone Converter(Build 1.0.19)
Aimersoft iPhone Converter Suite(Build 1.0.19)
Aimersoft iPhone Video Converter(Build 1.0.19)
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HYDRAVISION
ATI Multimedia Center 9.01
Canon CanoScan Toolbox 4.1
Caymas Secure Connect R2.5.4-150510
DAO
DirectShow Dump
DivX
DivX Converter
DivX Player
DivX Web Player
DVD Audio Extractor 4.3.0
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Platinum 3.1.0.8
Elecard XMuxer Pro
eMule
EPSON ESPR220 Reference Guide
EPSON Print CD
EPSON Printer Software
Four Winds Mah Jong 1.0 for Pocket PC 2002
Hard Disk Scrubber v2.1
HijackThis 2.0.2
Hotfix for Windows XP (KB909394)
Intel® Extreme Graphics Driver
iPAQ Web Registration
ISI ResearchSoft - Export Helper
iTunes
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 2
Java™ SE Runtime Environment 6 Update 1
Linksys Wireless-G PCI Network Adapter with SpeedBooster
Macromedia Shockwave Player
Magic ISO Maker v4.9 (build 0151)
Malwarebytes' Anti-Malware
MEDITECH Workstation4.x
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft Data Access Components KB870669
Microsoft Money 2005
Microsoft Office XP Standard
Mozilla Firefox (1.5.0.12)
MPEG Video Wizard 4.0.4 (12/2007)
mpeg-vcr 3.14.4.1 (12/2007)
MSXML 4.0 SP2 (KB936181)
Nero 8
neroxml
Nostalgia, an Intellivision Emulator
RealPlayer
Reference Manager 11
Retoucher
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Send to smugmug
SmartSoft Video Converter
Sonic UDF Reader
Sony USB Driver
Spybot - Search & Destroy
STOIK RedEye AutoFix
TiVo Desktop
TMPGEnc DVD Author 3 with DivX Authoring
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VCRedistSetup
VideoReDo/Plus Version 2.5.6.512
VOB2MPG 2.5
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB888656
Windows Media Player 10 Hotfix - KB894476
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Wireless-B PCI Adapter WLAN Monitor
XPSecurity 2004c
XviD MPEG-4 Video Codec

#3
Rorschach112

Posted 30 March 2008 - 02:01 PM

Ralphie

Retired Staff
47,710 posts

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#4
liquidgold

Posted 30 March 2008 - 02:58 PM

New Member

Topic Starter
Member
8 posts

thanks for helping me with this! here is the smitfraud fix log:

SmitFraudFix v2.309

Scan done at 15:34:37.07, Sun 03/30/2008
Run from C:\Documents and Settings\Robbie Pesek\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\logo.gif Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{64CF959E-144F-47F8-BDE8-97C13D6A9777}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4E1655D-7A26-45ED-B1C4-C988EEE4190B}: DhcpNameServer=68.87.64.196 68.87.66.196
HKLM\SYSTEM\CS1\Services\Tcpip\..\{64CF959E-144F-47F8-BDE8-97C13D6A9777}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4E1655D-7A26-45ED-B1C4-C988EEE4190B}: DhcpNameServer=68.87.64.196 68.87.66.196
HKLM\SYSTEM\CS2\Services\Tcpip\..\{64CF959E-144F-47F8-BDE8-97C13D6A9777}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F4E1655D-7A26-45ED-B1C4-C988EEE4190B}: DhcpNameServer=68.87.64.196 68.87.66.196
HKLM\SYSTEM\CS3\Services\Tcpip\..\{64CF959E-144F-47F8-BDE8-97C13D6A9777}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F4E1655D-7A26-45ED-B1C4-C988EEE4190B}: DhcpNameServer=68.87.64.196 68.87.66.196
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Here are the logs from Dedkard System Scanner:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 766 MiB / 341.26 MiB
Pagefile Memory (total/avail): 1106.56 MiB / 780.94 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.59 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 24.89 GiB free.
D: is CDROM (No Media)
F: is Fixed (NTFS) - 233.76 GiB total, 22.18 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD800JB-00JJC0 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.5 GiB - C:

\\.\PHYSICALDRIVE1 - Maxtor 6 L250R0 USB Device - 233.76 GiB - 1 partition
\PARTITION0 - Installable File System - 233.76 GiB - F:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntivirusOverride is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Robbie Pesek\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ENGAGEMENT2002
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Robbie Pesek
LOGONSERVER=\\ENGAGEMENT2002
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;"C:\Program Files\Norton SystemWorks\Norton Ghost\";C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBBIE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROBBIE~1\LOCALS~1\Temp
USERDOMAIN=ENGAGEMENT2002
USERNAME=Robbie Pesek
USERPROFILE=C:\Documents and Settings\Robbie Pesek
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)
Robbie Pesek (admin)
Gina Drobena (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Help Center 2.1 --> MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Photoshop Elements 5.0 --> msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Aimersoft DVD to iPhone Converter(Build 1.0.19) --> "C:\Program Files\Aimersoft\iPhone Converter Suite\DVD2iPhone\unins000.exe"
Aimersoft iPhone Converter Suite(Build 1.0.19) --> "C:\Program Files\Aimersoft\iPhone Converter Suite\unins000.exe"
Aimersoft iPhone Video Converter(Build 1.0.19) --> "C:\Program Files\Aimersoft\iPhone Converter Suite\iPhoneVideoConverter\unins000.exe"
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EDE28287-D32C-415E-9C97-2BF9F9260150} /l1033
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Multimedia Center 9.01 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033
Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\Setup.exe" -l0x9 anything
Caymas Secure Connect R2.5.4-150510 --> C:\Program Files\Caymas\remove_csc.bat
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
DirectShow Dump --> MsiExec.exe /I{C559CCD6-E2B8-4C7B-9791-AB68F382F9C2}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Audio Extractor 4.3.0 --> "C:\Program Files\DVD Audio Extractor\unins000.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDFab Platinum 3.1.0.8 --> "C:\Program Files\DVDFab Platinum 3\unins000.exe"
Elecard XMuxer Pro --> "C:\Program Files\Elecard\Elecard XMuxer Pro\Uninstall.exe" "C:\Program Files\Elecard\Elecard XMuxer Pro\install.log" -u
eMule --> "C:\eMule\Uninstall.exe"
EPSON ESPR220 Reference Guide --> C:\Program Files\epson\guide\spr220_e\uninstall.exe
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\setup.exe" -l0x9 -SYSTEM
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Four Winds Mah Jong 1.0 for Pocket PC 2002 --> "C:\Program Files\Microsoft ActiveSync\4WindsPPC\4WPPC.exe" -uninstall
Hard Disk Scrubber v2.1 --> "C:\Program Files\HDSCRUB\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
iPAQ Web Registration --> MsiExec.exe /I{D37C6152-89DF-4D29-83CF-666200D5F398}
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
iTunes --> MsiExec.exe /I{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Linksys Wireless-G PCI Network Adapter with SpeedBooster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EAE4A00B-D290-4B65-8287-B82A80FC0619}\setup.exe" -l0x9
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Magic ISO Maker v4.9 (build 0151) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MEDITECH Workstation4.x --> "C:\Program Files\MEDITECH\MTAppDwn.exe" -uninstall "C:\Program Files\MEDITECH\Workstation4.x\Client.mtad"
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office XP Standard --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (1.5.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.12 (en-US)"
mpeg-vcr 3.14.4.1 (12/2007) --> C:\Program Files\Womble MPEG Editor\uninst.exe
MPEG Video Wizard 4.0.4 (12/2007) --> C:\Program Files\Womble Multimedia\MPEG Video Wizard\uninst.exe
Nero 8 --> MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nostalgia, an Intellivision Emulator --> "C:\WINDOWS\System32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\System32\SpoonUninstall-Nostalgia, an Intellivision Emulator.dat
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Reference Manager 11 --> MsiExec.exe /I{C0B0893D-6DA2-4F14-B1D0-3C0F1272B398}
Retoucher --> "C:\Program Files\AKVIS\Retoucher\Uninstall.exe" "C:\Program Files\AKVIS\Retoucher\install.log" -u
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Send to smugmug --> MsiExec.exe /I{536C8539-A8C2-4401-A4B0-C9906AEC2B09}
SmartSoft Video Converter --> "C:\Program Files\SmartSoftVideoConverter\unins000.exe"
Sonic UDF Reader --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
STOIK RedEye AutoFix --> MsiExec.exe /X{E9973764-69CF-4926-B976-519B15E7CF1F}
TiVo Desktop --> MsiExec.exe /X{4E839090-3B68-436A-B3CF-A2A08C38DD26}
TMPGEnc DVD Author 3 with DivX Authoring --> MsiExec.exe /I{3E9F2540-DD55-42FB-8EB6-5508EEC54013}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoReDo/Plus Version 2.5.6.512 --> "C:\Program Files\VideoReDoPlus\unins000.exe"
VOB2MPG 2.5 --> MsiExec.exe /I{78EFA95D-3310-4035-815B-A46BA4D0C6FA}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Wireless-B PCI Adapter WLAN Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C6956F3-B586-4674-BCD0-CCF7EC1DF766}\Setup.exe" -l0x9
XPSecurity 2004c --> "C:\Program Files\XPSecurity\unins000.exe"
XviD MPEG-4 Video Codec --> C:\Program Files\Aimersoft\iPhone Converter Suite\DVD2iPhone\unins000.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type115 / Success
Event Submitted/Written: 03/30/2008 03:39:18 PM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type112 / Error
Event Submitted/Written: 03/30/2008 03:12:16 PM
Event ID/Source: 1502 / Userenv
Event Description:
Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.

DETAIL - The process cannot access the file because it is being used by another process.

Event Record #/Type111 / Error
Event Submitted/Written: 03/30/2008 03:12:16 PM
Event ID/Source: 1508 / Userenv
Event Description:
Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by another process. for C:\Documents and Settings\Robbie Pesek\ntuser.dat

Event Record #/Type110 / Error
Event Submitted/Written: 03/30/2008 03:12:16 PM
Event ID/Source: 1502 / Userenv
Event Description:
Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.

DETAIL - The process cannot access the file because it is being used by another process.

Event Record #/Type109 / Error
Event Submitted/Written: 03/30/2008 03:12:15 PM / 03/30/2008 03:12:16 PM
Event ID/Source: 1508 / Userenv
Event Description:
Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by another process. for C:\Documents and Settings\Robbie Pesek\ntuser.dat

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type81587 / Warning
Event Submitted/Written: 03/30/2008 03:45:43 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ENGAGEMENT200227 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ENGAGEMENT200227 can't undo changes that you allow.

For more information please see the following:
%ENGAGEMENT2002275

Scan ID: {AED5F165-9A44-4D2C-AFF6-5F7A75ABF5E5}

User: ENGAGEMENT2002\Robbie Pesek

Name: %ENGAGEMENT2002271

ID: %ENGAGEMENT2002272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ENGAGEMENT2002276

Alert Type: %ENGAGEMENT2002278

Detection Type: 1.1.1593.02

Event Record #/Type81586 / Warning
Event Submitted/Written: 03/30/2008 03:45:43 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ENGAGEMENT200227 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ENGAGEMENT200227 can't undo changes that you allow.

For more information please see the following:
%ENGAGEMENT2002275

Scan ID: {95F60D4D-817F-4F76-B9A0-CA55EBE10798}

User: ENGAGEMENT2002\Robbie Pesek

Name: %ENGAGEMENT2002271

ID: %ENGAGEMENT2002272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ENGAGEMENT2002276

Alert Type: %ENGAGEMENT2002278

Detection Type: 1.1.1593.02

Event Record #/Type81585 / Warning
Event Submitted/Written: 03/30/2008 03:45:43 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ENGAGEMENT200227 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ENGAGEMENT200227 can't undo changes that you allow.

For more information please see the following:
%ENGAGEMENT2002275

Scan ID: {75987AD5-935E-4EC7-AFC9-49A37533697B}

User: ENGAGEMENT2002\Robbie Pesek

Name: %ENGAGEMENT2002271

ID: %ENGAGEMENT2002272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ENGAGEMENT2002276

Alert Type: %ENGAGEMENT2002278

Detection Type: 1.1.1593.02

Event Record #/Type81584 / Warning
Event Submitted/Written: 03/30/2008 03:45:41 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ENGAGEMENT200227 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ENGAGEMENT200227 can't undo changes that you allow.

For more information please see the following:
%ENGAGEMENT2002275

Scan ID: {79086104-6C4C-42DA-BA8F-95C5C542BBDC}

User: ENGAGEMENT2002\Robbie Pesek

Name: %ENGAGEMENT2002271

ID: %ENGAGEMENT2002272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ENGAGEMENT2002276

Alert Type: %ENGAGEMENT2002278

Detection Type: 1.1.1593.02

Event Record #/Type81583 / Warning
Event Submitted/Written: 03/30/2008 03:45:41 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ENGAGEMENT200227 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ENGAGEMENT200227 can't undo changes that you allow.

For more information please see the following:
%ENGAGEMENT2002275

Scan ID: {736F3F47-05D7-4B40-B6B3-CDE4FE198760}

User: ENGAGEMENT2002\Robbie Pesek

Name: %ENGAGEMENT2002271

ID: %ENGAGEMENT2002272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ENGAGEMENT2002276

Alert Type: %ENGAGEMENT2002278

Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2008-03-30 15:53:09 ------------

Deckard's System Scanner v20071014.68
Run by Robbie Pesek on 2008-03-30 15:41:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-03-30 21:41:06 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Robbie Pesek.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:44 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\xivedybi\lanelwbk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\rajcpefa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nprotect32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Robbie Pesek\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Robbie Pesek.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Powered by Download Booster 5.0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D585EB0-96FE-419E-9BEB-7DB1557ACD13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [dxsetqyd] C:\WINDOWS\system32\rajcpefa.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [fsLsTIMqMn] C:\Documents and Settings\All Users\Application Data\xivedybi\lanelwbk.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://www.greetingc...ad/twophase.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://public.mappin...ds/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125424164234
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125424380593
O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://vpn2.uams.edu/ui/Axt.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong...timage30717.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E1FD0DCC-705B-4F61-B9EC-6E711F9B56FE} (Caymas Secure Connect) - https://vpn2.uams.ed...scinstaller.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O21 - SSODL: Bmpobtab - {C31AF9D4-DE12-4146-87C9-16B59F1A8649} - C:\WINDOWS\System32\sqlacsel.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protected Exchange (MainService) - Unknown owner - C:\WINDOWS\System32\nprotect32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 11840 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe"%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD>
R1 GhPciScan (GhostPciScanner) - c:\program files\norton systemworks\norton ghost\ghpciscan.sys <Not Verified; Symantec Corporation; Symantec Ghost PCI Scanner>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 enodpl - c:\windows\system32\drivers\enodpl.sys
R2 tandpl - c:\windows\system32\drivers\tandpl.sys
R3 CymsVa (Caymas Secure Connect Virtual Adapter) - c:\windows\system32\drivers\cymsva.sys <Not Verified; Caymas Systems, Inc.; Caymas Systems Virtual Network Adapter>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S2 CINEMSUP (Software Cinemaster NT4.0 Driver) - c:\windows\system32\drivers\cinemsup.sys (file missing)
S3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys (file missing)
S3 basic2 - c:\windows\system32\drivers\basic2.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 CYMSPLG (Cyms DNE Plugin) - c:\program files\caymas\csc client\cymsplg\cymsplg.sys <Not Verified; Caymas Systems, Inc.; Caymas Systems Network Plugin>
S3 IPN2120 (Instant Wireless-B PCI Adapter Driver) - c:\windows\system32\drivers\lsipnds.sys <Not Verified; Inprocomm, Inc.; Driver for INPROCOMM IPN2120 Wireless LAN Cards>
S3 Rksample - c:\windows\system32\drivers\rksample.sys (file missing)
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)
S3 xbreader (MaxDrive XBox Driver (xbreader.sys)) - c:\windows\system32\drivers\xbreader.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor5.0 (Adobe Active File Monitor V5) - c:\program files\adobe\photoshop elements 5.0\photoshopelementsfileagent.exe
R2 MainService (Protected Exchange) - c:\windows\system32\nprotect32.exe
R2 NICSer_WMP11 - c:\program files\linksys\wmp11 config utility\nicserv.exe
R2 Speed Disk service - c:\progra~1\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>

S2 RoxLiveShare9 (LiveShare P2P Server 9) - "c:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe" (file missing)
S3 GhostStartService - c:\progra~1\norton~1\norton~2\ghosts~2.exe <Not Verified; Symantec Corporation; Norton Ghost Start Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-03-30 15:42:47 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-03-29 11:59:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-28 20:08:05 496 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2008-03-28 17:32:47 294 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job

-- Files created between 2008-02-29 and 2008-03-30 -----------------------------

2008-03-30 15:34:48 2452 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 22:48:57 0 d-------- C:\Program Files\Trend Micro
2008-03-28 18:25:10 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Malwarebytes
2008-03-28 18:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 18:24:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 17:23:21 0 d-------- C:\Program Files\Windows Defender
2008-03-28 17:15:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 21:09:34 0 d-------- C:\Program Files\MSXML 4.0
2008-03-26 22:47:52 0 d-------- C:\Documents and Settings\All Users\Application Data\xivedybi
2008-03-26 22:47:39 98304 --a------ C:\WINDOWS\system32\rajcpefa.exe
2008-03-26 22:09:14 51 --a------ C:\xmp.bat
2008-03-26 20:48:39 0 d-------- C:\WINDOWS\Prefetch
2008-03-26 17:13:25 0 d-------- C:\Program Files\DVD Audio Extractor
2008-03-26 17:06:29 0 d-------- C:\Program Files\mp3DirectCut
2008-03-25 20:41:17 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Media Player Classic
2008-03-25 19:09:24 0 d-------- C:\Program Files\AoA Audio Extractor
2008-03-25 18:00:57 0 d-------- C:\Program Files\BadgerIT
2008-03-24 17:48:02 408576 --a------ C:\WINDOWS\system32\Smab.dll
2008-03-24 17:47:55 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-03-24 17:47:52 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-03-24 17:47:39 66560 --a------ C:\WINDOWS\MOTA113.exe
2008-03-24 17:47:36 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-03-24 17:47:33 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-03-24 17:47:29 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-03-24 17:47:20 217073 --a------ C:\WINDOWS\meta4.exe
2008-03-24 17:47:09 0 d-------- C:\Program Files\AviSynth 2.5
2008-03-23 20:10:44 0 d-------- C:\Program Files\Womble Multimedia
2008-03-15 10:40:02 0 d-------- C:\Program Files\Musclesoft
2008-03-13 19:03:40 0 d-------- C:\Program Files\All Media Fixer
2008-03-12 18:29:27 0 d-------- C:\Program Files\Womble MPEG Editor
2008-03-09 22:12:06 0 d-------- C:\Program Files\Common Files\Elecard
2008-03-09 22:11:41 0 d-------- C:\Program Files\Elecard
2008-03-09 20:18:06 0 d-------- C:\WINDOWS\C0B0893D6DA24F14B1D03C0F1272B398.TMP

-- Find3M Report ---------------------------------------------------------------

2008-03-30 13:54:14 0 d-------- C:\Program Files\EPSON Print CD
2008-03-28 17:15:59 0 d-------- C:\Program Files\Lavasoft
2008-03-28 17:12:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 07:09:48 0 d-------- C:\Program Files\Messenger
2008-03-26 18:00:32 0 d-------- C:\Program Files\Movie Maker
2008-03-25 20:22:01 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Apple Computer
2008-03-25 19:56:22 0 d-------- C:\Program Files\QuickTime
2008-03-25 18:49:26 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\VideoReDoPlus
2008-03-14 16:54:06 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\AdobeUM
2008-03-09 23:04:34 0 d-------- C:\Program Files\Common Files\Nero
2008-03-09 22:12:06 0 d-------- C:\Program Files\Common Files
2008-03-09 20:32:00 0 d-------- C:\Program Files\Sony
2008-03-09 20:30:48 0 d-------- C:\Program Files\SopCast
2008-03-09 20:30:41 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-09 20:24:53 0 d-------- C:\Program Files\Yahoo!
2008-03-07 22:42:21 120 --a------ C:\Documents and Settings\Robbie Pesek\Application Data\FixVTS.ini
2008-02-22 18:23:02 0 d-------- C:\Program Files\Norton SystemWorks
2008-02-16 22:50:59 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Adobe
2008-02-15 22:51:35 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\uTorrent
2008-02-05 22:53:16 120 --a------ C:\drmHeader.bin
2008-01-15 17:28:32 25 --a------ C:\WINDOWS\°®`version
2008-01-13 13:06:14 292864 --a------ C:\WINDOWS\system32\jobasbi.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D585EB0-96FE-419E-9BEB-7DB1557ACD13}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/24/2004 02:57 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/14/2007 10:00 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [09/14/2006 07:55 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [08/25/2006 11:11 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/25/2006 11:11 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/15/2005 06:44 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [12/13/2007 07:10 PM]
"dxsetqyd"="C:\WINDOWS\system32\rajcpefa.exe" [03/26/2008 10:47 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Robbie Pesek\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 9:50:56 AM]
HotSync Manager.LNK - C:\Program Files\Sony Handheld\HOTSYNC.EXE [10/10/2002 7:13:33 PM]
Norton System Doctor.LNK - C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE [1/28/2004 4:39:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 9:50:56 AM]
Exif Launcher.lnk - C:\Program Files\Exif Launcher\QuickDCF.exe [10/3/2002 7:09:29 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [1/23/2004 12:22:13 PM]
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [9/21/2005 7:23:15 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"fsLsTIMqMn"=C:\Documents and Settings\All Users\Application Data\xivedybi\lanelwbk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Bmpobtab"= {C31AF9D4-DE12-4146-87C9-16B59F1A8649} - C:\WINDOWS\System32\sqlacsel.dll [07/05/2006 04:46 AM 847872]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KaZaA Media Desktop]
C:\Program Files\KaZaA\kazaa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XupiterStartup]
C:\Program Files\Xupiter\XupiterStartup2003.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88946e02-be48-11d8-860f-806d6172696f}]
play\command- "C:\Program Files\iTunes\iTunes.exe" /playCD "%L"

*Newly Created Service* - GTNDIS5

-- End of Deckard's System Scanner: finished at 2008-03-30 15:53:09 ------------

#5
Rorschach112

Posted 30 March 2008 - 03:19 PM

Ralphie

Retired Staff
47,710 posts

Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum

Click on "New Topic"
Put your name, e-mail address, and this as the title: "C:\WINDOWS\System32\sqlacsel.dll
"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to this file:
- C:\WINDOWS\System32\sqlacsel.dll
Click Open.
Click Post.

Thank you!

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {3D585EB0-96FE-419E-9BEB-7DB1557ACD13} - (no file)
O4 - HKCU\..\Run: [dxsetqyd] C:\WINDOWS\system32\rajcpefa.exe
O4 - HKLM\..\Policies\Explorer\Run: [fsLsTIMqMn] C:\Documents and Settings\All Users\Application Data\xivedybi\lanelwbk.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: Bmpobtab - {C31AF9D4-DE12-4146-87C9-16B59F1A8649} - C:\WINDOWS\System32\sqlacsel.dll

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\rajcpefa.exe
C:\xmp.bat
C:\WINDOWS\system32\jobasbi.dll
C:\Documents and Settings\All Users\Application Data\xivedybi
C:\WINDOWS\System32\sqlacsel.dll
C:\Program Files\Xupiter

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
purity
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XupiterStartup
```
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Reboot and post a new DSS log

#6
liquidgold

Posted 30 March 2008 - 06:12 PM

New Member

Topic Starter
Member
8 posts

here is the OT Move It Log. It is actually the second log because I accidently pasted an extra word into Move It and it froze. The files that are not found now, previously said "successfully moved". i also posted the .dll file as you asked.

File/Folder C:\WINDOWS\system32\rajcpefa.exe not found.
File/Folder C:\xmp.bat not found.
File/Folder C:\WINDOWS\system32\jobasbi.dll not found.
File/Folder C:\Documents and Settings\All Users\Application Data\xivedybi not found.
LoadLibrary failed for C:\WINDOWS\System32\sqlacsel.dll
C:\WINDOWS\System32\sqlacsel.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\sqlacsel.dll scheduled to be moved on reboot.
File/Folder C:\Program Files\Xupiter not found.
[Custom Input]
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XupiterStartup >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XupiterStartup\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03302008_183852

here is my new Dedkard System Scanner Log:

Deckard's System Scanner v20071014.68
Run by Robbie Pesek on 2008-03-30 19:00:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Robbie Pesek.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:52 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nprotect32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Documents and Settings\Robbie Pesek\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ROBBIE~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Powered by Download Booster 5.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://www.greetingc...ad/twophase.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://public.mappin...ds/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125424164234
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125424380593
O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://vpn2.uams.edu/ui/Axt.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong...timage30717.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E1FD0DCC-705B-4F61-B9EC-6E711F9B56FE} (Caymas Secure Connect) - https://vpn2.uams.ed...scinstaller.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protected Exchange (MainService) - Unknown owner - C:\WINDOWS\System32\nprotect32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 11193 bytes

-- Files created between 2008-02-29 and 2008-03-30 -----------------------------

2008-03-30 15:34:48 2452 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 22:48:57 0 d-------- C:\Program Files\Trend Micro
2008-03-28 18:25:10 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Malwarebytes
2008-03-28 18:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 18:24:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 17:23:21 0 d-------- C:\Program Files\Windows Defender
2008-03-28 17:15:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 21:09:34 0 d-------- C:\Program Files\MSXML 4.0
2008-03-26 20:48:39 0 d-------- C:\WINDOWS\Prefetch
2008-03-26 17:13:25 0 d-------- C:\Program Files\DVD Audio Extractor
2008-03-26 17:06:29 0 d-------- C:\Program Files\mp3DirectCut
2008-03-25 20:41:17 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Media Player Classic
2008-03-25 19:09:24 0 d-------- C:\Program Files\AoA Audio Extractor
2008-03-25 18:00:57 0 d-------- C:\Program Files\BadgerIT
2008-03-24 17:48:02 408576 --a------ C:\WINDOWS\system32\Smab.dll
2008-03-24 17:47:55 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-03-24 17:47:52 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-03-24 17:47:39 66560 --a------ C:\WINDOWS\MOTA113.exe
2008-03-24 17:47:36 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-03-24 17:47:33 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-03-24 17:47:29 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-03-24 17:47:20 217073 --a------ C:\WINDOWS\meta4.exe
2008-03-24 17:47:09 0 d-------- C:\Program Files\AviSynth 2.5
2008-03-23 20:10:44 0 d-------- C:\Program Files\Womble Multimedia
2008-03-15 10:40:02 0 d-------- C:\Program Files\Musclesoft
2008-03-13 19:03:40 0 d-------- C:\Program Files\All Media Fixer
2008-03-12 18:29:27 0 d-------- C:\Program Files\Womble MPEG Editor
2008-03-09 22:12:06 0 d-------- C:\Program Files\Common Files\Elecard
2008-03-09 22:11:41 0 d-------- C:\Program Files\Elecard
2008-03-09 20:18:06 0 d-------- C:\WINDOWS\C0B0893D6DA24F14B1D03C0F1272B398.TMP

-- Find3M Report ---------------------------------------------------------------

2008-03-30 13:54:14 0 d-------- C:\Program Files\EPSON Print CD
2008-03-28 17:15:59 0 d-------- C:\Program Files\Lavasoft
2008-03-28 17:12:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 07:09:48 0 d-------- C:\Program Files\Messenger
2008-03-26 18:00:32 0 d-------- C:\Program Files\Movie Maker
2008-03-25 20:22:01 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Apple Computer
2008-03-25 19:56:22 0 d-------- C:\Program Files\QuickTime
2008-03-25 18:49:26 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\VideoReDoPlus
2008-03-14 16:54:06 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\AdobeUM
2008-03-09 23:04:34 0 d-------- C:\Program Files\Common Files\Nero
2008-03-09 22:12:06 0 d-------- C:\Program Files\Common Files
2008-03-09 20:32:00 0 d-------- C:\Program Files\Sony
2008-03-09 20:30:48 0 d-------- C:\Program Files\SopCast
2008-03-09 20:30:41 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-09 20:24:53 0 d-------- C:\Program Files\Yahoo!
2008-03-07 22:42:21 120 --a------ C:\Documents and Settings\Robbie Pesek\Application Data\FixVTS.ini
2008-02-22 18:23:02 0 d-------- C:\Program Files\Norton SystemWorks
2008-02-16 22:50:59 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Adobe
2008-02-15 22:51:35 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\uTorrent
2008-02-05 22:53:16 120 --a------ C:\drmHeader.bin
2008-01-16 12:10:26 13217 --a------ C:\WINDOWS\system32\avidoms.dll
2008-01-15 17:28:32 25 --a------ C:\WINDOWS\°®`version

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/24/2004 02:57 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/14/2007 10:00 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [09/14/2006 07:55 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [08/25/2006 11:11 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/25/2006 11:11 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/15/2005 06:44 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [12/13/2007 07:10 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Robbie Pesek\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 9:50:56 AM]
HotSync Manager.LNK - C:\Program Files\Sony Handheld\HOTSYNC.EXE [10/10/2002 7:13:33 PM]
Norton System Doctor.LNK - C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE [1/28/2004 4:39:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 9:50:56 AM]
Exif Launcher.lnk - C:\Program Files\Exif Launcher\QuickDCF.exe [10/3/2002 7:09:29 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [1/23/2004 12:22:13 PM]
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [9/21/2005 7:23:15 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KaZaA Media Desktop]
C:\Program Files\KaZaA\kazaa.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88946e02-be48-11d8-860f-806d6172696f}]
play\command- "C:\Program Files\iTunes\iTunes.exe" /playCD "%L"

*Newly Created Service* - GTNDIS5

-- End of Deckard's System Scanner: finished at 2008-03-30 19:06:40 ------------

#7
Rorschach112

Posted 30 March 2008 - 06:19 PM

Ralphie

Retired Staff
47,710 posts

Hello

Please run the OTMoveIt2 by OldTimer again.

Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\system32\avidoms.dll
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
purity
```
Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Reboot and post a new DSS log

#8
liquidgold

Posted 30 March 2008 - 10:08 PM

New Member

Topic Starter
Member
8 posts

I am using the Kaspersky Online scan, but it seems to be hung up at a file called "C:\I386\msobshel.htm". It has been churning for about 45 minutes now.

#9
Rorschach112

Posted 31 March 2008 - 05:09 AM

Ralphie

Retired Staff
47,710 posts

If it stays at that, do this instead

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Also post a new DSS log

#10
liquidgold

Posted 31 March 2008 - 07:44 AM

New Member

Topic Starter
Member
8 posts

i actually had tried malware's program before i posted. it also had problems with the same file and would hang for hours.

#11
Rorschach112

Posted 31 March 2008 - 08:05 AM

Ralphie

Retired Staff
47,710 posts

Ok go ahead and run DSS again and post the log

#12
liquidgold

Posted 31 March 2008 - 06:53 PM

New Member

Topic Starter
Member
8 posts

sorry it took so long, i gave kaspersky's scan another try, but it still got hung up, as well as malware. here is the most recent DSS log:

Deckard's System Scanner v20071014.68
Run by Robbie Pesek on 2008-03-31 19:44:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Robbie Pesek.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:32 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\nprotect32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robbie Pesek\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ROBBIE~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Powered by Download Booster 5.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://www.greetingc...ad/twophase.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://public.mappin...ds/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125424164234
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125424380593
O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://vpn2.uams.edu/ui/Axt.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong...timage30717.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos....plorer1_9us.cab
O16 - DPF: {E1FD0DCC-705B-4F61-B9EC-6E711F9B56FE} (Caymas Secure Connect) - https://vpn2.uams.ed...scinstaller.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protected Exchange (MainService) - Unknown owner - C:\WINDOWS\System32\nprotect32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 12091 bytes

-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-30 21:38:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 21:38:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-30 20:51:54 0 d-------- C:\WINDOWS\Offline Web Pages
2008-03-30 20:39:10 0 d-------- C:\WINDOWS\network diagnostic
2008-03-30 15:34:48 2452 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 22:48:57 0 d-------- C:\Program Files\Trend Micro
2008-03-28 18:25:10 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Malwarebytes
2008-03-28 18:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 18:24:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 17:23:21 0 d-------- C:\Program Files\Windows Defender
2008-03-28 17:15:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 21:09:34 0 d-------- C:\Program Files\MSXML 4.0
2008-03-26 20:48:39 0 d-------- C:\WINDOWS\Prefetch
2008-03-26 17:13:25 0 d-------- C:\Program Files\DVD Audio Extractor
2008-03-26 17:06:29 0 d-------- C:\Program Files\mp3DirectCut
2008-03-25 20:41:17 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Media Player Classic
2008-03-25 19:09:24 0 d-------- C:\Program Files\AoA Audio Extractor
2008-03-25 18:00:57 0 d-------- C:\Program Files\BadgerIT
2008-03-24 17:48:02 408576 --a------ C:\WINDOWS\system32\Smab.dll
2008-03-24 17:47:55 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-03-24 17:47:52 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-03-24 17:47:39 66560 --a------ C:\WINDOWS\MOTA113.exe
2008-03-24 17:47:36 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-03-24 17:47:33 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-03-24 17:47:29 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-03-24 17:47:20 217073 --a------ C:\WINDOWS\meta4.exe
2008-03-24 17:47:09 0 d-------- C:\Program Files\AviSynth 2.5
2008-03-23 20:10:44 0 d-------- C:\Program Files\Womble Multimedia
2008-03-15 10:40:02 0 d-------- C:\Program Files\Musclesoft
2008-03-13 19:03:40 0 d-------- C:\Program Files\All Media Fixer
2008-03-12 18:29:27 0 d-------- C:\Program Files\Womble MPEG Editor
2008-03-09 22:12:06 0 d-------- C:\Program Files\Common Files\Elecard
2008-03-09 22:11:41 0 d-------- C:\Program Files\Elecard
2008-03-09 20:18:06 0 d-------- C:\WINDOWS\C0B0893D6DA24F14B1D03C0F1272B398.TMP

-- Find3M Report ---------------------------------------------------------------

2008-03-30 21:46:54 0 d-------- C:\Program Files\EPSON Print CD
2008-03-28 17:15:59 0 d-------- C:\Program Files\Lavasoft
2008-03-28 17:12:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 07:09:48 0 d-------- C:\Program Files\Messenger
2008-03-26 18:00:32 0 d-------- C:\Program Files\Movie Maker
2008-03-25 20:22:01 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Apple Computer
2008-03-25 19:56:22 0 d-------- C:\Program Files\QuickTime
2008-03-25 18:49:26 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\VideoReDoPlus
2008-03-14 16:54:06 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\AdobeUM
2008-03-09 23:04:34 0 d-------- C:\Program Files\Common Files\Nero
2008-03-09 22:12:06 0 d-------- C:\Program Files\Common Files
2008-03-09 20:32:00 0 d-------- C:\Program Files\Sony
2008-03-09 20:30:48 0 d-------- C:\Program Files\SopCast
2008-03-09 20:30:41 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-09 20:24:53 0 d-------- C:\Program Files\Yahoo!
2008-03-07 22:42:21 120 --a------ C:\Documents and Settings\Robbie Pesek\Application Data\FixVTS.ini
2008-02-22 18:23:02 0 d-------- C:\Program Files\Norton SystemWorks
2008-02-16 22:50:59 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\Adobe
2008-02-15 22:51:35 0 d-------- C:\Documents and Settings\Robbie Pesek\Application Data\uTorrent
2008-02-05 22:53:16 120 --a------ C:\drmHeader.bin
2008-01-15 17:28:32 25 --a------ C:\WINDOWS\°®`version

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/24/2004 02:57 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/14/2007 10:00 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [09/14/2006 07:55 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [08/25/2006 11:11 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/25/2006 11:11 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/15/2005 06:44 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [12/13/2007 07:10 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Robbie Pesek\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 9:50:56 AM]
HotSync Manager.LNK - C:\Program Files\Sony Handheld\HOTSYNC.EXE [10/10/2002 7:13:33 PM]
Norton System Doctor.LNK - C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE [1/28/2004 4:39:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 9:50:56 AM]
Exif Launcher.lnk - C:\Program Files\Exif Launcher\QuickDCF.exe [10/3/2002 7:09:29 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [1/23/2004 12:22:13 PM]
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [9/21/2005 7:23:15 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KaZaA Media Desktop]
C:\Program Files\KaZaA\kazaa.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88946e02-be48-11d8-860f-806d6172696f}]
play\command- "C:\Program Files\iTunes\iTunes.exe" /playCD "%L"

*Newly Created Service* - GTNDIS5

-- End of Deckard's System Scanner: finished at 2008-03-31 19:50:33 ------------

#13
Rorschach112

Posted 01 April 2008 - 05:25 AM

Ralphie

Retired Staff
47,710 posts

Your logs are clean ! We need to do a few things

Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#14
liquidgold

Posted 01 April 2008 - 09:07 AM

New Member

Topic Starter
Member
8 posts

Thank you so much for your help!!! I have noticed that the little yellow triangle is gone!

#15
Rorschach112

Posted 01 April 2008 - 09:26 AM

Ralphie

Retired Staff
47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.