
Google redirect - ctl3dv2h.dll? [RESOLVED]


This topic is locked.

#1
ailongam (Member, 11 posts)
Hi, I am new to this forum. I'm having a problem with Google searches getting redirected. I think I've discovered the file causing the problem, but it has attached itself to a running process and will not delete. I cannot unlock the file and also tried delete on reboot with no success. I've run all types of anti-virus/anti-spam programs and they all indicate nothing found.

Thank you in advance for any help or suggestions you can offer!

Here is a HijackThis report (I've highlighted in red the potentially suspicious areas):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:37 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
O2 - BHO: (no name) - {2FC734B8-547F-43E9-B169-6A74220C0259} - C:\WINDOWS\system32\DivXd.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177605102515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177606220060
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - http://support.ninth...lers/voxacm.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll

--
End of file - 2698 bytes

Edited by ailongam, 06 April 2008 - 07:20 AM.

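A small triage script, added here as an example and not part of the thread or of HijackThis/DSS: it parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log together with the DSS "HijackThis Fixed Entries" backup list, and flags a DLL that is registered under both keys or that has already been fixed and come back, which is the pattern ctl3dv2h.dll shows in this thread. The sample lines are constructed from the log above; the regexes, function names and reason strings are the example's own.

```python
"""Correlate HijackThis autostart entries by file path (added example)."""
import re
from collections import defaultdict

# HijackThis line formats this example understands (regexes written for
# the lines as they appear in the thread's log, not HijackThis's own code).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)\s*$")
# DSS "HijackThis Fixed Entries" lines: backup id, then the original HJT line.
BACKUP_RE = re.compile(
    r"^backup-(?P<stamp>\d{8}-\d{6})-\d+ (?P<entry>O\d+ - .+)$")

DUAL = "same DLL registered as a BHO (O2) and as a Winlogon Notify package (O20)"
NAMELESS = "BHO registered with no name"


def _norm_path(path):
    """Lower-case the path and drop HijackThis's '(file missing)' suffix."""
    return path.replace("(file missing)", "").strip().lower()


def parse_hjt(log_text):
    """Map each referenced file path to the list of autostart registrations naming it."""
    entries = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            entries[_norm_path(m["path"])].append(
                {"kind": "O2", "name": m["name"], "clsid": m["clsid"]})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries[_norm_path(m["path"])].append({"kind": "O20", "name": m["key"]})
    return dict(entries)


def count_refixes(backup_text):
    """Count distinct HijackThis fix runs (by backup timestamp) that already removed
    an entry for each path; an entry that keeps returning is being re-created."""
    runs = defaultdict(set)
    for raw in backup_text.splitlines():
        m = BACKUP_RE.match(raw.strip())
        if not m:
            continue
        em = BHO_RE.match(m["entry"]) or NOTIFY_RE.match(m["entry"])
        if em:
            runs[_norm_path(em["path"])].add(m["stamp"])
    return {p: len(stamps) for p, stamps in runs.items()}


def triage(entries, refixes=None):
    """Return {path: [reasons]} for paths worth a closer look; clean paths are omitted."""
    refixes = refixes or {}
    findings = {}
    for path, regs in entries.items():
        kinds = {r["kind"] for r in regs}
        reasons = []
        if {"O2", "O20"} <= kinds:
            reasons.append(DUAL)
        if any(r["kind"] == "O2" and r["name"] == "(no name)" for r in regs):
            reasons.append(NAMELESS)
        n = refixes.get(path, 0)
        if n >= 2:
            reasons.append(f"fixed by HijackThis in {n} earlier runs and came back")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample input, taken from the lines quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
O2 - BHO: (no name) - {2FC734B8-547F-43E9-B169-6A74220C0259} - C:\WINDOWS\system32\DivXd.dll
O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
"""

SAMPLE_BACKUPS = r"""
backup-20080403-173642-344 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080403-173642-386 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080405-121835-507 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080405-232403-751 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
"""

if __name__ == "__main__":
    report = triage(parse_hjt(SAMPLE_LOG), count_refixes(SAMPLE_BACKUPS))
    for path, reasons in report.items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```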
#2
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello ailongam

Welcome to G2Go. :)
=====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
ailongam (Topic Starter, Member, 11 posts)
Hi kahdah. Thanks for the fast response.

I followed your instructions and here are the results:

main.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-06 11:55:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-04-06 15:55:25 UTC - RP17 - Deckard's System Scanner Restore Point
1: 2008-04-06 15:54:31 UTC - RP16 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:05 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
O2 - BHO: (no name) - {2FC734B8-547F-43E9-B169-6A74220C0259} - C:\WINDOWS\system32\DivXd.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177605102515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177606220060
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - http://support.ninth...lers/voxacm.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll

--
End of file - 2633 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\backups\) -----------------------------

backup-20080403-161031-182 O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
backup-20080403-173642-344 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080403-173642-386 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080403-173706-569 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080403-175627-781 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080403-175627-926 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080403-180712-621 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080403-180712-704 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080405-121835-507 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080405-121835-735 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080405-121926-325 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080405-121926-930 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080405-122010-729 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080405-122010-907 O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
backup-20080405-232403-751 O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
backup-20080406-111639-457 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080406-111639-481 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 jajwjfwn - c:\windows\system32\drivers\yvmpostn.dat
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_019D1028&REV_02\3&172E68DD&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_019D1028&REV_02\3&172E68DD&0&EF
Service:

Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1C660DD6&0&08F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-06 11:48:02 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-05 23:05:50 0 d-------- C:\Program Files\WinBatch
2008-04-05 23:03:58 0 d-------- C:\Documents and Settings\Owner\Application Data\WinBatch
2008-04-05 23:03:33 0 d-------- C:\Program Files\WinBatch_install
2008-04-05 18:59:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-05 18:59:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-05 18:47:28 1294 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 13:09:06 36373 --a------ C:\Program Files\ffunlock.exe
2008-04-05 13:05:21 25600 --a------ C:\Program Files\md5.exe
2008-04-05 12:11:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Desktopicon
2008-04-05 08:52:12 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-05 08:52:12 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-05 08:52:12 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-05 08:52:12 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-05 08:52:12 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-05 08:52:12 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-05 08:52:12 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-05 08:52:12 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-05 08:52:11 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-05 08:52:11 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-05 08:52:11 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-05 08:52:11 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-05 08:52:11 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-05 08:52:11 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-04 08:31:23 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-03 23:19:21 35072 --a------ C:\WINDOWS\system32\zecobgkc.dat
2008-04-03 23:19:21 36608 --a------ C:\WINDOWS\system32\tcqdkpgy.dat
2008-04-03 17:00:37 164 --a------ C:\install.dat
2008-04-03 16:10:31 0 d-------- C:\Program Files\backups
2008-04-03 14:20:38 0 d-------- C:\www.creativeconceptsinc.net
2008-04-03 13:39:35 486449 --a------ C:\Program Files\Fixwareout.exe
2008-04-03 11:29:32 0 d-------- C:\SmitfraudFix
2008-04-03 08:10:54 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-02 23:16:29 6491392 --a------ C:\WINDOWS\system32\dunmuqjn.dat
2008-04-02 23:16:28 42752 --a------ C:\WINDOWS\system32\hkbzsfzh.dat
2008-04-02 23:16:28 638208 --a------ C:\WINDOWS\system32\cjbhmtap.dat
2008-04-02 23:16:28 109824 --a------ C:\WINDOWS\system32\aalztiwl.dat
2008-04-02 22:42:45 0 d-------- C:\Program Files\Lavasoft
2008-04-02 22:42:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 22:14:10 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-02 22:14:09 20224 --a------ C:\WINDOWS\system32\drivers\yvmpostn.dat
2008-04-02 17:22:35 81920 --a------ C:\WINDOWS\system32\ctl3dv2h.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-02 17:22:17 0 d-------- C:\WINDOWS\system32\AppCert
2008-04-02 17:21:54 88064 --a------ C:\WINDOWS\system32\DivXd.dll
2008-03-29 20:23:58 0 d-------- C:\Program Files\SmartFTP Client
2008-03-29 20:23:38 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-03-28 20:13:22 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-03-28 20:13:22 0 d-------- C:\Program Files\Ipswitch
2008-03-28 20:07:14 0 d-------- C:\Documents and Settings\Owner\Application Data\SmartFTP
2008-03-11 16:53:04 0 d-------- C:\www.bannerexteriors.com
2008-03-10 07:30:31 313344 --a------ C:\Program Files\hjsplit.exe
2008-03-07 18:56:00 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-07 18:55:13 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads


-- Find3M Report ---------------------------------------------------------------

2008-04-06 11:56:05 2634 --a------ C:\Program Files\hijackthis.log
2008-04-05 22:43:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-05 22:42:46 0 d-------- C:\Program Files\Symantec
2008-04-05 15:37:40 0 d-------- C:\Program Files\NoAdware5.0
2008-04-05 13:08:45 36277 --a------ C:\Program Files\ffunlock.zip
2008-04-05 13:01:37 0 d-------- C:\Program Files\Common Files
2008-04-05 12:32:13 532480 --a------ C:\Program Files\cwshredder.exe <Not Verified; Trend Micro Incorporated; CWShredder>
2008-04-04 06:57:36 139160 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-03 22:08:21 0 d-------- C:\Program Files\Sound Forge
2008-04-02 22:54:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 13:10:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-22 00:05:03 0 d-------- C:\Program Files\DivX
2008-03-21 14:10:47 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-16 21:59:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-03-10 07:29:15 304957 --a------ C:\Program Files\hjsplit.zip
2008-03-07 18:55:39 335 --a------ C:\WINDOWS\nsreg.dat
2008-03-07 15:28:17 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-02-29 09:54:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2008-02-29 09:43:44 0 d-------- C:\Program Files\Google
2008-02-27 16:19:02 0 d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2008-02-21 07:40:32 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-17 08:45:50 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-02-15 18:17:33 0 d-------- C:\Documents and Settings\Owner\Application Data\vlc
2008-02-15 18:15:41 0 d-------- C:\Program Files\VideoLAN
2008-02-14 11:06:01 0 d-------- C:\Program Files\uTorrent
2008-02-08 10:50:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-25 15:25:28 100172 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F037D81-C739-4693-AB5B-A3A9679948FF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FC734B8-547F-43E9-B169-6A74220C0259}]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [12/20/2003 09:58 PM 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\trwvdinh]
ctl3dv2h.dll 04/05/2008 07:59 AM 81920 C:\WINDOWS\system32\ctl3dv2h.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopMenuStartUp exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PopMenuStartUp exe.lnk
backup=C:\WINDOWS\pss\PopMenuStartUp exe.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8og78sz65o]
C:\WINDOWS\system32\8og78sz65o.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPAMfighter Agent]
"C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"avg8wd"=2 (0x2)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
erxufzvj


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc2-28dd-11dc-99a1-001111bd5d90}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc4-28dd-11dc-99a1-001111bd5d90}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-04-06 11:57:06 ------------


extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 509.98 MiB / 300.16 MiB
Pagefile Memory (total/avail): 1248.75 MiB / 1089 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.45 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 71.7 GiB total, 32.95 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 71.7 GiB - C:
\PARTITION2 - Unknown - 2.75 GiB



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntivirusOverride is set.
FirewallOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=A2P
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\A2P
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=A2P
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
ACT! --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ACT\Uninst6.isu" -c"C:\Program Files\ACT\UNINSTAL.DLL"
Adobe Extension Manager CS3 --> C:\Program Files\Common Files\Adobe\Installers\c1dfd0398e272486e0e41acbed0d624\Setup.exe
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Premiere 6.0 --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{413D5495-AECA-4FA7-81A9-2300AECB7EFE}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AudioCatalyst --> C:\PROGRA~1\Xing\AUDIOC~1\UNINST~1.EXE C:\PROGRA~1\Xing\AUDIOC~1\install.log
Backup Dell-Installed Programs --> MsiExec.exe /X{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Corel Uninstaller --> C:\WINDOWS\COREL\UNINST32.EXE
CorelDRAW Graphics Suite X3 --> C:\Program Files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} C:\DOCUME~1\Owner\LOCALS~1\Temp\CGSX3.log
CorelDRAW Graphics Suite X3 --> MsiExec.exe /I{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD Region-Free 3.32 --> "C:\Program Files\DVD Region-Free\unins000.exe"
DVD Ripper 4 --> C:\Program Files\Xilisoft\DVD Ripper 4\Uninstall.exe
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EN --> MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FlashPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7E6CA4D-E79E-41A8-A633-8FB9BE3DB67C}\Setup.exe"
FLVDownload 1.0 --> "C:\Program Files\FLVDownload 1.0\unins000.exe"
FontNav --> MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\HijackThis.exe" /uninstall
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Dreamweaver 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\Setup.exe" mmUninstall
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Macromedia\Extension Manager\Extensions Manager Uninstaller.isu"
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{23AEBB83-CB47-4739-8A0C-92CC1E32AA2F}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Moyea FLV to Video Converter Pro version 1.25.2.0 --> "C:\Program Files\Moyea\FLV to Video Pro\unins000.exe"
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NoAdware v5.0 --> "C:\Program Files\NoAdware5.0\unins000.exe"
Office Export Wizard Addin --> MsiExec.exe /I{3BBCCEB1-BCC6-489E-86BE-450287B8B426}
PowerDVD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CyberLink\PowerDVD\Uninst.isu"
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Riva FLV Encoder 2.0 --> "C:\Program Files\Riva\Riva FLV Encoder 2.0\unins000.exe"
Safari --> MsiExec.exe /X{0CD7D421-C850-4271-8533-0269A3D39FAA}
ScreenPrint32 v3.5 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ScreenPrint32 v3\ST6UNST.LOG"
SmartFTP Client --> MsiExec.exe /I{6F23C1A3-9F62-470C-BD12-B83F04E67865}
SmartFTP Client 3.0 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 3.0 Setup Files\uninst-sftp.exe
Sound Forge 4.0 for Windows 95 and NT (x86) --> "C:\Program Files\Sound Forge\UNINST32.EXE" C:\WINDOWS\FORGE32.INI
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
SPAMfighter --> "C:\Program Files\SPAMfighter\uninstall.exe" Remove
TC Web Conferencing --> iwexec.exe /R {8EB39AA7-4019-4550-AF6C-BE51BB27B446}
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VBA --> MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Video Converter 3 --> C:\Program Files\Xilisoft\Video Converter 3\Uninstall.exe
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinBatch --> "C:\Program Files\WinBatch\System\uninstal.exe" 90 "C:\Program Files\WinBatch\System\WinBatch Setup.Log"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2406 / Error
Event Submitted/Written: 04/06/2008 08:44:51 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 9.0.0.3250, faulting module clvsd.ax, version 2.0.0.0, fault address 0x0001f615.
Processing media-specific event for [wmplayer.exe!ws!]

Event Record #/Type2348 / Error
Event Submitted/Written: 04/05/2008 08:31:35 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module ctl3dv2h.dll, version 5.1.2600.0, fault address 0x000039db.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type2324 / Error
Event Submitted/Written: 04/03/2008 04:55:24 AM
Event ID/Source: 490 / ESENT
Event Description:
wuauclt (532) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type2323 / Error
Event Submitted/Written: 04/03/2008 04:55:14 AM
Event ID/Source: 490 / ESENT
Event Description:
wuauclt (880) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type2322 / Error
Event Submitted/Written: 04/03/2008 04:55:03 AM
Event ID/Source: 490 / ESENT
Event Description:
wuauclt (3224) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1022 / Error
Event Submitted/Written: 04/05/2008 11:27:34 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error:
%%2

Event Record #/Type1021 / Error
Event Submitted/Written: 04/05/2008 11:27:27 PM
Event ID/Source: 104 / SRService
Event Description:
The System Restore initialization process failed.

Event Record #/Type1018 / Error
Event Submitted/Written: 04/05/2008 11:26:31 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type933 / Warning
Event Submitted/Written: 04/05/2008 10:44:43 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "SAS window"

Event Record #/Type932 / Warning
Event Submitted/Written: 04/05/2008 10:44:42 PM / 04/05/2008 10:44:43 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.



-- End of Deckard's System Scanner: finished at 2008-04-06 11:57:06 ------------

#4 kahdah (GeekU Teacher, Retired Staff)
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click ComboFix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 ailongam (Topic Starter)
ComboFix report:

ComboFix 08-04-06.1 - Owner 2008-04-06 21:45:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.296 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\ctl3dv2h.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_erxufzvj
-------\Legacy_erxufzvj
-------\erxufzvj


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 11:56 . 2008-04-03 15:57 401,720 --a------ C:\Program Files\Owner.exe
2008-04-06 11:55 . 2008-04-06 11:55 <DIR> d-------- C:\Deckard
2008-04-05 23:05 . 2008-04-05 23:10 <DIR> d-------- C:\Program Files\WinBatch
2008-04-05 23:03 . 2008-04-05 23:10 <DIR> d-------- C:\Program Files\WinBatch_install
2008-04-05 23:03 . 2008-04-05 23:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinBatch
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-05 18:59 . 2008-04-05 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-05 18:59 . 2008-04-05 18:59 260 --a------ C:\WINDOWS\_delis32.ini
2008-04-05 18:47 . 2008-04-05 18:47 1,294 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 13:09 . 2006-10-18 15:53 36,373 --a------ C:\Program Files\ffunlock.exe
2008-04-05 13:08 . 2008-04-05 13:08 36,277 --a------ C:\Program Files\ffunlock.zip
2008-04-05 13:05 . 2005-05-25 13:17 25,600 --a------ C:\Program Files\md5.exe
2008-04-05 12:11 . 2008-04-05 12:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Desktopicon
2008-04-03 23:19 . 2008-04-03 23:19 36,608 --a------ C:\WINDOWS\system32\tcqdkpgy.dat
2008-04-03 23:19 . 2008-04-03 23:19 35,072 --a------ C:\WINDOWS\system32\zecobgkc.dat
2008-04-03 17:00 . 2008-04-03 17:00 164 --a------ C:\install.dat
2008-04-03 16:10 . 2008-04-06 11:16 <DIR> d-------- C:\Program Files\backups
2008-04-03 15:57 . 2008-04-03 15:57 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-04-03 14:20 . 2008-04-03 14:56 <DIR> d-------- C:\www.creativeconceptsinc.net
2008-04-03 13:39 . 2008-04-05 22:54 <DIR> d-------- C:\fixwareout
2008-04-03 13:39 . 2008-04-03 13:39 486,449 --a------ C:\Program Files\Fixwareout.exe
2008-04-03 11:29 . 2008-04-05 18:48 <DIR> d-------- C:\SmitfraudFix
2008-04-03 08:10 . 2008-04-03 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-02 23:16 . 2008-04-05 07:59 6,491,392 --a------ C:\WINDOWS\system32\dunmuqjn.dat
2008-04-02 23:16 . 2008-04-02 23:16 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-02 23:16 . 2008-04-02 23:16 638,208 --a------ C:\WINDOWS\system32\cjbhmtap.dat
2008-04-02 23:16 . 2008-04-02 23:16 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-02 23:16 . 2008-04-06 08:24 109,824 --a------ C:\WINDOWS\system32\aalztiwl.dat
2008-04-02 23:16 . 2008-04-02 23:16 42,752 --a------ C:\WINDOWS\system32\hkbzsfzh.dat
2008-04-02 22:42 . 2008-04-02 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-02 22:42 . 2008-04-03 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 22:14 . 2008-04-02 22:14 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-02 22:14 . 20,224 C:\WINDOWS\system32\drivers\yvmpostn.dat
2008-04-02 17:22 . 2008-04-06 21:49 81,920 --a------ C:\WINDOWS\system32\ctl3dv2h.dll
2008-04-02 17:21 . 2008-01-04 17:57 88,064 --a------ C:\WINDOWS\system32\DivXd.dll
2008-03-29 20:23 . 2008-03-29 20:23 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-03-29 20:23 . 2008-03-29 20:23 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-03-28 20:13 . 2008-03-28 20:13 <DIR> d-------- C:\Program Files\Ipswitch
2008-03-28 20:13 . 2005-02-28 12:37 606,293 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-03-28 20:13 . 2005-02-28 12:37 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-03-28 20:07 . 2008-03-28 20:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SmartFTP
2008-03-11 16:53 . 2008-04-04 20:05 <DIR> d-------- C:\www.bannerexteriors.com
2008-03-10 07:30 . 2007-02-01 18:02 313,344 --a------ C:\Program Files\hjsplit.exe
2008-03-10 07:29 . 2008-03-10 07:29 304,957 --a------ C:\Program Files\hjsplit.zip
2008-03-07 18:56 . 2008-03-07 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-07 18:55 . 2008-03-07 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-07 18:55 . 2008-03-07 18:55 29 --a------ C:\WINDOWS\atid.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 15:56 2,634 ----a-w C:\Program Files\hijackthis.log
2008-04-06 02:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-06 02:42 --------- d-----w C:\Program Files\Symantec
2008-04-05 19:37 --------- d-----w C:\Program Files\NoAdware5.0
2008-04-05 16:32 532,480 ----a-w C:\Program Files\cwshredder.exe
2008-04-04 10:57 139,160 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-04 02:08 --------- d-----w C:\Program Files\Sound Forge
2008-04-03 02:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-03 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 04:05 --------- d-----w C:\Program Files\DivX
2008-03-21 18:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-07 19:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-02-29 13:43 --------- d-----w C:\Program Files\Google
2008-02-29 13:42 13,413,048 ----a-w C:\Program Files\Google_Earth_BZXV.exe
2008-02-27 20:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2008-02-17 12:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2008-02-15 22:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-02-15 22:15 --------- d-----w C:\Program Files\VideoLAN
2008-02-14 15:06 --------- d-----w C:\Program Files\uTorrent
2008-02-08 14:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-25 19:14 16,398,632 ----a-w C:\Program Files\Safari304BetaSecUpdateSetup.exe
2008-01-23 20:02 11,034,456 ----a-w C:\Program Files\gm5f_setup.exe
2007-11-30 21:14 3,961,790 ----a-w C:\Program Files\flashpoint.exe
2007-11-30 17:45 37,418,496 ----a-w C:\Program Files\camtasia.msi
2007-11-30 16:52 6,018,149 ----a-w C:\Program Files\PowerPoint-Flash-free-converter-download.exe
2007-11-30 15:13 23,510,720 ----a-w C:\Program Files\dotnetfx.exe
2007-11-30 14:25 1,941,504 ----a-w C:\Program Files\officetohtmlwizard.exe
2007-08-13 02:46 10,469,123 ----a-w C:\Program Files\FLV2Video_Setup.exe
2007-08-13 02:44 4,960,221 ----a-w C:\Program Files\RivaEncoderSetup.exe
2007-08-13 02:43 2,654,861 ----a-w C:\Program Files\KeepVFlashConverterSetup.exe
2007-07-01 14:31 1,420,928 ----a-w C:\Program Files\spamfighter_web.exe
2007-05-02 11:07 1,035,271 ----a-w C:\Program Files\wrar362.exe
2007-04-26 20:34 3,973,023 ----a-w C:\Program Files\xillisoft_dvdripper4.exe
2007-04-26 20:33 14,814,288 ----a-w C:\Program Files\xillisoft_converter3.exe
2007-04-24 00:32 3,478,790 ----a-w C:\Program Files\WebConferencePlugin.exe
2007-04-11 20:57 6,006,832 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-03-21 04:10 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-03-14 17:01 1,241,914 ----a-w C:\Program Files\DVDRegionFree59.exe
2007-01-25 22:04 1,902,704 ----a-w C:\Program Files\noadware.exe
2006-11-09 12:55 15,521,072 ----a-w C:\Program Files\IE7-WindowsXP-x86-enu.exe
2006-11-02 19:04 2,747,632 ----a-w C:\Program Files\cdlabel.exe
2006-10-18 19:54 3,454 ----a-w C:\Program Files\license.txt
2006-08-15 16:55 55 ----a-w C:\Program Files\DVDPATH.TXT
2006-05-30 18:02 2,805,203 ----a-w C:\Program Files\sprint32.zip
2005-05-25 22:35 2,751 ----a-w C:\Program Files\dellater.asm
2004-07-26 08:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2004-03-06 22:20 718,010 ----a-w C:\Program Files\DVDRegionFree33.exe
2004-03-06 22:20 241 ----a-w C:\Program Files\DVDRegionFree.REG
2004-02-20 21:44 490,608 ----a-w C:\Program Files\ie6setup.exe
2004-01-06 22:02 147,968 ----a-w C:\Program Files\QuickTimeUpdater.exe
2002-04-20 00:15 61 ----a-w C:\Program Files\adobe photoshop 7.0 serial.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F037D81-C739-4693-AB5B-A3A9679948FF}]
2008-04-06 21:49 81920 --a------ c:\windows\system32\ctl3dv2h.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FC734B8-547F-43E9-B169-6A74220C0259}]
2008-01-04 17:57 88064 --a------ C:\WINDOWS\system32\DivXd.dll

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 09:04 54936]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-12-20 21:58 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopMenuStartUp exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PopMenuStartUp exe.lnk
backup=C:\WINDOWS\pss\PopMenuStartUp exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8og78sz65o]
C:\WINDOWS\system32\8og78sz65o.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 06:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
--a------ 2003-05-15 20:36 446464 C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 14:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPAMfighter Agent]
--a------ 2007-06-25 15:03 481424 C:\Program Files\SPAMfighter\SFAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 jajwjfwn;jajwjfwn;C:\WINDOWS\system32\drivers\yvmpostn.dat []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc2-28dd-11dc-99a1-001111bd5d90}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc4-28dd-11dc-99a1-001111bd5d90}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 01:52:32 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 21:52:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn]
"ImagePath"="system32\drivers\yvmpostn.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
Completion time: 2008-04-06 21:59:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 01:59:04
Pre-Run: 35,332,247,552 bytes free
Post-Run: 35,289,468,928 bytes free
.
2008-04-03 14:25:31 --- E O F ---




HiJackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:08 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
O2 - BHO: (no name) - {2FC734B8-547F-43E9-B169-6A74220C0259} - C:\WINDOWS\system32\DivXd.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177605102515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177606220060
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - http://support.ninth...lers/voxacm.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll

--
End of file - 2843 bytes
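The ComboFix and HijackThis logs above show one DLL (ctl3dv2h.dll) registered both as an unnamed O2 BHO and as an O20 Winlogon Notify handler, a service (jajwjfwn) whose image is a .dat file under drivers, both Security Center override values set, the firewall switched off, and a batch of eight-lowercase-letter .dat names in system32. The triage script below is an added example, not from this thread and not part of ComboFix, HijackThis or DSS, that parses lines in those two log formats and flags exactly these patterns. The sample lines are a constructed excerpt copied from the logs posted above; the rule set, the regular expressions and the names are my own assumptions.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # which rule fired
    path: str    # file, registry value or key the finding concerns
    line: str    # the raw log line ("" for findings derived from several lines)


# Constructed excerpt: lines copied from the ComboFix and HijackThis logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F037D81-C739-4693-AB5B-A3A9679948FF} - c:\windows\system32\ctl3dv2h.dll
O2 - BHO: (no name) - {2FC734B8-547F-43E9-B169-6A74220C0259} - C:\WINDOWS\system32\DivXd.dll
O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
R0 jajwjfwn;jajwjfwn;C:\WINDOWS\system32\drivers\yvmpostn.dat []
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
2008-04-03 23:19 . 2008-04-03 23:19 36,608 --a------ C:\WINDOWS\system32\tcqdkpgy.dat
2008-04-02 23:16 . 2008-04-02 23:16 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-05 13:05 . 2005-05-25 13:17 25,600 --a------ C:\Program Files\md5.exe
"""

# Line shapes (my own regular expressions, written against the formats shown above).
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
NOTIFY_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$", re.I)
DRIVER_LINE = re.compile(r"^R[0-3] (?P<svc>[^;\s-][^;]*);[^;]*;(?P<path>[^\[]+?)\s*\[", re.I)
SEC_OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
CF_FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. .*? (?P<size>[\d,]+) \S+ (?P<path>[A-Za-z]:\\.+)$")
RANDOM_NAME = re.compile(r"\\([a-z]{8})\.(dat|dll|exe)$")   # eight lowercase letters, as in the log


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    load_points: dict[str, set[str]] = defaultdict(set)   # normalised path -> where it is loaded from
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_LINE.match(line):
            path = m["path"].strip()
            load_points[path.lower()].add("O2 BHO")
            if m["name"].strip() == "(no name)" and "\\system32\\" in path.lower():
                findings.append(Finding("unnamed BHO loaded from system32", path, line))
        elif m := NOTIFY_LINE.match(line):
            path = m["path"].strip()
            load_points[path.lower()].add("O20 Winlogon Notify")
            findings.append(Finding("third-party Winlogon Notify DLL", path, line))
        elif m := DRIVER_LINE.match(line):
            path = m["path"].strip()
            if not path.lower().endswith(".sys"):
                findings.append(Finding("kernel driver image is not a .sys file", path, line))
        elif SEC_OVERRIDE.match(line):
            findings.append(Finding("Security Center alert suppressed", line.split("=")[0].strip('"'), line))
        elif FIREWALL_OFF.match(line):
            findings.append(Finding("Windows Firewall disabled", "EnableFirewall", line))
        elif m := CF_FILE_LINE.match(line):
            path = m["path"].strip()
            if "\\system32\\" in path.lower() and RANDOM_NAME.search(path):
                findings.append(Finding("random eight-letter file name in system32", path, line))
    # A DLL wired into more than one load point is the strongest single indicator in this log.
    for path, points in load_points.items():
        if len(points) > 1:
            findings.append(Finding("same DLL at several load points: " + ", ".join(sorted(points)), path, ""))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview of a long log."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}")
```

On the excerpt this yields nine findings: the two unnamed BHOs, the Notify DLL, the .dat driver image, the two overrides, the disabled firewall, tcqdkpgy.dat, and the cross-reference showing ctl3dv2h.dll at both load points. The Adobe BHO is not flagged, and libeay32.dll is not caught by the random-name rule because its name contains digits; the rule is deliberately narrow to the pattern this log shows.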

#6 kahdah (GeekU Teacher, Retired Staff)
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

#7 ailongam (Topic Starter)
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#8 kahdah (GeekU Teacher, Retired Staff)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

Collect::
C:\WINDOWS\system32\ctl3dv2h.dll 
C:\Program Files\Owner.exe
C:\WINDOWS\_delis32.ini
C:\WINDOWS\system32\tcqdkpgy.dat
C:\WINDOWS\system32\zecobgkc.dat
C:\WINDOWS\system32\dunmuqjn.dat
C:\WINDOWS\system32\cjbhmtap.dat
C:\WINDOWS\system32\aalztiwl.dat
C:\WINDOWS\system32\hkbzsfzh.dat
C:\WINDOWS\system32\drivers\yvmpostn.dat
C:\WINDOWS\system32\DivXd.dll
C:\WINDOWS\system32\8og78sz65o.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F037D81-C739-4693-AB5B-A3A9679948FF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FC734B8-547F-43E9-B169-6A74220C0259}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8og78sz65o]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\trwvdinh]
Driver::
jajwjfwn

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)


#9 ailongam (Topic Starter)
Hi kahdah,

I followed your instructions, but after dragging the CFScript.txt into ComboFix.exe nothing happened... ComboFix started to load and the blue ComboFix window flashed up for a second and went away... I waited over 30 minutes with no results or progress.

#10 kahdah (GeekU Teacher, Retired Staff)
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
jajwjfwn

Files to delete:
C:\WINDOWS\system32\drivers\yvmpostn.dat
C:\WINDOWS\system32\ctl3dv2h.dll 
C:\Program Files\Owner.exe
C:\WINDOWS\_delis32.ini
C:\WINDOWS\system32\tcqdkpgy.dat
C:\WINDOWS\system32\zecobgkc.dat
C:\WINDOWS\system32\dunmuqjn.dat
C:\WINDOWS\system32\cjbhmtap.dat
C:\WINDOWS\system32\aalztiwl.dat
C:\WINDOWS\system32\hkbzsfzh.dat
C:\WINDOWS\system32\DivXd.dll
C:\WINDOWS\system32\8og78sz65o.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8og78sz65o
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\trwvdinh
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F037D81-C739-4693-AB5B-A3A9679948FF}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FC734B8-547F-43E9-B169-6A74220C0259}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HijackThis log.
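The CFScript in post #8 and the Avenger script in post #10 name the same targets in two syntaxes. Before a destructive script like either of these is run, a check worth doing is that every file, key and driver it lists actually appears in the evidence. The script below is an added example, not from this thread and not part of ComboFix or The Avenger, that parses both dialects and grades each target against an excerpt of the logs posted above: "listed on disk" when the scanner's file listing shows it, "referenced ... only" when nothing but a registry or autostart entry names it (which is all the ComboFix log shows for 8og78sz65o.exe), or "no evidence in log". It also reports a file whose size matches another listed file; in the ComboFix listing above, Owner.exe and HiJackThis.exe are both 401,720 bytes, and DSS's own header later in the thread says it runs HijackThis as Owner.exe, which is worth knowing before that file is collected. The excerpted log lines are copied from the thread; the dialect table, verdict strings and size heuristic are my own assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Removal script in the CFScript syntax from post #8 (shortened copy).
CFSCRIPT = r"""
KILLALL::

Collect::
C:\WINDOWS\system32\ctl3dv2h.dll
C:\Program Files\Owner.exe
C:\WINDOWS\system32\drivers\yvmpostn.dat
C:\WINDOWS\system32\8og78sz65o.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F037D81-C739-4693-AB5B-A3A9679948FF}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\trwvdinh]
Driver::
jajwjfwn
"""

# The same kind of script in the Avenger syntax from post #10 (shortened copy).
AVENGER = r"""
Drivers to delete:
jajwjfwn

Files to delete:
C:\WINDOWS\system32\drivers\yvmpostn.dat
C:\WINDOWS\system32\8og78sz65o.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn
"""

# Evidence: a constructed excerpt of lines copied from the ComboFix and HijackThis logs above.
EVIDENCE = r"""
2008-04-06 11:56 . 2008-04-03 15:57 401,720 --a------ C:\Program Files\Owner.exe
2008-04-03 15:57 . 2008-04-03 15:57 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-04-02 22:14 . 20,224 C:\WINDOWS\system32\drivers\yvmpostn.dat
2008-04-02 17:22 . 2008-04-06 21:49 81,920 --a------ C:\WINDOWS\system32\ctl3dv2h.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F037D81-C739-4693-AB5B-A3A9679948FF}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8og78sz65o]
C:\WINDOWS\system32\8og78sz65o.exe
R0 jajwjfwn;jajwjfwn;C:\WINDOWS\system32\drivers\yvmpostn.dat []
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn]
O20 - Winlogon Notify: trwvdinh - C:\WINDOWS\SYSTEM32\ctl3dv2h.dll
"""

# Section headers of both dialects mapped onto one vocabulary (my own table).
SECTION = {
    "collect::": "file", "file::": "file", "files to delete:": "file",
    "registry::": "key", "registry keys to delete:": "key",
    "driver::": "driver", "drivers to delete:": "driver",
}
# A scanner file-listing line: "<size> [attrs] <drive>:\path"
LISTED = re.compile(r"(?P<size>\d{1,3}(?:,\d{3})+|\d+)\s+(?:[-a-z]{9}\s+)?(?P<path>[A-Za-z]:\\\S.*)$")
WINPATH = re.compile(r"[A-Za-z]:\\[^\s\[\]\";]+")


def parse_removal_script(text: str) -> dict[str, list[str]]:
    """Split a CFScript- or Avenger-style script into file / key / driver targets."""
    targets: dict[str, list[str]] = defaultdict(list)
    kind = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        low = line.lower()
        if low in SECTION:
            kind = SECTION[low]
        elif low.endswith(":"):          # any other directive, e.g. KILLALL::
            kind = None
        elif kind == "key":              # [-KEY] in CFScript, bare KEY in Avenger
            targets["key"].append(line.strip("[]").lstrip("-"))
        elif kind:
            targets[kind].append(line)
    return targets


def index_evidence(log_text: str) -> tuple[dict[str, int], set[str]]:
    """Basenames the scanner listed on disk (with size) vs. basenames only referenced."""
    listed: dict[str, int] = {}
    referenced: set[str] = set()
    for line in log_text.splitlines():
        m = LISTED.search(line)
        if m:
            listed[m["path"].rsplit("\\", 1)[-1].lower()] = int(m["size"].replace(",", ""))
        else:
            referenced.update(p.rsplit("\\", 1)[-1].lower() for p in WINPATH.findall(line))
    return listed, referenced


def check(script: str, log_text: str) -> dict[str, str]:
    """Grade every target of the removal script against the log evidence."""
    listed, referenced = index_evidence(log_text)
    low = log_text.lower()
    targets = parse_removal_script(script)
    verdicts: dict[str, str] = {}
    for path in targets["file"]:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in listed:
            twins = sorted(n for n, s in listed.items() if s == listed[name] and n != name)
            verdicts[path] = "listed on disk" + (f"; same size as {', '.join(twins)}" if twins else "")
        elif name in referenced:
            verdicts[path] = "referenced by a registry/autostart entry only, never listed on disk"
        else:
            verdicts[path] = "no evidence in log"
    for key in targets["key"]:
        leaf = key.rsplit("\\", 1)[-1].lower()       # GUID, service or Notify subkey name
        verdicts[key] = "key seen in log" if leaf in low else "no evidence in log"
    for drv in targets["driver"]:
        hit = re.search(r"\b" + re.escape(drv.lower()) + r"\b", low)
        verdicts[drv] = "driver seen in log" if hit else "no evidence in log"
    return verdicts


if __name__ == "__main__":
    for target, verdict in check(CFSCRIPT, EVIDENCE).items():
        print(f"{verdict:70} {target}")
```

Run against the excerpt, every target of the CFScript is supported, but two verdicts carry the detail a reviewer wants: 8og78sz65o.exe is only referenced by the msconfig startupreg key, never listed as present, and Owner.exe is reported as the same size as HiJackThis.exe. Matching on basenames and key leaves is a deliberate simplification so that the `~` abbreviation ComboFix uses and the HKLM short form Avenger uses compare equal.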



#11 ailongam (Topic Starter)
This might have worked (or at least removed the suspicious file)... but I'll wait to hear confirmation on your end!

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com


Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "jajwjfwn" deleted successfully.
File "C:\WINDOWS\system32\drivers\yvmpostn.dat" deleted successfully.
File "C:\WINDOWS\system32\ctl3dv2h.dll" deleted successfully.
File "C:\Program Files\Owner.exe" deleted successfully.
File "C:\WINDOWS\_delis32.ini" deleted successfully.
File "C:\WINDOWS\system32\tcqdkpgy.dat" deleted successfully.
File "C:\WINDOWS\system32\zecobgkc.dat" deleted successfully.
File "C:\WINDOWS\system32\dunmuqjn.dat" deleted successfully.
File "C:\WINDOWS\system32\cjbhmtap.dat" deleted successfully.
File "C:\WINDOWS\system32\aalztiwl.dat" deleted successfully.
File "C:\WINDOWS\system32\hkbzsfzh.dat" deleted successfully.
File "C:\WINDOWS\system32\DivXd.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\8og78sz65o.exe" not found!
Deletion of file "C:\WINDOWS\system32\8og78sz65o.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jajwjfwn" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8og78sz65o" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\trwvdinh" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F037D81-C739-4693-AB5B-A3A9679948FF}" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FC734B8-547F-43E9-B169-6A74220C0259}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:38 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177605102515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177606220060
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - http://support.ninth...lers/voxacm.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab

--
End of file - 2418 bytes
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes it did remove the file but we aren't done yet :)
==================================
Please run dss again and post the log it produces.
  • 0

#13
ailongam

ailongam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-08 23:14:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:31 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177605102515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177606220060
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - http://support.ninth...lers/voxacm.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab

--
End of file - 2465 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 23:14:13 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-07 07:57:47 0 d-------- C:\cmdcons
2008-04-06 21:59:11 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-06 21:45:15 68096 --a------ C:\WINDOWS\zip.exe
2008-04-06 21:45:15 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-06 21:45:15 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 21:45:15 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 21:45:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 21:45:15 98816 --a------ C:\WINDOWS\sed.exe
2008-04-06 21:45:15 80412 --a------ C:\WINDOWS\grep.exe
2008-04-06 21:45:15 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-05 23:05:50 0 d-------- C:\Program Files\WinBatch
2008-04-05 23:03:58 0 d-------- C:\Documents and Settings\Owner\Application Data\WinBatch
2008-04-05 23:03:33 0 d-------- C:\Program Files\WinBatch_install
2008-04-05 18:59:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-05 18:59:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-05 18:47:28 1294 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 13:09:06 36373 --a------ C:\Program Files\ffunlock.exe
2008-04-05 13:05:21 25600 --a------ C:\Program Files\md5.exe
2008-04-05 12:11:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Desktopicon
2008-04-05 08:52:12 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-05 08:52:12 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-05 08:52:12 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-05 08:52:12 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-05 08:52:12 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-05 08:52:12 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-05 08:52:12 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-05 08:52:12 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-05 08:52:11 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-05 08:52:11 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-05 08:52:11 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-05 08:52:11 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-05 08:52:11 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-05 08:52:11 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-03 17:00:37 164 --a------ C:\install.dat
2008-04-03 16:10:31 0 d-------- C:\Program Files\backups
2008-04-03 14:20:38 0 d-------- C:\www.creativeconceptsinc.net
2008-04-03 13:39:35 486449 --a------ C:\Program Files\Fixwareout.exe
2008-04-03 11:29:32 0 d-------- C:\SmitfraudFix
2008-04-03 08:10:54 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-02 22:42:45 0 d-------- C:\Program Files\Lavasoft
2008-04-02 22:42:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 22:14:10 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-03-29 20:23:58 0 d-------- C:\Program Files\SmartFTP Client
2008-03-29 20:23:38 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-03-28 20:13:22 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-03-28 20:13:22 0 d-------- C:\Program Files\Ipswitch
2008-03-28 20:07:14 0 d-------- C:\Documents and Settings\Owner\Application Data\SmartFTP
2008-03-11 16:53:04 0 d-------- C:\www.bannerexteriors.com
2008-03-10 07:30:31 313344 --a------ C:\Program Files\hjsplit.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-08 23:14:31 2466 --a------ C:\Program Files\hijackthis.log
2008-04-07 16:33:53 140528 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-05 22:43:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-05 22:42:46 0 d-------- C:\Program Files\Symantec
2008-04-05 15:37:40 0 d-------- C:\Program Files\NoAdware5.0
2008-04-05 13:08:45 36277 --a------ C:\Program Files\ffunlock.zip
2008-04-05 13:01:37 0 d-------- C:\Program Files\Common Files
2008-04-05 12:32:13 532480 --a------ C:\Program Files\cwshredder.exe <Not Verified; Trend Micro Incorporated; CWShredder>
2008-04-03 22:08:21 0 d-------- C:\Program Files\Sound Forge
2008-04-02 22:54:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 13:10:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-22 00:05:03 0 d-------- C:\Program Files\DivX
2008-03-21 14:10:47 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-16 21:59:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-03-10 07:29:15 304957 --a------ C:\Program Files\hjsplit.zip
2008-03-07 18:55:39 335 --a------ C:\WINDOWS\nsreg.dat
2008-03-07 15:28:17 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-02-29 09:54:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2008-02-29 09:43:44 0 d-------- C:\Program Files\Google
2008-02-27 16:19:02 0 d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2008-02-21 07:40:32 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-17 08:45:50 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-02-15 18:17:33 0 d-------- C:\Documents and Settings\Owner\Application Data\vlc
2008-02-15 18:15:41 0 d-------- C:\Program Files\VideoLAN
2008-02-14 11:06:01 0 d-------- C:\Program Files\uTorrent
2008-02-08 10:50:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-25 15:25:28 100172 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [12/20/2003 09:58 PM 49152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopMenuStartUp exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PopMenuStartUp exe.lnk
backup=C:\WINDOWS\pss\PopMenuStartUp exe.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPAMfighter Agent]
"C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"avg8wd"=2 (0x2)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
erxufzvj


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc2-28dd-11dc-99a1-001111bd5d90}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc4-28dd-11dc-99a1-001111bd5d90}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-04-08 23:15:08 ------------
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please delete your version of Combofix and then do the following:
===========================================
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

NetSvc::
erxufzvj


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
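The script above takes the name out of the netsvcs group of svchost.exe. The tell in the logs is the combination of two things: the DSS log listed the name under "Svchost - NetSvcs", and the ComboFix log lists it as a service whose image path is plain svchost.exe, so the service's real code (the ServiceDll under its Parameters key) never appears in the log. The following Python checker is an added example, not code from this thread or from ComboFix or DSS: it parses both of those log formats from constructed sample lines and flags svchost-hosted services that are either listed as netsvcs additions or not in a small, hand-written allowlist of default Windows XP netsvcs members. The sample lines, the ExampleSvc entry and the allowlist are constructed for the example; only the erxufzvj line mirrors the thread.

```python
"""Flag svchost-hosted services that do not belong to the default netsvcs group.

Added example, not code from the thread or from the tools it mentions. Works on
plain log text in two formats seen in the thread:
  DSS:      a "Svchost - NetSvcs" header followed by one added service name per line
  ComboFix: "<start code> <name>;<display name>;<image path> [<timestamp>]"
"""
import re

# Constructed sample log; the erxufzvj lines mirror the thread, the rest is made up.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
erxufzvj

S2 erxufzvj;Floppy Disk Controller Monitor;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
R2 wuauserv;Automatic Updates;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
R2 ExampleSvc;Example Vendor Service;C:\Program Files\Example\examplesvc.exe [2008-01-01 00:00]
"""

NETSVCS_HEADER = re.compile(r"Svchost\s*-\s*NetSvcs\s*$", re.IGNORECASE)
SERVICE_LINE = re.compile(r"^([A-Z]\d)\s+([^;]+);([^;]*);(.+)$")
TRAILING_STAMP = re.compile(r"\s*\[[^\]]*\]\s*$")

# Partial, hand-written allowlist of service names that Windows XP ships in the
# netsvcs svchost group. It is illustrative, not an authoritative list.
DEFAULT_NETSVCS = {n.lower() for n in (
    "AudioSrv", "BITS", "Browser", "CryptSvc", "Dhcp", "Dnscache", "ERSvc",
    "EventSystem", "helpsvc", "lanmanserver", "lanmanworkstation", "Netman",
    "Nla", "RasMan", "Schedule", "seclogon", "SENS", "SharedAccess",
    "ShellHWDetection", "srservice", "Themes", "TrkWks", "W32Time", "winmgmt",
    "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
)}


def parse_netsvcs_additions(text):
    """Return the names listed under a DSS 'Svchost - NetSvcs' header."""
    names = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if NETSVCS_HEADER.search(line):
            for follow in lines[i + 1:]:
                if not follow.strip():
                    break  # the block ends at the first blank line
                names.append(follow.strip())
    return names


def parse_services(text):
    """Return ComboFix-style service lines as dicts (start, name, display, image)."""
    services = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        start, name, display, image = m.groups()
        image = TRAILING_STAMP.sub("", image).strip()  # drop the "[date time]" suffix
        services.append({"start": start, "name": name.strip(),
                         "display": display.strip(), "image": image})
    return services


def find_suspicious(text):
    """Flag services hosted by svchost.exe that are netsvcs additions or unknown names."""
    additions = {n.lower() for n in parse_netsvcs_additions(text)}
    findings = []
    for svc in parse_services(text):
        image_name = svc["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name != "svchost.exe":
            continue  # only svchost-hosted services hide their code behind a ServiceDll
        key = svc["name"].lower()
        reasons = []
        if key in additions:
            reasons.append("listed as an addition to the netsvcs svchost group")
        if key not in DEFAULT_NETSVCS:
            reasons.append("not a default netsvcs member")
        if reasons:
            findings.append({"name": svc["name"], "display": svc["display"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(f"{finding['name']} ({finding['display']}): " + "; ".join(finding["reasons"]))
```

Run on the sample, only erxufzvj is reported, with both reasons; wuauserv is svchost-hosted but a known default, and ExampleSvc runs from its own executable so the heuristic does not apply. On a live machine the follow-up check is the ServiceDll value under the flagged service's Parameters key, which is the file the removal script actually needs to get rid of.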

#15
ailongam

ailongam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Combofix.txt

ComboFix 08-04-08.9 - Owner 2008-04-09 7:58:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.273 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 07:31 . 2008-04-09 07:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 07:31 . 2008-04-09 07:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 23:14 . 2008-04-03 15:57 401,720 --a------ C:\Program Files\Owner.exe
2008-04-06 11:55 . 2008-04-06 11:55 <DIR> d-------- C:\Deckard
2008-04-05 23:05 . 2008-04-05 23:10 <DIR> d-------- C:\Program Files\WinBatch
2008-04-05 23:03 . 2008-04-05 23:10 <DIR> d-------- C:\Program Files\WinBatch_install
2008-04-05 23:03 . 2008-04-05 23:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinBatch
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-05 18:59 . 2008-04-05 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-05 18:47 . 2008-04-05 18:47 1,294 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 13:09 . 2006-10-18 15:53 36,373 --a------ C:\Program Files\ffunlock.exe
2008-04-05 13:08 . 2008-04-05 13:08 36,277 --a------ C:\Program Files\ffunlock.zip
2008-04-05 13:05 . 2005-05-25 13:17 25,600 --a------ C:\Program Files\md5.exe
2008-04-05 12:11 . 2008-04-05 12:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Desktopicon
2008-04-03 17:00 . 2008-04-03 17:00 164 --a------ C:\install.dat
2008-04-03 16:10 . 2008-04-06 11:16 <DIR> d-------- C:\Program Files\backups
2008-04-03 15:57 . 2008-04-03 15:57 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-04-03 14:20 . 2008-04-03 14:56 <DIR> d-------- C:\www.creativeconceptsinc.net
2008-04-03 13:39 . 2008-04-05 22:54 <DIR> d-------- C:\fixwareout
2008-04-03 13:39 . 2008-04-03 13:39 486,449 --a------ C:\Program Files\Fixwareout.exe
2008-04-03 11:29 . 2008-04-05 18:48 <DIR> d-------- C:\SmitfraudFix
2008-04-03 08:10 . 2008-04-03 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-02 23:16 . 2008-04-02 23:16 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-02 23:16 . 2008-04-02 23:16 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-02 22:42 . 2008-04-02 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-02 22:42 . 2008-04-03 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 22:14 . 2008-04-02 22:14 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-03-29 20:23 . 2008-03-29 20:23 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-03-29 20:23 . 2008-03-29 20:23 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-03-28 20:13 . 2008-03-28 20:13 <DIR> d-------- C:\Program Files\Ipswitch
2008-03-28 20:13 . 2005-02-28 12:37 606,293 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-03-28 20:13 . 2005-02-28 12:37 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-03-28 20:07 . 2008-03-28 20:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SmartFTP
2008-03-11 16:53 . 2008-04-07 14:51 <DIR> d-------- C:\www.bannerexteriors.com
2008-03-10 07:30 . 2007-02-01 18:02 313,344 --a------ C:\Program Files\hjsplit.exe
2008-03-10 07:29 . 2008-03-10 07:29 304,957 --a------ C:\Program Files\hjsplit.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 03:14 2,466 ----a-w C:\Program Files\hijackthis.log
2008-04-08 21:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-07 20:33 140,528 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-06 02:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-06 02:42 --------- d-----w C:\Program Files\Symantec
2008-04-05 19:37 --------- d-----w C:\Program Files\NoAdware5.0
2008-04-05 16:32 532,480 ----a-w C:\Program Files\cwshredder.exe
2008-04-04 02:08 --------- d-----w C:\Program Files\Sound Forge
2008-04-03 02:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 04:05 --------- d-----w C:\Program Files\DivX
2008-03-21 18:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-07 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-07 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-07 19:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-02-29 13:43 --------- d-----w C:\Program Files\Google
2008-02-29 13:42 13,413,048 ----a-w C:\Program Files\Google_Earth_BZXV.exe
2008-02-27 20:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2008-02-17 12:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2008-02-15 22:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-02-15 22:15 --------- d-----w C:\Program Files\VideoLAN
2008-02-14 15:06 --------- d-----w C:\Program Files\uTorrent
2008-01-25 19:14 16,398,632 ----a-w C:\Program Files\Safari304BetaSecUpdateSetup.exe
2008-01-23 20:02 11,034,456 ----a-w C:\Program Files\gm5f_setup.exe
2007-11-30 21:14 3,961,790 ----a-w C:\Program Files\flashpoint.exe
2007-11-30 17:45 37,418,496 ----a-w C:\Program Files\camtasia.msi
2007-11-30 16:52 6,018,149 ----a-w C:\Program Files\PowerPoint-Flash-free-converter-download.exe
2007-11-30 15:13 23,510,720 ----a-w C:\Program Files\dotnetfx.exe
2007-11-30 14:25 1,941,504 ----a-w C:\Program Files\officetohtmlwizard.exe
2007-08-13 02:46 10,469,123 ----a-w C:\Program Files\FLV2Video_Setup.exe
2007-08-13 02:44 4,960,221 ----a-w C:\Program Files\RivaEncoderSetup.exe
2007-08-13 02:43 2,654,861 ----a-w C:\Program Files\KeepVFlashConverterSetup.exe
2007-07-01 14:31 1,420,928 ----a-w C:\Program Files\spamfighter_web.exe
2007-05-02 11:07 1,035,271 ----a-w C:\Program Files\wrar362.exe
2007-04-26 20:34 3,973,023 ----a-w C:\Program Files\xillisoft_dvdripper4.exe
2007-04-26 20:33 14,814,288 ----a-w C:\Program Files\xillisoft_converter3.exe
2007-04-24 00:32 3,478,790 ----a-w C:\Program Files\WebConferencePlugin.exe
2007-04-11 20:57 6,006,832 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-03-21 04:10 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-03-14 17:01 1,241,914 ----a-w C:\Program Files\DVDRegionFree59.exe
2007-01-25 22:04 1,902,704 ----a-w C:\Program Files\noadware.exe
2006-11-09 12:55 15,521,072 ----a-w C:\Program Files\IE7-WindowsXP-x86-enu.exe
2006-11-02 19:04 2,747,632 ----a-w C:\Program Files\cdlabel.exe
2006-10-18 19:54 3,454 ----a-w C:\Program Files\license.txt
2006-08-15 16:55 55 ----a-w C:\Program Files\DVDPATH.TXT
2006-05-30 18:02 2,805,203 ----a-w C:\Program Files\sprint32.zip
2005-05-25 22:35 2,751 ----a-w C:\Program Files\dellater.asm
2004-07-26 08:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2004-03-06 22:20 718,010 ----a-w C:\Program Files\DVDRegionFree33.exe
2004-03-06 22:20 241 ----a-w C:\Program Files\DVDRegionFree.REG
2004-02-20 21:44 490,608 ----a-w C:\Program Files\ie6setup.exe
2004-01-06 22:02 147,968 ----a-w C:\Program Files\QuickTimeUpdater.exe
2002-04-20 00:15 61 ----a-w C:\Program Files\adobe photoshop 7.0 serial.txt
.

((((((((((((((((((((((((((((( [email protected]_21.58.52.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-07 01:42:28 458,048 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-08 01:41:46 461,232 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 09:04 54936]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-12-20 21:58 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopMenuStartUp exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PopMenuStartUp exe.lnk
backup=C:\WINDOWS\pss\PopMenuStartUp exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 06:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
--a------ 2003-05-15 20:36 446464 C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 14:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPAMfighter Agent]
--a------ 2007-06-25 15:03 481424 C:\Program Files\SPAMfighter\SFAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

S2 erxufzvj;Floppy Disk Controller Monitor;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc2-28dd-11dc-99a1-001111bd5d90}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f06c3dc4-28dd-11dc-99a1-001111bd5d90}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 11:20:17 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 08:02:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
Completion time: 2008-04-09 8:06:43
ComboFix-quarantined-files.txt 2008-04-09 12:06:35
ComboFix2.txt 2008-04-07 01:59:10
Pre-Run: 35,122,573,312 bytes free
Post-Run: 35,111,505,920 bytes free
.
2008-04-03 14:25:31 --- E O F ---



HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:19 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1177605102515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177606220060
O16 - DPF: {73F7A062-8829-11D1-B550-006097242D8D} (Voxware MetaSound Audio Decoder) - http://support.ninth...lers/voxacm.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab

--
End of file - 2385 bytes
  • 0





