Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware, adware issue

Started by walton74 , Apr 07 2008 01:10 AM

  • Please log in to reply

#1
walton74
Posted 07 April 2008 - 01:10 AM

walton74

    Member

  • Member
  • PipPip
  • 18 posts
Greetings,

I just joined the site and have gone through a few of the posts and resolutions and haven't been able to find one that exactly matches my issue so I hope that someone will please assist me with getting rid of the problems that I am encountering.
I was on myspace and checked a users page who requested to be my friend when a windows security box popped up and it really seemed to be my security center so I clicked on it to download an update. Since that point I have been getting the yellow triangle with the exclamation point stating that my pc has spyware and one that says you pc is running slowly as well as internet attack attempt detected. I have clicked the box before and a site comes up on IE which says about:security I right clicked to get the url and it says livesecuritycenter.com/?aid-373.0. I also get pop ups saying that I have been infected with stc loader.exe 2nd Thought, 180 Solutions, trojan downloader.xs, and tx4 browserad adware.
I have attempted to remove the 180 solutions program, the 180search assistant, and internet explorer but they replace themselves. I even used instructions from another site which gave a list of files to remove and they come back as well. I have run my Norton and it finds nothing, I have run windows defender, the malicious removal tool, avg free spyware, I tried changing the registry so that I could enter the task manager and it changes back to 1. I have a desktop screen that leads to the livesecurity page as well. I attempted to delete the desktop from the drive and it replaces itself. I have firefox installed but just cannot get rid of IE to see if the malware is attached to it. Please assist me with this issue. Your help will be gladly appreciated.
  • 0

Advertisements

#2
koko_crunch
Posted 07 April 2008 - 02:14 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello walton74 and Welcome to Geeks to Go!

Could you please post with a HijackThis log so we can have a better look at your system.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
walton74
Posted 07 April 2008 - 06:09 PM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I read the do this first and forgot to save my AVG report log but here is the Super Antispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/07/2008 at 06:30 PM

Application Version : 4.0.1154

Core Rules Database Version : 3432
Trace Rules Database Version: 1424

Scan type : Complete Scan
Total Scan Time : 01:07:59

Memory items scanned : 415
Memory threats detected : 0
Registry items scanned : 5552
Registry threats detected : 6
File items scanned : 66267
File threats detected : 11

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE

Adware.180solutions/ZangoSearch
C:\Program Files\Zango\zango.exe
C:\Program Files\Zango

Adware.180solutions/Seekmo
C:\Program Files\Seekmo\seekmohook.dll
C:\Program Files\Seekmo

Trojan.FakeDrop-180AX
C:\WINDOWS\180AX.EXE
C:\WINDOWS\FLEOK\180AX.EXE

Trojan.FakeDrop-2020Search
C:\WINDOWS\2020SEARCH2.DLL

Torjan.SecondThoughtInstaller
C:\WINDOWS\INSTALLER\ID53.EXE

Trojan.Unclassified/NTNut32
C:\WINDOWS\SYSTEM32\NTNUT32.EXE
  • 0

#4
walton74
Posted 07 April 2008 - 06:12 PM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Here is the highjack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:05 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\winself.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200846102815_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: bafdcfbdebceb - C:\WINDOWS\system32\bafdcfbdebceb.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSysInterv - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 11554 bytes
  • 0

#5
koko_crunch
Posted 08 April 2008 - 12:21 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Thank you for the logs. :)

Now let's start removing those infections.

Please read this post completely before proceeding. If you have questions, please don't hesitate to ask.


First, please

1. Download SDFix and save it to your Desktop.

2. Download VundoFix.exe to your desktop



Then, please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Next,

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum



Finally,

lease download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Logs required on next post.
Please make sure your post doesn't get cut off.

- SDFIX log
- Vundofix log
- New HijackThis log
  • 0

#6
walton74
Posted 08 April 2008 - 02:07 AM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Here are the SDFix Logs:


SDFix: Version 1.167
Run by Owner on Tue 04/08/2008 at 03:45 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 03:52:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

C:\WINDOWS\default.htm Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 15 Jan 2006 6,327 A..H. --- "C:\My Backup -- 28-02-08 0923\temp\t4.bak"
Wed 30 Jun 2004 156,784 A..H. --- "C:\My Backup -- 28-02-08 0923\Program Files\America Online 9.0\aoltray.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\My Backup -- 28-02-08 0923\Program Files\America Online 9.0b\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\My Backup -- 28-02-08 0923\Program Files\America Online 9.0b\rbm.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\My Backup -- 28-02-08 0923\Program Files\America Online 9.0c\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\My Backup -- 28-02-08 0923\Program Files\America Online 9.0c\rbm.exe"
Fri 19 Nov 2004 54,872 A..H. --- "C:\My Backup -- 28-02-08 0923\Program Files\America Online 9.0d\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\My Backup -- 28-02-08 0923\Program Files\America Online 9.0d\rbm.exe"
Sat 29 Jan 2005 0 A.SH. --- "C:\My Backup -- 28-02-08 0923\WINDOWS\SMINST\HPCD.sys"
Fri 4 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 31 Jan 2005 4,348 ..SH. --- "C:\My Backup -- 28-02-08 0923\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 31 Jan 2005 401 ..SH. --- "C:\My Backup -- 28-02-08 0923\Documents and Settings\All Users\DRM\DRMv18.bak"
Mon 31 Jan 2005 4,348 ...H. --- "C:\My Backup -- 28-02-08 0923\RECYCLER\S-1-5-21-4164904192-33914520-2133651516-1003\Dc9\drmv1key.bak"
Mon 31 Jan 2005 401 A..H. --- "C:\My Backup -- 28-02-08 0923\RECYCLER\S-1-5-21-4164904192-33914520-2133651516-1003\Dc9\drmv1lic.bak"
Mon 31 Jan 2005 312 ...H. --- "C:\My Backup -- 28-02-08 0923\RECYCLER\S-1-5-21-4164904192-33914520-2133651516-1003\Dc9\drmv2key.bak"
Mon 31 Jan 2005 1,536 A..H. --- "C:\My Backup -- 28-02-08 0923\RECYCLER\S-1-5-21-4164904192-33914520-2133651516-1003\Dc9\drmv2lic.bak"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Owner\Application Data\U3\temp\Launchpad Removal.exe"
Fri 27 Oct 2006 19,456 ...H. --- "C:\My Backup -- 28-02-08 0923\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0003.tmp"
Fri 27 Oct 2006 19,456 ...H. --- "C:\My Backup -- 28-02-08 0923\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0005.tmp"
Fri 27 Oct 2006 19,456 ...H. --- "C:\My Backup -- 28-02-08 0923\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1765.tmp"
Fri 27 Oct 2006 19,456 ...H. --- "C:\My Backup -- 28-02-08 0923\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1795.tmp"
Sun 6 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch1\lock.tmp"
Sun 6 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch2\lock.tmp"
Sun 6 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch3\lock.tmp"
Sun 6 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch4\lock.tmp"
Sun 6 Apr 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch5\lock.tmp"
Sun 3 Apr 2005 8 A..H. --- "C:\My Backup -- 28-02-08 0923\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
  • 0

#7
walton74
Posted 08 April 2008 - 02:24 AM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
There were no files found in the Vundo, here is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:53 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\winself.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200846102815_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: bafdcfbdebceb - C:\WINDOWS\system32\bafdcfbdebceb.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSysInterv - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 11286 bytes
  • 0

#8
koko_crunch
Posted 08 April 2008 - 03:25 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Some nasties didn't go. Let's use a different tool. :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#9
walton74
Posted 08 April 2008 - 02:25 PM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Here's the combofix:

ComboFix 08-04-08.4 - Owner 2008-04-08 16:05:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.127 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 04:08 . 2008-04-08 04:08 <DIR> d-------- C:\VundoFix Backups
2008-04-08 03:51 . 2008-04-08 03:51 29,696 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-08 03:42 . 2008-04-08 03:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 03:17 . 2008-04-08 03:56 <DIR> d-------- C:\SDFix
2008-04-07 15:20 . 2008-04-07 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 15:19 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-07 15:19 . 2008-02-28 12:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-07 15:19 . 2008-02-28 12:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-04-07 03:14 . 2008-04-07 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 02:55 . 2008-04-07 03:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 02:55 . 2008-04-07 02:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 02:55 . 2008-04-07 02:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-06 17:57 . 2008-04-06 17:57 4,180 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-06 10:35 . 2008-04-08 03:51 <DIR> d-------- C:\WINDOWS\FLEOK
2008-04-06 10:34 . 2008-04-06 10:34 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-05 21:39 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-04-05 21:38 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-04-05 21:34 . 2007-07-06 15:09 70,928 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-04-05 21:31 . 2007-03-29 08:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-05 21:31 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-04-05 21:06 . 2008-04-07 19:23 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-05 21:03 . 2008-04-06 10:33 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-05 15:00 . 2008-04-05 15:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-05 15:00 . 2008-04-05 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 15:00 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 13:42 . 2008-04-05 13:42 91,563 --a------ C:\WINDOWS\system32\wmsdkns.exe
2008-04-05 13:42 . 2008-04-05 13:42 91,563 --a------ C:\WINDOWS\lfn.exe
2008-04-05 12:41 . 2008-04-05 12:41 20,992 --a------ C:\WINDOWS\winself.exe
2008-04-05 12:41 . 2008-04-07 17:03 200 -r-hs---- C:\WINDOWS\mscon.sio
2008-04-05 12:41 . 2008-04-07 17:03 16 -r-hs---- C:\WINDOWS\conf.inf
2008-04-05 12:41 . 2008-04-08 03:28 12 --------- C:\WINDOWS\ky.sxc
2008-04-04 17:14 . 2008-04-06 18:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-04 16:58 . 2008-04-04 16:58 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-04 16:58 . 2008-04-04 17:05 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 15:16 . 2008-04-03 15:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-04-03 03:16 . 2008-04-07 04:22 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-04-02 22:25 . 2004-08-04 15:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2008-04-02 18:23 . 2008-04-02 18:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-04-02 18:23 . 2008-04-02 18:23 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-01 11:24 . 2008-04-01 11:24 268 --ah----- C:\sqmdata00.sqm
2008-04-01 11:24 . 2008-04-01 11:24 244 --ah----- C:\sqmnoopt00.sqm
2008-03-09 13:33 . 2008-04-04 15:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-09 13:31 . 2008-03-09 13:31 <DIR> d-------- C:\Program Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 19:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-07 02:04 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-06 14:33 --------- d-----w C:\Program Files\Real
2008-04-05 06:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-03-09 19:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-09 17:31 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-09 16:58 --------- d-----w C:\Program Files\Ahead
2008-03-09 16:55 --------- d-----w C:\Program Files\Java
2008-03-05 02:54 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-05 02:53 --------- d-----w C:\Program Files\Common Files\Real
2008-03-04 01:09 --------- d-----w C:\Program Files\Windows Live
2008-03-03 08:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-03 01:31 --------- d-----w C:\Program Files\Google
2008-03-02 21:55 --------- d-----w C:\Program Files\LimeWire
2008-03-02 21:20 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-02 21:20 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-02 21:19 --------- d-----w C:\Program Files\Windows Live Favorites
2008-03-02 21:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-02 21:10 --------- d-----w C:\Program Files\MySpace
2008-03-02 21:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-02 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-29 08:02 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-29 06:50 --------- d-----w C:\Program Files\Pure Networks
2008-02-29 06:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-29 03:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 02:56 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-29 02:56 --------- d-----w C:\Program Files\BigFix
2008-02-29 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-29 02:29 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Symantec
2008-02-28 20:59 --------- d-----w C:\Program Files\Intel
2008-02-28 20:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-28 19:51 --------- d-----w C:\Program Files\SymNetDrv
2008-02-28 19:51 --------- d-----w C:\Program Files\Symantec
2008-02-28 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-28 16:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2008-02-28 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-28 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-28 16:48 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-28 16:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-28 16:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 16:46 --------- d-----w C:\Program Files\CyberLink
2008-02-28 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-28 16:45 --------- d-----w C:\Program Files\Microsoft Works
2008-02-28 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-02-28 16:43 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2008-02-28 16:43 --------- d-----w C:\Program Files\QuickTime
2008-02-28 16:43 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-02-28 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-28 16:41 --------- d-----w C:\Program Files\MSN Encarta Plus
2008-02-28 16:41 --------- d-----w C:\Program Files\Microsoft Money
2008-02-28 16:40 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-28 16:40 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-02-28 16:39 --------- d-----w C:\Program Files\Common Files\New Boundary
2008-02-28 16:39 --------- d-----w C:\Program Files\Common Files\Java
2008-02-28 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prism Deploy
2008-02-01 16:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f3ed5cd-0726-42a9-87f5-d13f3d2976ac}]
2007-12-17 12:12 56360 --a------ C:\Program Files\Windows Live\Family Safety\fssbho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 14:23 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2004-08-04 15:00 77891]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 05:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 05:50 843776 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 05:50 81920]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 00:51 131072]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42 32768]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 18:05 135168]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-28 15:51 100056]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 12:12 243240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-04 22:51 185896]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-01-22 19:43 67112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 14:53]
R2 fsssvc;Windows Live OneCare Family Safety;"C:\Program Files\Windows Live\Family Safety\fsssvc.exe" [2007-12-17 12:13]
R2 MSSysInterv;MSSysInterv;C:\WINDOWS\winself.exe service []
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 17:28]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2007-12-20 17:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 20:06:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-28 16:55:52 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-04-05 02:02:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 16:09:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 16:10:38
ComboFix-quarantined-files.txt 2008-04-08 20:10:24
Pre-Run: 53,137,797,120 bytes free
Post-Run: 53,130,866,688 bytes free
.
2008-04-06 21:09:41 --- E O F ---


Here's the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:30 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\winself.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSysInterv - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 11444 bytes
  • 0

#10
koko_crunch
Posted 09 April 2008 - 01:40 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
It took care of some but not all.

Please read this post completely before proceeding with the fix. If you have questions, please don't hesitate to ask. :)

Next,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Followed by,


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\mscon.sio
C:\WINDOWS\conf.inf
C:\WINDOWS\ky.sxc
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\WINDOWS\Tasks\ISP signup reminder 3.job

Folder::
C:\WINDOWS\FLEOK

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSysInterv]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .
  • New HijackThis log

Edited by koko_crunch, 09 April 2008 - 01:41 AM.
EDIT---

  • 0

Advertisements

#11
walton74
Posted 09 April 2008 - 02:43 AM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I think you've done it. The message and link are gone from my desktop and I have not seen a pop up nor yellow triangle yet. Here is the the Combofix.txt:

ComboFix 08-04-08.4 - Owner 2008-04-09 4:04:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\WINDOWS\conf.inf
C:\WINDOWS\ky.sxc
C:\WINDOWS\mscon.sio
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Tasks\ISP signup reminder 3.job
C:\WINDOWS\winself.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\conf.inf
C:\WINDOWS\default.htm
C:\WINDOWS\FLEOK
C:\WINDOWS\FLEOK\180ax.exe
C:\WINDOWS\ky.sxc
C:\WINDOWS\mscon.sio
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Tasks\ISP signup reminder 3.job
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winself.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSysInterv
-------\MSSysInterv


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 04:08 . 2008-04-08 04:08 <DIR> d-------- C:\VundoFix Backups
2008-04-08 03:42 . 2008-04-08 03:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 03:17 . 2008-04-08 03:56 <DIR> d-------- C:\SDFix
2008-04-07 15:20 . 2008-04-07 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 15:19 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-07 15:19 . 2008-02-28 12:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-07 15:19 . 2008-02-28 12:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-04-07 03:14 . 2008-04-07 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 02:55 . 2008-04-07 03:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 02:55 . 2008-04-07 02:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 02:55 . 2008-04-07 02:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-06 17:57 . 2008-04-06 17:57 4,180 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-06 10:34 . 2008-04-06 10:34 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-05 21:39 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-04-05 21:38 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-04-05 21:34 . 2007-07-06 15:09 70,928 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-04-05 21:31 . 2007-03-29 08:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-05 21:31 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-04-05 21:06 . 2008-04-09 02:20 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-05 21:03 . 2008-04-06 10:33 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-05 15:00 . 2008-04-05 15:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-05 15:00 . 2008-04-05 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 15:00 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-05 13:42 . 2008-04-05 13:42 91,563 --a------ C:\WINDOWS\lfn.exe
2008-04-04 17:14 . 2008-04-06 18:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-04 16:58 . 2008-04-04 16:58 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-04 16:58 . 2008-04-04 17:05 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 15:16 . 2008-04-03 15:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-04-03 03:16 . 2008-04-07 04:22 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-04-02 22:25 . 2004-08-04 15:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2008-04-02 18:23 . 2008-04-02 18:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-04-02 18:23 . 2008-04-02 18:23 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-03-09 13:33 . 2008-04-04 15:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-09 13:31 . 2008-03-09 13:31 <DIR> d-------- C:\Program Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 21:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-04-08 19:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-07 02:04 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-06 14:33 --------- d-----w C:\Program Files\Real
2008-03-09 19:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-09 17:31 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-09 16:58 --------- d-----w C:\Program Files\Ahead
2008-03-09 16:55 --------- d-----w C:\Program Files\Java
2008-03-05 02:54 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-05 02:53 --------- d-----w C:\Program Files\Common Files\Real
2008-03-04 01:09 --------- d-----w C:\Program Files\Windows Live
2008-03-03 08:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-03 01:31 --------- d-----w C:\Program Files\Google
2008-03-02 21:55 --------- d-----w C:\Program Files\LimeWire
2008-03-02 21:20 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-02 21:20 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-02 21:19 --------- d-----w C:\Program Files\Windows Live Favorites
2008-03-02 21:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-02 21:10 --------- d-----w C:\Program Files\MySpace
2008-03-02 21:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-02 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-29 08:02 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-29 06:50 --------- d-----w C:\Program Files\Pure Networks
2008-02-29 06:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-29 03:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 02:56 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-29 02:56 --------- d-----w C:\Program Files\BigFix
2008-02-29 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-29 02:29 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Symantec
2008-02-28 20:59 --------- d-----w C:\Program Files\Intel
2008-02-28 20:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-28 19:51 --------- d-----w C:\Program Files\SymNetDrv
2008-02-28 19:51 --------- d-----w C:\Program Files\Symantec
2008-02-28 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-28 16:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2008-02-28 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-28 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-28 16:48 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-28 16:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-28 16:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 16:46 --------- d-----w C:\Program Files\CyberLink
2008-02-28 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-28 16:45 --------- d-----w C:\Program Files\Microsoft Works
2008-02-28 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-02-28 16:43 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2008-02-28 16:43 --------- d-----w C:\Program Files\QuickTime
2008-02-28 16:43 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-02-28 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-28 16:41 --------- d-----w C:\Program Files\MSN Encarta Plus
2008-02-28 16:41 --------- d-----w C:\Program Files\Microsoft Money
2008-02-28 16:40 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-28 16:40 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-02-28 16:39 --------- d-----w C:\Program Files\Common Files\New Boundary
2008-02-28 16:39 --------- d-----w C:\Program Files\Common Files\Java
2008-02-28 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prism Deploy
2008-02-01 16:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
.

((((((((((((((((((((((((((((( snapshot@2008-04-08_16.09.57.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-12-07 01:07:12 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-12-07 01:07:12 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-12-07 01:07:12 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-12-07 01:07:12 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-02-16 08:59:35 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-02-16 08:59:35 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 19:00:00 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-07 01:07:12 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 01:07:12 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-02-16 08:59:35 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-06 13:07:07 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-02-15 09:23:37 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-12-07 01:07:12 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-02-16 08:59:35 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-12-07 01:07:12 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-02-16 08:59:35 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-12-07 01:07:12 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 14:37:14 3,059,200 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 01:07:13 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 01:07:13 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-02-16 08:59:37 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 01:07:13 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-02-16 08:59:37 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 01:07:13 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-12-07 01:07:13 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-12-07 01:07:14 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-02-16 08:59:38 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 19:00:00 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 01:07:14 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-02-16 08:59:39 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 19:00:00 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2007-12-07 01:07:12 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-04-04 06:56:03 147,608 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-09 00:15:39 147,608 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-12-07 01:07:12 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-12-07 01:07:12 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-12-07 01:07:12 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-03-05 12:30:56 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 14:37:14 3,059,200 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 01:07:13 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 01:07:13 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 01:07:13 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-12-07 01:07:14 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 19:00:00 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-12-07 01:07:14 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-02-16 08:59:39 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f3ed5cd-0726-42a9-87f5-d13f3d2976ac}]
2007-12-17 12:12 56360 --a------ C:\Program Files\Windows Live\Family Safety\fssbho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 14:23 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2004-08-04 15:00 77891]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 05:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 05:50 843776 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 05:50 81920]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 00:51 131072]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42 32768]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 18:05 135168]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-28 15:51 100056]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 12:12 243240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-04 22:51 185896]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-01-22 19:43 67112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 14:53]
R2 fsssvc;Windows Live OneCare Family Safety;"C:\Program Files\Windows Live\Family Safety\fsssvc.exe" [2007-12-17 12:13]
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 17:28]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2007-12-20 17:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 08:06:10 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-05 02:02:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 04:12:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-04-09 4:35:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 08:34:43
ComboFix2.txt 2008-04-08 20:10:41
Pre-Run: 53,252,313,088 bytes free
Post-Run: 53,194,407,936 bytes free
.
2008-04-08 22:06:13 --- E O F ---


Here is the Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:43 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 10164 bytes

I thank you sincerely and I will be sure to donate when I can. I love this stuff and would love to learn to help others the way you have helped me can you teach me some tricks or some good things to know. I know you don't have the time to get into all of the complicated things but maybe some of the simpler stuff and I will help people here as much as I can. Thank you so very much. GOD bless you. Thank You
  • 0

#12
koko_crunch
Posted 09 April 2008 - 03:11 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hold your horses, we're not done yet. We still have to do some check... :)

First,

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Then,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please post back with

-superantispyware log
-DSS log main and extra
  • 0

#13
walton74
Posted 10 April 2008 - 06:52 PM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Here is the Main.txt log:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-10 20:35:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-04-11 00:35:36 UTC - RP8 - Deckard's System Scanner Restore Point
6: 2008-04-10 08:12:13 UTC - RP7 - System Checkpoint
5: 2008-04-09 08:03:41 UTC - RP6 - ComboFix created restore point
4: 2008-04-08 22:01:10 UTC - RP5 - Software Distribution Service 3.0
3: 2008-04-08 20:04:53 UTC - RP4 - ComboFix created restore point


-- First Restore Point --
1: 2008-04-07 18:54:55 UTC - RP2 - Good restore


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:33 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 10030 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Owner\Desktop\backups\) ---------------

backup-20080408-032720-191 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080408-032720-213 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080408-032720-329 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080408-032720-374 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080408-032720-382 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080408-032720-433 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080408-032720-462 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080408-032720-516 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080408-032720-541 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080408-032720-555 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080408-032720-594 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080408-032720-688 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080408-032720-698 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080408-032720-750 O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20080408-032720-793 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080408-032720-812 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080408-032720-890 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20080408-032720-927 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080409-035941-148 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080409-035941-268 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080409-035941-406 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
backup-20080409-035941-415 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080409-035941-543 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080409-035941-600 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080409-035941-614 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080409-035941-778 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080409-035941-801 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080409-035941-866 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080409-035941-873 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080409-035942-337 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080409-035942-407 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080409-035942-615 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080409-035942-821 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080409-035942-981 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 20:06:03 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-04-04 22:02:21 530 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job


-- Files created between 2008-03-10 and 2008-04-10 -----------------------------

2008-04-09 04:35:24 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-08 16:04:12 68096 --a------ C:\WINDOWS\zip.exe
2008-04-08 16:04:12 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-08 16:04:12 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-08 16:04:12 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-08 16:04:12 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-08 16:04:12 98816 --a------ C:\WINDOWS\sed.exe
2008-04-08 16:04:12 80412 --a------ C:\WINDOWS\grep.exe
2008-04-08 16:04:12 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-08 04:08:03 0 d-------- C:\VundoFix Backups
2008-04-08 03:42:51 0 d-------- C:\WINDOWS\ERUNT
2008-04-07 15:20:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 15:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-04-07 15:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-07 15:19:21 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-07 15:19:21 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-07 15:19:21 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-07 15:19:21 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-07 15:19:21 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-07 15:19:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-07 15:19:21 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-07 15:19:20 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-07 15:19:20 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-07 15:19:20 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-07 15:19:20 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-07 15:19:20 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-07 15:19:20 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-07 15:19:20 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-07 15:19:20 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-07 15:19:18 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-07 03:14:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 02:55:53 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 02:55:52 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-07 02:55:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 10:34:16 0 d-------- C:\WINDOWS\system32\bits
2008-04-06 10:17:40 0 d-------- C:\WINDOWS\pss
2008-04-05 21:06:29 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-05 21:06:04 0 d-------- C:\127b4ffeef588c701a9d90
2008-04-05 21:03:14 0 d-------- C:\Program Files\Windows Defender
2008-04-05 15:00:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-05 15:00:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 14:13:54 28928 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-04-05 14:13:53 31744 --a------ C:\WINDOWS\msapasrc.dll
2008-04-05 14:13:53 14592 --a------ C:\WINDOWS\msa64chk.dll
2008-04-05 14:13:52 21248 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-04-05 14:13:52 11520 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-05 14:13:52 25856 --a------ C:\WINDOWS\shdocpl.dll
2008-04-05 14:13:52 18176 --a------ C:\WINDOWS\ntnut.exe
2008-04-05 14:13:51 31232 --a------ C:\WINDOWS\winsb.dll
2008-04-05 14:13:51 20480 --a------ C:\WINDOWS\shdocpe.dll
2008-04-05 14:13:51 17152 --a------ C:\WINDOWS\browserad.dll
2008-04-05 14:13:51 29184 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-05 14:13:50 12800 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-05 14:13:50 24320 --a------ C:\WINDOWS\avifile32.dll
2008-04-05 14:13:50 11264 --a------ C:\WINDOWS\autodisc32.dll
2008-04-05 14:13:50 12544 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-05 14:13:50 22016 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-05 14:13:50 23040 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-05 14:13:49 20480 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-05 14:13:49 15872 --a------ C:\WINDOWS\athprxy32.dll
2008-04-05 14:13:49 26368 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-05 14:13:49 10752 --a------ C:\WINDOWS\asferror32.dll
2008-04-05 14:13:49 25344 --a------ C:\WINDOWS\apphelp32.dll
2008-04-05 13:42:58 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-05 13:42:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-05 13:42:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-04-05 13:42:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-04-05 13:42:47 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-05 13:42:43 91563 -----n--- C:\WINDOWS\lfn.exe
2008-04-04 17:14:13 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-04 16:58:43 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-04 16:58:43 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-03 15:16:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-04-02 18:23:50 0 d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-04-02 18:23:08 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat


-- Find3M Report ---------------------------------------------------------------

2008-04-09 13:09:34 0 d-------- C:\Program Files\Common Files
2008-04-08 17:46:52 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-04-08 15:52:38 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-07 13:09:38 2158 --a------ C:\WINDOWS\mozver.dat
2008-04-06 22:04:50 0 d-------- C:\Program Files\Norton AntiVirus
2008-04-06 10:33:25 0 d-------- C:\Program Files\Real
2008-04-04 17:25:35 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2008-04-04 15:59:54 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-09 15:44:08 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-09 13:31:29 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-09 13:31:28 0 d-------- C:\Program Files\Nero
2008-03-09 12:58:48 0 d-------- C:\Program Files\Ahead
2008-03-09 12:55:33 0 d-------- C:\Program Files\Java
2008-03-08 21:21:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-03-04 22:54:25 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-04 22:53:24 0 d-------- C:\Program Files\Common Files\Real
2008-03-03 21:09:56 0 d-------- C:\Program Files\Windows Live
2008-03-03 04:00:36 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-02 21:31:45 0 d-------- C:\Program Files\Google
2008-03-02 18:29:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-03-02 17:55:16 0 d-------- C:\Program Files\LimeWire
2008-03-02 17:20:59 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-02 17:20:43 0 d-------- C:\Program Files\Windows Live Toolbar
2008-03-02 17:19:26 0 d-------- C:\Program Files\Windows Live Favorites
2008-03-02 17:11:31 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-02 17:10:14 0 d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-02 17:10:09 0 d-------- C:\Program Files\MySpace
2008-02-29 04:22:02 0 d-------- C:\Program Files\Messenger
2008-02-29 04:02:10 0 d-------- C:\Program Files\MSXML 4.0
2008-02-29 02:50:45 0 d-------- C:\Program Files\Pure Networks
2008-02-29 02:47:11 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-28 23:47:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-28 23:47:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-02-28 22:56:14 0 d-------- C:\Program Files\BigFix
2008-02-28 22:56:03 0 d-------- C:\Program Files\Common Files\AOL
2008-02-28 22:40:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-02-28 16:59:07 0 d-------- C:\Program Files\Intel
2008-02-28 16:57:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-28 15:51:39 0 d-------- C:\Program Files\Symantec
2008-02-28 15:51:13 0 d-------- C:\Program Files\SymNetDrv
2008-02-28 15:48:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-02-28 12:49:53 0 d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2008-02-28 12:48:34 0 d-------- C:\Program Files\Digital Media Reader
2008-02-28 12:48:23 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-28 12:46:15 0 d-------- C:\Program Files\CyberLink
2008-02-28 12:46:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-28 12:45:36 0 d-------- C:\Program Files\Microsoft Works
2008-02-28 12:43:43 0 d-------- C:\Program Files\QuickTime
2008-02-28 12:43:34 0 d-------- C:\Program Files\Common Files\Nullsoft
2008-02-28 12:42:37 335 --a------ C:\WINDOWS\nsreg.dat
2008-02-28 12:41:38 0 d-------- C:\Program Files\Microsoft Money
2008-02-28 12:41:05 0 d-------- C:\Program Files\MSN Encarta Plus
2008-02-28 12:40:57 0 d-------- C:\Program Files\NVIDIA Corporation
2008-02-28 12:40:57 0 d-------- C:\Program Files\Common Files\NVIDIA Shared
2008-02-28 12:39:36 0 d-------- C:\Program Files\Common Files\Java
2008-02-28 12:39:31 0 d-------- C:\Program Files\Common Files\New Boundary
2008-02-28 12:23:43 60 --a------ C:\MOVE_RECOVERY
2008-02-01 12:11:10 586240 --a------ C:\WINDOWS\WLXPGSS.SCR <Not Verified; Microsoft Corporation; Windows Live Photo Gallery>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f3ed5cd-0726-42a9-87f5-d13f3d2976ac}]
12/17/2007 12:12 PM 56360 --a------ C:\Program Files\Windows Live\Family Safety\fssbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [08/04/2004 03:00 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 04:42 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/17/2008 11:42 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/12/2004 05:50 AM]
"nwiz"="nwiz.exe" [07/12/2004 05:50 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [07/12/2004 05:50 AM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/04/2004 12:51 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 11:42 PM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [10/18/2004 06:05 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [02/28/2008 03:51 PM]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [12/17/2007 12:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/04/2008 10:51 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [01/22/2008 07:43 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 04:32 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/05/2008 02:23 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [10/28/2005 04:25 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-10 20:48:27 ------------



Here's the extra.txt log

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ 3000+
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 447.48 MiB / 111.74 MiB
Pagefile Memory (total/avail): 1057.42 MiB / 466.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.95 MiB

C: is Fixed (NTFS) - 69.57 GiB total, 49.5 GiB free.
D: is Fixed (FAT32) - 4.95 GiB total, 2.87 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-22JHA0 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 69.57 GiB - C:
\PARTITION1 - Unknown - 4.96 GiB - D:

\\.\PHYSICALDRIVE1 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE2 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE3 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE4 - eM Bay Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: Norton Internet Worm Protection v2005 (Symantec)
FW: Windows Live OneCare Firewall v1.0.0 (Microsoft Corporation)
AV: Norton AntiVirus 2005 v2005 (Symantec Corporation)
AV: Windows Live OneCare v1.0.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PISTOL357
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\PISTOL357
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intel\DMIX
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=PISTOL357
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{F5AF5CDA-76FC-4794-9F28-09B6D54E7431}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
GTOneCare --> MsiExec.exe /X{72690A58-4C2A-4CDE-928C-DF925B125F43}
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 2.0.2 --> "C:\Documents and Settings\Owner\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Network Connections 12.4.38.0 --> MsiExec.exe /i{888D0F50-FF0A-4808-966E-23D63277BF2A} ARPREMOVE=1
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Protection Service --> MsiExec.exe /I{85CFDC2D-710E-49D5-B799-F3743CA506BA}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Live OneCare Resources v2.0.2500.22 --> MsiExec.exe /I{5660022E-F3F2-4126-8CC5-9726C47150EB}
Microsoft Windows OneCare Live AntiSpyware and AntiVirus --> MsiExec.exe /I{E6A31482-989E-4E3C-B0C0-1ED4DBD5BC83}
Microsoft Windows OneCare Live v2.0.2500.22 --> MsiExec.exe /I{D07A8E7E-D324-4945-BA8C-E532AD008FF3}
Microsoft Windows OneCare Live v2.0.2500.22 Idcrl Install --> MsiExec.exe /I{3851147E-5A91-4469-BA4D-13FFFCC8A920}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nero 7 Demo --> MsiExec.exe /I{84B2CF01-194D-2284-B313-F2E0D78D1033}
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus 2005 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NVIDIA Drivers --> C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
NvMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\setup.exe" -uninstall
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{DF821FC5-C198-452B-A0D4-82433EFEAE9B}
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{117CD9C0-0F15-4633-93D7-F957B50535A5}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PX Engine --> MsiExec.exe /I{6513E869-647F-40FD-A55D-CFC92579B9BA}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare --> "C:\Program Files\Microsoft Windows OneCare Live\OCSetup.exe" /u
Windows Live OneCare Family Safety --> MsiExec.exe /X{3403CB31-D7C1-43F4-9D2F-579758C0CF09}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{A40D6757-B145-4FE7-B694-89180A9F3F64}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1933 / Error
Event Submitted/Written: 04/10/2008 08:22:44 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Norton AntiVirus 2005 -- Norton AntiVirus 2005 does not support the Repair feature, please uninstall and reinstall.

Event Record #/Type1932 / Warning
Event Submitted/Written: 04/10/2008 08:22:43 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{C6F5B6CF-609C-428E-876F-CA83176C021B}', feature 'Complete' failed during request for component '{6EA56B47-0667-460E-A91B-53AA80E3616D}'

Event Record #/Type1931 / Warning
Event Submitted/Written: 04/10/2008 08:22:43 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{C6F5B6CF-609C-428E-876F-CA83176C021B}', feature 'Complete', component '{6DD22B40-C9AA-4632-A6C3-F364E77568C0}' failed. The resource 'C:\Program Files\Norton AntiVirus\Quarantine\Portal\' does not exist.

Event Record #/Type1929 / Error
Event Submitted/Written: 04/10/2008 08:22:43 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Norton AntiVirus 2005 -- Norton AntiVirus 2005 does not support the Repair feature, please uninstall and reinstall.

Event Record #/Type1928 / Warning
Event Submitted/Written: 04/10/2008 08:22:41 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{C6F5B6CF-609C-428E-876F-CA83176C021B}', feature 'Complete' failed during request for component '{6EA56B47-0667-460E-A91B-53AA80E3616D}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4722 / Warning
Event Submitted/Written: 04/10/2008 08:32:58 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4720 / Warning
Event Submitted/Written: 04/10/2008 08:12:07 PM
Event ID/Source: 3004 / OneCareMP
Event Description:
%NT AUTHORITY29 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %NT AUTHORITY29 can't undo changes that you allow.

For more information please see the following:
%NT AUTHORITY295

Scan ID: {97467A35-EC50-48F5-AE3D-C706BA09E103}

Agent: %NT AUTHORITY43

User: NT AUTHORITY\SYSTEM

Name: %NT AUTHORITY291

ID: %NT AUTHORITY292

Severity: 1.5.1944.05

Category: 1.5.1944.06

Path Found: %NT AUTHORITY296

Alert Type: %NT AUTHORITY298

Process Name: C:\WINDOWS\system32\svchost.exe

Detection Type: 1.5.1944.02

Status: 1.5.1944.00

Event Record #/Type4719 / Warning
Event Submitted/Written: 04/10/2008 07:12:07 PM
Event ID/Source: 3004 / OneCareMP
Event Description:
%NT AUTHORITY29 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %NT AUTHORITY29 can't undo changes that you allow.

For more information please see the following:
%NT AUTHORITY295

Scan ID: {3C7AF1B4-7279-4F32-9397-15DAC3CA3854}

Agent: %NT AUTHORITY43

User: NT AUTHORITY\SYSTEM

Name: %NT AUTHORITY291

ID: %NT AUTHORITY292

Severity: 1.5.1944.05

Category: 1.5.1944.06

Path Found: %NT AUTHORITY296

Alert Type: %NT AUTHORITY298

Process Name: C:\WINDOWS\system32\svchost.exe

Detection Type: 1.5.1944.02

Status: 1.5.1944.00

Event Record #/Type4718 / Warning
Event Submitted/Written: 04/10/2008 06:12:06 PM
Event ID/Source: 3004 / OneCareMP
Event Description:
%NT AUTHORITY29 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %NT AUTHORITY29 can't undo changes that you allow.

For more information please see the following:
%NT AUTHORITY295

Scan ID: {7D8E34A4-F0EC-4990-B64F-683F424B894A}

Agent: %NT AUTHORITY43

User: NT AUTHORITY\SYSTEM

Name: %NT AUTHORITY291

ID: %NT AUTHORITY292

Severity: 1.5.1944.05

Category: 1.5.1944.06

Path Found: %NT AUTHORITY296

Alert Type: %NT AUTHORITY298

Process Name: C:\WINDOWS\system32\svchost.exe

Detection Type: 1.5.1944.02

Status: 1.5.1944.00

Event Record #/Type4717 / Warning
Event Submitted/Written: 04/10/2008 05:12:07 PM
Event ID/Source: 3004 / OneCareMP
Event Description:
%NT AUTHORITY29 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %NT AUTHORITY29 can't undo changes that you allow.

For more information please see the following:
%NT AUTHORITY295

Scan ID: {F13E8ECF-15E5-4BC3-B7BF-A62B6DEF8AA6}

Agent: %NT AUTHORITY43

User: NT AUTHORITY\SYSTEM

Name: %NT AUTHORITY291

ID: %NT AUTHORITY292

Severity: 1.5.1944.05

Category: 1.5.1944.06

Path Found: %NT AUTHORITY296

Alert Type: %NT AUTHORITY298

Process Name: C:\WINDOWS\system32\svchost.exe

Detection Type: 1.5.1944.02

Status: 1.5.1944.00



-- End of Deckard's System Scanner: finished at 2008-04-10 20:48:27 ------------



Here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:46 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live&
  • 0

#14
koko_crunch
Posted 11 April 2008 - 02:52 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Your post got cut off. Could you please post back with Superantispyware log.
Thanks. :)
  • 0

#15
walton74
Posted 11 April 2008 - 09:24 AM

walton74

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Oh yeah, and the Super Anti-Spyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/09/2008 at 06:28 AM

Application Version : 4.0.1154

Core Rules Database Version : 3432
Trace Rules Database Version: 1424

Scan type : Complete Scan
Total Scan Time : 01:07:13

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 5525
Registry threats detected : 0
File items scanned : 66868
File threats detected : 20

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@media6degrees[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver[1].txt
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP