wmsdkns, locked taskbar, awful stuff please help me! [RESOLVED]

#1
MoonBloo
wmsdkns, transponder variant, popups, hijacked wallpaper, locked taskbar, more! Please help!
I am yet another seeking help with a sudden massive infestation, complete with disabled taskbar, wallpaper hijacked to blue with big yellow and red letters going on about spyware, constant popups wanting me to click here or there (which of course I do not do), faux Windows Security Center screens, IE opening to livesecuritycenter.com, start page hijacked, all the same stuff as I see other poor souls have recently been suffering.


wmsdkns.exe, Seekmo, 180 Search Assistant and 2020search are some of them. I have tried everything (including SDFix and ComboFix) for 24 hours without stopping, and have gotten rid of a few things, maybe. At first I think there was Kazaa and 123-something, which actually might still be there, but the main ones, whose plagues are outlined above, remain when I scan with any of the major and popular spyware removal tools, from AVG to Spyware Terminator, you name it. If I didn't have it before yesterday (and I did have quite a bit), I have it today, but nothing seems to work.


I am desperate. I am beside myself. So without further moaning, I am posting logs from Deckard's System Scanner, HijackThis, and Malwarebytes' Anti-Malware in the hope that someone can please tell me something I can do to get my computer back.

============================

Malwarebytes' Anti-Malware 1.10
Database version: 598

Scan type: Full Scan (C:\|)
Objects scanned: 108298
Time elapsed: 19 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 65

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\opcpsjkh\mforcbol.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP57\A0004440.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP60\A0004508.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP60\A0004568.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP60\A0004631.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP60\A0004638.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP60\A0004639.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP60\A0004640.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP61\A0004671.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP75\A0005332.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\salm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\updatetc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIXU.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WER8274.DLL (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\id53.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.

============================

Deckard's System Scanner v20071014.68
Run by Viewer on 2008-04-07 13:09:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-04-07 17:09:35 UTC - RP77 - Deckard's System Scanner Restore Point
76: 2008-04-07 12:51:49 UTC - RP76 - Spyware Terminator - restore point
75: 2008-04-07 07:48:10 UTC - RP75 - Installed SUPERAntiSpyware Free Edition
74: 2008-04-07 05:23:01 UTC - RP74 - Spyware Terminator - restore point
73: 2008-04-07 05:22:25 UTC - RP73 - Spyware Terminator - restore point


-- First Restore Point --
1: 2008-03-04 18:35:19 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Viewer.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:04 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FileBX\FileBX.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\0407\dss.exe
C:\0407\Viewer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spybot-S&D Security Center launcher] C:\Program Files\Spybot - Search & Destroy\SDMain.exe
O4 - HKCU\..\Run: [Spyware Terminator Realtime Shield] C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Global Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2DA5F47-F3FD-46FD-85B5-904C9B57A3A2}: NameServer = 205.152.37.23 205.152.144.23
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10716 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\Documents and Settings\All Users\Application Data\IconTweaker\Themes\Celestial II\Celestial II.icl,16
.ini - inifile - DefaultIcon - C:\Documents and Settings\Viewer\Local Settings\Application Data\Microangelo On Display\Installed System Icons\sysicon2.ico
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - DefaultIcon - C:\Documents and Settings\All Users\Application Data\IconTweaker\Themes\Celestial II\Celestial II.icl,17


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys
R1 VD_FileDisk - c:\windows\system32\drivers\vd_filedisk.sys <Not Verified; Flint Incorporation; VD_FileDisk>
R3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\viewer\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BOCore - c:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
R2 ftpqueue (Ipswitch WS_FTP Queue) - c:\program files\ws_ftp pro\ftpsched.exe <Not Verified; Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421; WS_FTP Queue>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>

S3 SRS Labs License Service - "c:\program files\common files\srs labs shared\service\srslabslicenseservice.exe" <Not Verified; SRS Labs; SRS Labs License Service>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 12:56:17 12800 --a------ C:\WINDOWS\swin32.dll
2008-04-07 12:56:17 25856 --a------ C:\WINDOWS\stcloader.exe
2008-04-07 12:56:17 19968 --a------ C:\WINDOWS\cdsm32.dll
2008-04-07 12:56:17 14848 --a------ C:\WINDOWS\bokja.exe
2008-04-07 12:56:17 0 d-------- C:\Program Files\stc
2008-04-07 12:56:16 20992 --a------ C:\WINDOWS\mspphe.dll
2008-04-07 12:56:16 23552 --a------ C:\WINDOWS\bjam.dll
2008-04-07 12:56:16 29696 --a------ C:\WINDOWS\2020search.dll
2008-04-07 12:56:16 0 d-------- C:\Program Files\seekmo
2008-04-07 12:56:15 31488 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-04-07 12:56:15 17152 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-04-07 12:56:15 0 d-------- C:\Program Files\zango
2008-04-07 12:56:15 0 d-------- C:\Program Files\180search assistant
2008-04-07 12:56:14 24832 --a------ C:\WINDOWS\updatetc.exe
2008-04-07 12:56:14 0 d-------- C:\WINDOWS\FLEOK
2008-04-07 12:56:14 18176 --a------ C:\WINDOWS\180ax.exe
2008-04-07 12:56:14 0 d-------- C:\Program Files\180solutions
2008-04-07 12:56:14 0 d-------- C:\Program Files\180searchassistant
2008-04-07 12:56:13 24576 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-04-07 12:56:13 18176 --a------ C:\WINDOWS\saiemod.dll
2008-04-07 12:56:13 9472 --a------ C:\WINDOWS\msapasrc.dll
2008-04-07 12:56:13 13568 --a------ C:\WINDOWS\msa64chk.dll
2008-04-07 12:56:12 28160 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-04-07 12:56:11 21248 --a------ C:\WINDOWS\winsb.dll
2008-04-07 12:56:11 21504 --a------ C:\WINDOWS\shdocpl.dll
2008-04-07 12:56:11 24320 --a------ C:\WINDOWS\shdocpe.dll
2008-04-07 12:56:11 31232 --a------ C:\WINDOWS\ntnut.exe
2008-04-07 12:56:11 26624 --a------ C:\WINDOWS\browserad.dll
2008-04-07 12:56:11 0 d-------- C:\Program Files\Sysmnt
2008-04-07 12:56:10 19200 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-07 12:56:10 15360 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-07 12:56:10 23296 --a------ C:\WINDOWS\avifile32.dll
2008-04-07 12:56:10 19712 --a------ C:\WINDOWS\autodisc32.dll
2008-04-07 12:56:10 25856 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-07 12:56:10 22784 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-07 12:56:10 14336 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-07 12:56:09 17152 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-07 12:56:09 16640 --a------ C:\WINDOWS\athprxy32.dll
2008-04-07 12:56:09 22272 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-07 12:56:09 23808 --a------ C:\WINDOWS\asferror32.dll
2008-04-07 12:56:09 10752 --a------ C:\WINDOWS\apphelp32.dll
2008-04-07 12:53:01 0 dr-h----- C:\Documents and Settings\Viewer\Recent
2008-04-07 12:28:36 0 d-------- C:\Documents and Settings\Viewer\Application Data\Malwarebytes
2008-04-07 12:28:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 12:28:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 11:50:30 0 d-------- C:\Program Files\SpywareBlaster
2008-04-07 11:42:03 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2008-04-07 11:42:02 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2008-04-07 11:41:56 0 d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2008-04-07 11:04:32 0 d-------- C:\Documents and Settings\Viewer\Application Data\Grisoft
2008-04-07 09:19:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-07 09:05:08 0 d-------- C:\smitfraudfix
2008-04-07 08:22:12 0 d-------- C:\smitrem
2008-04-07 07:36:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\JGsoft
2008-04-07 05:56:56 0 d-------- C:\0407
2008-04-07 05:04:34 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-07 04:37:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:48:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 03:48:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 03:48:11 0 d-------- C:\Documents and Settings\Viewer\Application Data\SUPERAntiSpyware.com
2008-04-07 03:46:54 64089 --a------ C:\rr-free-setup.exe <Not Verified; Malwarebytes; >
2008-04-07 00:39:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-04-06 19:10:56 0 d-------- C:\Program Files\Enigma Software Group
2008-04-06 17:54:15 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-06 17:45:09 68096 --a------ C:\WINDOWS\zip.exe
2008-04-06 17:45:09 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-06 17:45:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 17:45:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 17:45:09 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 17:45:09 98816 --a------ C:\WINDOWS\sed.exe
2008-04-06 17:45:09 80412 --a------ C:\WINDOWS\grep.exe
2008-04-06 17:45:09 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-06 17:19:21 0 d-------- C:\WINDOWS\ERUNT
2008-04-06 17:06:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\VCOM
2008-04-06 16:08:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-06 14:42:01 0 d-------- C:\Documents and Settings\All Users\Application Data\opcpsjkh
2008-04-06 14:42:00 0 d-------- C:\WINDOWS\uprjiefj
2008-04-06 14:41:52 67584 --a------ C:\WINDOWS\pixwfcho.dll
2008-04-06 14:41:52 67584 --a------ C:\Documents and Settings\All Users\Application Data\zyzujypg.dll
2008-04-06 14:41:23 91561 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-06 14:41:13 6656 --a------ C:\WINDOWS\system32\s.dll
2008-04-04 07:47:26 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-04-04 07:47:26 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-04-04 07:47:26 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-04-04 07:47:26 65602 --a------ C:\WINDOWS\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-04-04 07:47:25 626688 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-03-31 14:54:23 0 d-------- C:\Documents and Settings\Viewer\Application Data\FileZilla
2008-03-31 14:53:59 0 d-------- C:\Program Files\FileZilla FTP Client
2008-03-31 14:09:02 0 d--h----- C:\WINDOWS\PIF
2008-03-30 19:22:18 0 d-------- C:\Documents and Settings\Viewer\Application Data\dvdcss
2008-03-30 19:06:16 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-25 22:30:24 0 d-------- C:\Program Files\MagicISO
2008-03-25 21:40:07 0 d-------- C:\Program Files\PowerISO
2008-03-24 18:46:57 0 d-------- C:\tunez
2008-03-24 11:21:19 0 d-------- C:\experimentingwithresources
2008-03-24 11:01:40 0 d-------- C:\Program Files\XN Resource Editor
2008-03-24 10:59:29 0 d-------- C:\Program Files\reshack
2008-03-24 07:55:01 0 d-------- C:\goingtothepictureshow
2008-03-21 13:11:33 0 d-------- C:\Program Files\VCOM
2008-03-21 13:11:26 0 d-------- C:\Documents and Settings\Viewer\Application Data\VCOM
2008-03-20 07:40:22 0 d-------- C:\Program Files\CursorXP
2008-03-18 17:00:40 0 d-------- C:\Documents and Settings\Viewer\.gimp-2.2
2008-03-18 17:00:08 0 d-------- C:\Program Files\GIMPshop
2008-03-18 16:22:20 0 d-------- C:\Documents and Settings\Viewer\Application Data\HEXelon
2008-03-18 16:21:57 0 d-------- C:\Program Files\TC UP
2008-03-18 15:55:46 0 d-------- C:\Program Files\VSO
2008-03-18 15:37:07 0 d-------- C:\Documents and Settings\Viewer\Application Data\Jasc
2008-03-18 14:05:26 0 d-------- C:\Program Files\MYIE
2008-03-12 23:37:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Microangelo On Display
2008-03-12 23:36:06 0 d-------- C:\Program Files\Microangelo On Display
2008-03-12 23:35:06 0 d-------- C:\Program Files\Microangelo Toolset 6
2008-03-11 02:14:04 0 d-------- C:\Neroblocker
2008-03-11 02:13:10 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-11 01:31:49 0 d-------- C:\Documents and Settings\Viewer\Application Data\Nero
2008-03-11 01:30:12 0 d-------- C:\Program Files\Nero
2008-03-11 01:30:12 0 d-------- C:\Program Files\Common Files\Nero
2008-03-11 01:30:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-10 11:26:40 0 d-------- C:\Documents and Settings\Viewer\Application Data\AdobeUM
2008-03-09 17:27:32 0 d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-09 17:26:54 0 d-------- C:\Documents and Settings\Viewer\Application Data\GRETECH
2008-03-09 17:26:44 0 d-------- C:\Program Files\GRETECH
2008-03-09 17:09:43 348160 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll <Not Verified; Online Media Technologies Ltd.; NCTWMAFile2 ActiveX DLL>
2008-03-09 17:09:43 479232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioVisualization2 ActiveX DLL>
2008-03-09 17:09:43 602112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioTransform2 ActiveX DLL>
2008-03-09 17:09:43 458752 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioRecord2 ActiveX DLL>
2008-03-09 17:09:43 458752 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer2 ActiveX DLL>
2008-03-09 17:09:42 1212416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-03-09 17:09:42 1986560 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-03-09 17:09:42 880640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioEditor2 ActiveX DLL>
2008-03-09 17:09:42 417792 --a------ C:\WINDOWS\system32\NCTAudioDisplay2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioDisplay2 ActiveX DLL>
2008-03-09 17:09:42 2084864 --a------ C:\WINDOWS\system32\NCTAudioDesign2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioDesign2 ActiveX DLL>
2008-03-09 17:09:42 835584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll <Not Verified; NCT; NCTAudioCDGrabber2 ActiveX DLL>
2008-03-09 17:09:41 0 d-------- C:\Program Files\Magic Music Editor
2008-03-09 17:09:18 0 d-------- C:\Program Files\Magic Video Converter
2008-03-09 17:08:57 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-09 17:08:57 47360 --a------ C:\Documents and Settings\Viewer\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-09 17:08:57 81920 --a------ C:\Documents and Settings\Viewer\Application Data\ezpinst.exe
2008-03-09 17:08:56 0 d-------- C:\Documents and Settings\Viewer\Application Data\Vso
2008-03-09 17:08:53 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-03-09 17:08:53 314368 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-03-09 17:08:52 0 d-------- C:\Program Files\Magic Video Studio
2008-03-09 17:03:32 638976 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-03-09 17:03:32 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-03-09 17:03:31 139264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-03-09 17:03:31 524288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-09 17:03:31 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2008-03-09 17:03:31 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2008-03-09 17:03:31 0 d-------- C:\Program Files\AVSMedia
2008-03-07 18:06:55 0 d-------- C:\Program Files\uTorrent
2008-03-07 18:06:25 0 d-------- C:\Documents and Settings\Viewer\Application Data\uTorrent
2008-03-07 14:39:22 0 d-------- C:\Program Files\Jasc Software Inc
2008-03-07 14:38:32 0 d-------- C:\Program Files\PaintShopPro7
2008-03-07 05:06:46 53248 --a------ C:\WINDOWS\system32\fwsvpn.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-07 13:10:24 29184 --a------ C:\WINDOWS\voiceip.dll
2008-04-07 13:10:24 17152 --a------ C:\WINDOWS\mssvr.exe
2008-04-07 13:10:24 17664 --a------ C:\WINDOWS\2020search2.dll
2008-04-07 13:10:23 19968 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-07 13:10:23 10752 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-07 13:10:23 20992 --a------ C:\WINDOWS\salm.exe
2008-04-07 11:41:49 0 d-------- C:\Program Files\COMODO
2008-04-07 08:51:45 0 d-------- C:\Program Files\Spyware Terminator
2008-04-07 08:32:28 0 d-------- C:\Documents and Settings\Viewer\Application Data\Spyware Terminator
2008-04-07 03:47:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 18:22:23 0 d-------- C:\Program Files\Trellian
2008-04-06 16:11:39 0 d-------- C:\Documents and Settings\Viewer\Application Data\AVG7
2008-04-06 14:40:15 1346420 --a------ C:\Documents and Settings\Viewer\Application Data\vso_ts_preview.xml
2008-04-04 07:47:34 34 --a------ C:\Documents and Settings\Viewer\Application Data\pcouffin.log
2008-04-04 07:47:30 1144 --a------ C:\Documents and Settings\Viewer\Application Data\pcouffin.inf
2008-04-04 07:47:30 7887 --a------ C:\Documents and Settings\Viewer\Application Data\pcouffin.cat
2008-03-24 08:48:15 0 d-------- C:\Documents and Settings\Viewer\Application Data\ColorCop
2008-03-21 13:11:34 0 d-------- C:\Program Files\Ontrack
2008-03-19 13:45:49 0 d-------- C:\Program Files\Java
2008-03-11 01:30:12 0 d-------- C:\Program Files\Common Files
2008-03-10 09:09:06 0 d-------- C:\Documents and Settings\Viewer\Application Data\EditPlus 2
2008-03-09 17:00:34 0 d-------- C:\Documents and Settings\Viewer\Application Data\gtk-2.0
2008-03-09 17:00:26 0 d-------- C:\Program Files\Avidemux 2.4
2008-03-09 09:09:43 0 d-------- C:\Documents and Settings\Viewer\Application Data\BitTyrant
2008-03-09 05:05:52 0 d-------- C:\Documents and Settings\Viewer\Application Data\Comodo
2008-03-07 16:10:30 0 d-------- C:\Program Files\PeerGuardian2
2008-03-07 05:06:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-07 02:48:56 0 d-------- C:\Program Files\BitTyrant
2008-03-06 18:28:13 0 d-------- C:\Program Files\TopStyle3
2008-03-06 18:25:51 0 d-------- C:\Program Files\Allaire
2008-03-06 18:11:20 0 d-------- C:\Documents and Settings\Viewer\Application Data\JGsoft
2008-03-06 18:09:53 0 d-------- C:\Program Files\JGsoft
2008-03-06 12:36:12 0 d-------- C:\Program Files\Macromedia
2008-03-06 12:36:12 0 d-------- C:\Program Files\Common Files\Macromedia
2008-03-05 23:50:33 0 d-------- C:\Program Files\dBpowerAMP
2008-03-05 23:49:16 57050 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP.dat
2008-03-05 23:49:16 167424 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-03-05 23:22:24 0 d-------- C:\Program Files\Common Files\SRS Labs Shared
2008-03-05 23:22:11 0 d-------- C:\Program Files\SRS Labs
2008-03-05 23:13:12 0 d-------- C:\Documents and Settings\Viewer\Application Data\Blumentals
2008-03-05 23:11:10 0 d-------- C:\Program Files\Virtual Mechanics
2008-03-05 22:06:53 0 d-------- C:\Program Files\Arachnophilia
2008-03-05 07:05:10 0 d-------- C:\Program Files\MediaCoder
2008-03-05 07:00:31 0 d-------- C:\Program Files\zweistein
2008-03-05 06:32:00 0 d-------- C:\Program Files\Thugs at Bay
2008-03-05 06:24:06 0 d-------- C:\Program Files\AVIedit
2008-03-05 01:07:03 0 d-------- C:\Program Files\URUSoft
2008-03-04 22:51:58 0 d-------- C:\Program Files\Revo Uninstaller
2008-03-04 11:22:15 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-03-04 11:21:41 0 d-------- C:\Documents and Settings\Viewer\Application Data\TuneUp Software
2008-03-04 00:28:18 0 d-------- C:\Program Files\EditPlus 2
2008-03-03 12:42:17 0 d-------- C:\Program Files\EmEditor
2008-03-03 11:20:35 0 d-------- C:\Program Files\metapad
2008-03-03 09:08:47 0 d-------- C:\Documents and Settings\Viewer\Application Data\Help
2008-03-03 02:42:45 0 d-------- C:\Program Files\Lavasoft
2008-03-03 00:19:18 0 d-------- C:\Program Files\TextPad 5
2008-03-03 00:13:10 0 d-------- C:\Documents and Settings\Viewer\Application Data\Helios
2008-02-29 21:34:41 0 d-------- C:\Program Files\UltraEdit
2008-02-29 13:36:19 0 d-------- C:\Program Files\CCleaner
2008-02-29 10:21:33 0 d-------- C:\Program Files\WinHTTrack
2008-02-29 02:34:56 0 d-------- C:\Program Files\zabkat
2008-02-28 08:47:06 0 d-------- C:\Program Files\Ulead SmartSaver Pro 2.0
2008-02-28 08:05:57 0 d-------- C:\Program Files\Foxit Software
2008-02-27 06:41:26 0 d-------- C:\Documents and Settings\Viewer\Application Data\vlc
2008-02-27 00:42:18 0 d-------- C:\Program Files\VLC
2008-02-26 15:17:32 0 d-------- C:\Program Files\Crimson Editor
2008-02-24 18:12:51 0 d-------- C:\Program Files\MaxMem
2008-02-24 16:52:21 0 d-------- C:\Program Files\SpyBlocker Software
2008-02-23 15:00:09 0 d-------- C:\Documents and Settings\Viewer\Application Data\Sun
2008-02-23 13:22:19 0 d-------- C:\Program Files\Azureus
2008-02-23 12:27:27 0 d-------- C:\Documents and Settings\Viewer\Application Data\LimeWire
2008-02-22 23:48:31 0 d-------- C:\Documents and Settings\Viewer\Application Data\Winamp
2008-02-22 22:54:53 0 d-------- C:\Program Files\Winamp
2008-02-22 21:47:26 0 d-------- C:\Program Files\LimeWire
2008-02-22 21:02:45 0 d-------- C:\Documents and Settings\Viewer\Application Data\NoteTab Pro
2008-02-22 20:07:09 0 d-------- C:\Program Files\NoteTab Pro Trial
2008-02-22 10:20:05 0 d-------- C:\Program Files\KompoZer
2008-02-22 10:14:13 0 d-------- C:\Program Files\Star Downloader
2008-02-22 09:42:37 0 d-------- C:\Documents and Settings\Viewer\Application Data\Adobe
2008-02-22 08:17:40 0 d-------- C:\Program Files\Mmm
2008-02-22 08:16:21 0 d-------- C:\Program Files\Index.dat Suite
2008-02-22 08:11:39 0 d-------- C:\Program Files\a-squared Free
2008-02-22 06:59:01 0 d-------- C:\Program Files\ScrubXP
2008-02-22 06:57:14 0 d-------- C:\Program Files\ContextMenuEditor
2008-02-22 05:32:32 0 d-------- C:\Program Files\ShellExView
2008-02-21 23:57:44 0 d-------- C:\Program Files\Xenu
2008-02-21 23:33:25 0 d-------- C:\Documents and Settings\Viewer\Application Data\VSRevoGroup
2008-02-21 22:57:52 0 d-------- C:\Documents and Settings\Viewer\Application Data\PSpad
2008-02-21 22:57:45 0 d-------- C:\Program Files\PSPad editor
2008-02-21 22:55:18 0 d-------- C:\Documents and Settings\Viewer\Application Data\Artweaver
2008-02-21 22:55:17 0 d-------- C:\Program Files\Artweaver 0.4
2008-02-21 22:39:25 0 d-------- C:\Program Files\Serif
2008-02-21 04:20:34 39424 --a------ C:\WINDOWS\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-02-21 04:18:17 0 d-------- C:\Documents and Settings\Viewer\Application Data\IcoFX
2008-02-21 04:18:16 0 d-------- C:\Program Files\IcoFX 1.5
2008-02-21 04:17:28 0 d-------- C:\Program Files\UltraExplorer
2008-02-21 04:16:47 0 d-------- C:\Program Files\ExplorerXP
2008-02-21 04:10:48 0 d-------- C:\Program Files\IconTweaker
2008-02-21 04:10:48 0 d-------- C:\Documents and Settings\Viewer\Application Data\IconTweaker
2008-02-21 04:09:07 0 d-------- C:\Documents and Settings\Viewer\Application Data\Trellian
2008-02-21 04:06:32 0 d-------- C:\Documents and Settings\Viewer\Application Data\Nvu
2008-02-21 04:06:30 0 d-------- C:\Program Files\Nvu
2008-02-21 04:04:03 0 d-------- C:\Documents and Settings\Viewer\Application Data\KompoZer
2008-02-21 04:00:42 0 d-------- C:\Program Files\GIMP-2.0
2008-02-20 23:55:32 0 d-------- C:\Program Files\IrfanView
2008-02-20 23:44:18 0 d-------- C:\Program Files\FileBX
2008-02-20 08:57:15 0 d-------- C:\Documents and Settings\Viewer\Application Data\Mozilla
2008-02-20 07:29:25 0 d-------- C:\Documents and Settings\Viewer\Application Data\Hyperionics
2008-02-19 22:12:36 0 d-------- C:\Program Files\Teleport Pro
2008-02-18 07:08:12 0 d-------- C:\Program Files\Maxthon
2008-02-18 06:07:52 0 d-------- C:\Program Files\IE Booster
2008-02-18 05:26:00 796672 --a------ C:\WINDOWS\GPInstall.exe <Not Verified; Qsc; GP-Install>
2008-02-18 04:54:29 0 d-------- C:\Program Files\Crawler
2008-02-17 22:39:40 0 d-------- C:\Program Files\WS_FTP Pro
2008-02-17 22:26:58 0 d-------- C:\Program Files\Google
2008-02-17 19:38:31 0 d-------- C:\Documents and Settings\Viewer\Application Data\Macromedia
2008-02-17 19:14:00 0 d-------- C:\Documents and Settings\Viewer\Application Data\Google
2008-02-13 15:32:24 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-13 15:30:08 0 d-------- C:\Program Files\Dell
2008-02-13 15:29:46 0 d-------- C:\Program Files\Microsoft Works
2008-02-13 15:29:29 0 d-------- C:\Program Files\Microsoft.NET
2008-02-13 15:27:08 0 d-------- C:\Program Files\CyberLink
2008-02-13 15:26:59 0 d-------- C:\Program Files\Roxio
2008-02-13 15:26:54 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-13 15:26:51 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-13 15:26:43 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-13 15:26:42 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-13 15:23:59 0 d-------- C:\Program Files\Intel
2008-02-13 15:23:31 0 d-------- C:\Program Files\Digital Line Detect
2008-02-13 15:23:28 0 d-------- C:\Program Files\NetWaiting
2008-02-13 15:23:27 0 d-------- C:\Program Files\Modem Diagnostic Tool
2008-02-13 15:23:27 0 d-------- C:\Documents and Settings\Viewer\Application Data\InstallShield
2008-02-13 15:22:24 0 d-------- C:\Program Files\Messenger
2008-02-13 15:21:39 0 d-------- C:\Program Files\Common Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

Edited by MoonBloo, 07 April 2008 - 12:12 PM.

  • 0



#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, and the current question is... who has more files on your computer, MS or the Trojans :)

Let's start straight away.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\wmsdkns.exe
    C:\0407\Viewer.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\bokja.exe
    C:\Program Files\stc
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\2020search.dll
    C:\Program Files\seekmo
    C:\WINDOWS\system32\WER8274.DLL
    C:\WINDOWS\system32\MSIXU.DLL
    C:\Program Files\zango
    C:\Program Files\180search assistant
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\FLEOK
    C:\WINDOWS\180ax.exe
    C:\Program Files\180solutions
    C:\Program Files\180searchassistant
    C:\WINDOWS\system32\MSNSA32.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\browserad.dll
    C:\Program Files\Sysmnt
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\asferror32.dll
    C:\WINDOWS\apphelp32.dll
    C:\Documents and Settings\All Users\Application Data\opcpsjkh
    C:\WINDOWS\uprjiefj
    C:\WINDOWS\pixwfcho.dll
    C:\Documents and Settings\All Users\Application Data\zyzujypg.dll
    C:\WINDOWS\system32\s.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\salm.exe
    C:\WINDOWS\voiceip.dll
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


FINALLY FOR NOW

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - Uninstall List
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0
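The three HijackThis entry types Essexboy is fixing above (the F2 Winlogon UserInit value that launches a second executable, the O2 BHO entries whose DLL is gone, and the O6 policy key that locks the IE Control Panel) can be checked mechanically. The following is an added example, not code from the thread, from HijackThis or from its author: it parses HijackThis-style lines and reports anything in UserInit other than the stock userinit.exe, every BHO marked "(no file)", and every O6 policy key. The sample input is constructed from the F2, O2 and O6 lines quoted in the post plus one benign O2 line (a Java SSV helper at an assumed install path) for contrast.

```python
"""Triage HijackThis-style log lines for the persistence tricks the thread works
through: a Winlogon UserInit value that launches a second executable, O2 BHO
entries whose DLL is gone, and O6 policy keys that lock the IE Control Panel.
Added example, not part of the original thread and not HijackThis code."""
import re
from typing import Dict, List

# The only program Winlogon should launch through UserInit on a stock XP box.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9a-f-]{36}\}) - (?P<path>.*)$",
    re.IGNORECASE,
)
POLICY_RE = re.compile(r"^O6 - (?P<key>.*) present$", re.IGNORECASE)

# Constructed sample input: the F2 line, one O2 line and the O6 line quoted in
# the thread, plus one benign O2 line (Java SSV helper, assumed path) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""


def parse_userinit(line: str) -> List[str]:
    """Split a UserInit value into its comma-separated list of programs."""
    m = USERINIT_RE.match(line.strip())
    if not m:
        return []
    # The stock value ends in a trailing comma, which yields an empty item; drop it.
    return [p.strip() for p in m.group("value").split(",") if p.strip()]


def userinit_extras(line: str) -> List[str]:
    """Return every UserInit entry other than the expected userinit.exe.

    The comparison is on the full path, so a userinit.exe dropped into another
    directory is flagged too, not only a second executable appended after it."""
    return [p for p in parse_userinit(line) if p.lower() != EXPECTED_USERINIT]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Walk the log once and collect the entries worth fixing or reviewing."""
    findings: Dict[str, List[str]] = {
        "userinit_extras": [],   # programs Winlogon launches besides userinit.exe
        "orphaned_bhos": [],     # O2 entries whose DLL is missing: dead registrations
        "loaded_bhos": [],       # O2 entries that still point at a file, for review
        "ie_policy_keys": [],    # O6 restrictions that typically hide IE settings
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if USERINIT_RE.match(line):
            findings["userinit_extras"].extend(userinit_extras(line))
            continue
        bho = BHO_RE.match(line)
        if bho:
            path = bho.group("path").strip()
            if path.lower() == "(no file)":
                findings["orphaned_bhos"].append(bho.group("clsid"))
            else:
                findings["loaded_bhos"].append(f"{bho.group('clsid')} {path}")
            continue
        pol = POLICY_RE.match(line)
        if pol:
            findings["ie_policy_keys"].append(pol.group("key"))
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

Run against the constructed sample, it reports wmsdkns.exe as the extra UserInit entry, the one CLSID with no backing file, and the Control Panel policy key, while the Java BHO lands in the review list rather than the fix list; a BHO that still has a file on disk needs a human to decide whether it belongs there.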

#3
MoonBloo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Thank you so much for answering! I found you upon googling that awful wmsdkns and after peeking in at a couple of other places where people were being advised to reformat their hard drives and smash their computers with hammers, you can imagine how my heart leapt when I saw that here others were being helped by good people who seem not only kind but unflappable and as a special bonus, knowledgeable.

Microsoft is definitely losing right now, but I am confident that they will waste no time in releasing some additional bloatage which will have no effect on the various nasties, but will at least put them ahead in the race for the prestigious sheer number of files championship.

I have noticed today you have even more posts from people with this revolting little bolus of crap, so maybe some philanthropist will make a little program with cute cartoon helpmice and you will not have to instruct, nor we the clueless attempt to follow, such a welter of operations.

Moveit, even after repeated attempts, consistently ceased responding while moving pixwfcho.dll, so I am unable to paste the results window in its entirety, and am offering instead a screencap that has at least the bulk of it.

And I am also attaching the log from OTScanit. (On edit - I checked 90 days as you said, but the computer is only a month or so old so that is why there are no entries that go back that far. All of the bad stuff is from about 2:40PM on April 6. Apparently some popunder or something got me)

Thank you again for helping me, I anxiously await my next task, and hope it will not involve recommendations of particularly finely crafted hammers.

Posted Image

Attached Files


Edited by MoonBloo, 08 April 2008 - 04:18 AM.

  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Here we only use hammers as a last resort :) OTMoveit moved some but not all.

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\wmsdkns.exe -> %SystemRoot%\system32\wmsdkns.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {00000250-0320-4dd4-be4f-7566d2314352} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {13197ace-6851-45c3-a7ff-c281324d5489} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {15651c7c-e812-44a2-a9ac-b467a2233e7d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4e1075f4-eec4-4a86-add7-cd5f52858c31} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5dafd089-24b1-4c5e-bd42-8ca72550717b} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {5fa6752a-c4a0-4222-88c2-928ae5ab4966} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {622cc208-b014-4fe0-801b-874a5e5e403a} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {8674aea0-9d3d-11d9-99dc-00600f9a01f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {965a592f-8efa-4250-8630-7960230792f1} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {9c5b2f29-1f46-4639-a6b4-828942301d3e} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {cf021f40-3e14-23a5-cba2-717765728274} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {fc3a74e5-f281-4f10-ae1e-733078684f3c} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {ffff0001-0002-101a-a3c9-08002b2f49fb} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {1212BCB8-67DD-475e-8025-9D2198FB8F61} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\QdrDrive\QdrDrive15.dll [Internet Speed Monitor]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YY -> {36ECAF82-3300-8F84-092E-AFF36D6C7040}:{86529161-034E-4F8A-88D2-3C625E612E04} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\WinHTTrack\WinHTTrackIEBar.dll [Run WinHTTrack]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YY -> CmdMapping\\{36ECAF82-3300-8F84-092E-AFF36D6C7040} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\WinHTTrack\WinHTTrackIEBar.dll [Run WinHTTrack]
[Registry - Additional Scans - Non-Microsoft Only]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .bat [@ = batfile] -> 
YN -> .cmd [@ = cmdfile] -> 
YN -> .com [@ = comfile] -> 
YN -> .exe [@ = exefile] -> 
YN -> .pif [@ = piffile] -> 
YN -> .scr [@ = scrfile] -> 
[Files/Folders - Created Within 90 days]
NY -> s.dll -> %SystemRoot%\System32\s.dll
NY -> shdocpe.dll -> %SystemRoot%\System32\shdocpe.dll
NY -> SIPSPI32.dll -> %SystemRoot%\System32\SIPSPI32.dll
NY -> wmsdkns.exe -> %SystemRoot%\System32\wmsdkns.exe
NY -> 123messenger.per -> %SystemRoot%\123messenger.per
NY -> 180ax.exe -> %SystemRoot%\180ax.exe
NY -> 2020search.dll -> %SystemRoot%\2020search.dll
NY -> 2020search2.dll -> %SystemRoot%\2020search2.dll
NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
NY -> bjam.dll -> %SystemRoot%\bjam.dll
NY -> BOC425.INI -> %SystemRoot%\BOC425.INI
NY -> bokja.exe -> %SystemRoot%\bokja.exe
NY -> browserad.dll -> %SystemRoot%\browserad.dll
NY -> cdsm32.dll -> %SystemRoot%\cdsm32.dll
NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
NY -> didduid.ini -> %SystemRoot%\didduid.ini
NY -> FLEOK -> %SystemRoot%\FLEOK
NY -> HomeSite.ini -> %SystemRoot%\HomeSite.ini
NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
NY -> msapasrc.dll -> %SystemRoot%\msapasrc.dll
NY -> mspphe.dll -> %SystemRoot%\mspphe.dll
NY -> mssvr.exe -> %SystemRoot%\mssvr.exe
NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
NY -> osacwtch.exe -> %SystemRoot%\osacwtch.exe
NY -> PIF -> %SystemRoot%\PIF
NY -> pixwfcho.dll -> %SystemRoot%\pixwfcho.dll
NY -> saiemod.dll -> %SystemRoot%\saiemod.dll
NY -> salm.exe -> %SystemRoot%\salm.exe
NY -> setpwr32.exe -> %SystemRoot%\setpwr32.exe
NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
NY -> stcloader.exe -> %SystemRoot%\stcloader.exe
NY -> swin32.dll -> %SystemRoot%\swin32.dll
NY -> trfntw32.cfg -> %SystemRoot%\trfntw32.cfg
NY -> updatetc.exe -> %SystemRoot%\updatetc.exe
NY -> voiceip.dll -> %SystemRoot%\voiceip.dll
NY -> winsb.dll -> %SystemRoot%\winsb.dll
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\Application Data\TEMP:62E2D794
NY -> zyzujypg.dll -> %AllUsersProfile%\Application Data\zyzujypg.dll
NY -> {527EE0A6-618B-4814-8449-DB8C2DBEE577} -> %AllUsersProfile%\Application Data\{527EE0A6-618B-4814-8449-DB8C2DBEE577}
NY -> ezpinst.exe -> %AppData%\ezpinst.exe
NY -> {3248F0A6-6813-11D6-A77B-00B0D0150060} -> %UserProfile%\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
NY -> .zs4 -> %UserProfile%\My Documents\.zs4
[Files/Folders - Modified Within 90 days]
NY -> MSIXU.DLL -> %SystemRoot%\System32\MSIXU.DLL
NY -> ntnut32.exe -> %SystemRoot%\System32\ntnut32.exe
NY -> s.dll -> %SystemRoot%\System32\s.dll
NY -> shdocpe.dll -> %SystemRoot%\System32\shdocpe.dll
NY -> SIPSPI32.dll -> %SystemRoot%\System32\SIPSPI32.dll
NY -> SoftwareDistribution -> %SystemRoot%\System32\SoftwareDistribution
NY -> 123messenger.per -> %SystemRoot%\123messenger.per
NY -> 180ax.exe -> %SystemRoot%\180ax.exe
NY -> 2020search.dll -> %SystemRoot%\2020search.dll
NY -> 2020search2.dll -> %SystemRoot%\2020search2.dll
NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
NY -> bjam.dll -> %SystemRoot%\bjam.dll
NY -> BOC425.INI -> %SystemRoot%\BOC425.INI
NY -> bokja.exe -> %SystemRoot%\bokja.exe
NY -> browserad.dll -> %SystemRoot%\browserad.dll
NY -> cdsm32.dll -> %SystemRoot%\cdsm32.dll
NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
NY -> didduid.ini -> %SystemRoot%\didduid.ini
NY -> FLEOK -> %SystemRoot%\FLEOK
NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
NY -> mspphe.dll -> %SystemRoot%\mspphe.dll
NY -> mssvr.exe -> %SystemRoot%\mssvr.exe
NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
NY -> pixwfcho.dll -> %SystemRoot%\pixwfcho.dll
NY -> saiemod.dll -> %SystemRoot%\saiemod.dll
NY -> salm.exe -> %SystemRoot%\salm.exe
NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
NY -> smscfg.ini -> %SystemRoot%\smscfg.ini
NY -> stcloader.exe -> %SystemRoot%\stcloader.exe
NY -> swin32.dll -> %SystemRoot%\swin32.dll
NY -> voiceip.dll -> %SystemRoot%\voiceip.dll
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersProfile%\Application Data\TEMP:62E2D794
NY -> zyzujypg.dll -> %AllUsersProfile%\Application Data\zyzujypg.dll
NY -> {527EE0A6-618B-4814-8449-DB8C2DBEE577} -> %AllUsersProfile%\Application Data\{527EE0A6-618B-4814-8449-DB8C2DBEE577}
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY -> {3248F0A6-6813-11D6-A77B-00B0D0150060} -> %UserProfile%\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
NY -> .zs4 -> %UserProfile%\My Documents\.zs4
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanit log (in case I missed one).

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#5
MoonBloo

    Member

  • Topic Starter
  • 27 posts
I closed everything and copied the fix text into the OTScanit window, clicked "Run Fix," and it said it was doing that, but it continued to say so, and did not pop up a notepad or do anything else.

After 20 minutes, I decided to try closing it, and it wasn't responding, and it had not generated a text file, though it had created subdirectories duplicating the structure of Windows, and one of Program Files, in the OTScanit directory, and moved wmsdkns.exe into windows\system32.

It also moved a dll used by HTTrack into the Program Files subdirectory it had made; HTTrack is a website slurper that is a real program, as far as I know, but I have just used it a couple of times when Teleport Pro didn't do the job right, so if I must sacrifice HTTrack that is no big deal.

Do you think it would be possible to divide the fix into parts, to try to see what is making it hang up?

I am thinking of when I ran Moveit and it hung up on pixwfcho.dll...

I think progress is being made! I am no longer getting the constant popups and spontaneous openings of IE, either to that despicable livesecuritycenter.com or about security, but my taskbar is still disabled, and I still have the blue wallpaper with all the warnings about spyware and click here.

Anyway, I ran OTScanit, with all the same things checked as before, and have attached the text file.

When I rebooted, Spybot Search & Destroy asked if I wanted to change userinit to just plain userinit instead of userinit/wmsdkns. Being only too pleased to see anything that looks like wmsdkns diminishing its role, I said yes.

Thank you so much for your patience. You are setting a very good example for me. I am trying to remain calm.

The computer is so new, we were still getting to know each other...


  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

When I rebooted, Spybot Search & Destroy asked if I wanted to change userinit to just plain userinit instead of userinit/wmsdkns. Being only too pleased to see anything that looks like wmsdkns diminishing its role, I said yes.

That can be a pain to kill.

OK, let's try FixIEDef first and then run from there. This is a more specialised tool and will take out one part of the infection.


    • NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry, as FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.
  • Download FixIEDef.exe by ShadowPuterDude to the Desktop.
    Note: FixIEDef now supports Non-English Language Systems

  • Double-click FixIEDef.exe:

  • That will open the About FixIEDef screen. Click OK to continue:

  • Next, press the Scan! button:

  • FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue:

  • Wait for the scan to finish. It shouldn't take very long:
    • WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
  • After the !!! All Finished !!! message is displayed, click Exit:

  • Post the FixIEDef log file, located on the Desktop.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    See: http://www.beyondlog...processutil.htm


    Mirrors: Alternate official download locations for FixIEDef.exe

    http://it-mate.co.uk...ef/fixiedef.exe
    http://hosts-file.ne...ef/fixiedef.exe
    http://avant.it-mate...=Tools/FixIEDef
    http://archives.myst...pyware/FixIEDef

  • 0
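The Spybot prompt quoted above concerns the Winlogon Userinit value, which Windows runs at every logon; in this thread that value had wmsdkns.exe added after userinit.exe, which is one reason the file kept returning. As an added example that is not from the thread or from any tool it mentions, the Python below parses a REGEDIT4-style export of that key (the format ComboFix's Reg Loading Points section uses), reports any Userinit entry other than the stock userinit.exe or a Shell other than Explorer.exe, and builds the repaired value Spybot offered; the export text and the XP default paths are constructed assumptions.

```python
"""Flag tampering with the Winlogon Userinit / Shell values in a registry export.

Added example, not code from the thread or from any tool discussed in it.
The export text below is constructed to resemble the infection in this
thread (userinit.exe with an extra wmsdkns.exe entry); it is not a real
export from the poster's machine.
"""
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed Windows XP defaults: Userinit is normally the single entry
# "C:\WINDOWS\system32\userinit.exe," (trailing comma included) and Shell is
# "Explorer.exe". Both are compared case-insensitively below.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample in .reg / REGEDIT4 form (backslashes doubled, as a real
# export has them). The extra entry is what makes wmsdkns.exe run at every logon.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wmsdkns.exe,"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# Value line; the optional trailing "[date size]" is the annotation ComboFix
# appends to each entry in its Reg Loading Points listing.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"(?:\s+\[[^\]]*\])?$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the string values in an export.

    Accepts both real .reg exports (backslashes doubled, quotes escaped) and the
    single-backslash style ComboFix prints; both end up as plain paths.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            keys[current][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def split_entries(data: str) -> List[str]:
    """Split a comma-separated autostart value into its non-empty entries."""
    return [e.strip() for e in data.split(",") if e.strip()]


def winlogon_values(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Find the Winlogon key case-insensitively (exports vary in casing)."""
    for path, values in keys.items():
        if path.lower() == WINLOGON_KEY.lower():
            return values
    return {}


def check_winlogon(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings; an empty list means Userinit and Shell look stock."""
    findings: List[str] = []
    values = winlogon_values(keys)
    userinit = split_entries(values.get("Userinit", ""))
    if not userinit:
        findings.append("Userinit is missing or empty; logon would fail")
    for entry in userinit:
        if entry.lower() != EXPECTED_USERINIT:
            findings.append("Userinit has an unexpected entry: " + entry)
    for entry in split_entries(values.get("Shell", "")):
        if entry.lower() != EXPECTED_SHELL:
            findings.append("Shell is not Explorer.exe: " + entry)
    return findings


def cleaned_userinit(data: str) -> str:
    """Return the Userinit value reduced to the stock userinit.exe entry.

    This is the repair Spybot offered in the thread. It refuses to produce an
    empty value, because a blank Userinit locks every account out of the desktop.
    """
    kept = [e for e in split_entries(data) if e.lower() == EXPECTED_USERINIT]
    if not kept:
        raise ValueError("no stock userinit.exe entry to keep; do not blank Userinit")
    return ",".join(kept) + ","


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for finding in check_winlogon(parsed):
        print("FINDING:", finding)
    print("Repaired Userinit:", cleaned_userinit(winlogon_values(parsed)["Userinit"]))
```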

#7
MoonBloo

    Member

  • Topic Starter
  • 27 posts
Oh joy! More progress! Blue wallpaper is gone, and in its place is the solid pale pink I had before I found the wallpaper that I was using When It Happened.

Taskbar is still locked, my start page is still some MSN thing, instead of Google, which is what I always had, and I still have those 180searchassistant and Zango things, which I have learned I can delete, but they only return at the next boot; sometimes they do not even wait for that, but miraculously regenerate themselves, like the tail of an injured iguana.


But progress is progress, and so without further ado, I present my FixIEDef.log, for your perusal and delectation...

=================
********************************************************************************
* *
* FixIEDef Log *
* Version 1.3.10.3351 *
* *
********************************************************************************

Created at 17:03:46 on Tuesday, April 08, 2008

Time Zone : (GMT-05:00) Eastern Time (US & Canada)

Operating System : Microsoft Windows XP Professional
Service Pack Level: Service Pack 2
System Langauge : English
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\default.htm
C:\WINDOWS\TEMP\SALM.EXE

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!

=================
  • 0

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Obviously we are going to have to winkle this out bit by bit :)


OK, next stage: can you delete your current ComboFix and download a new version? It should now work.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#9
MoonBloo

    Member

  • Topic Starter
  • 27 posts
Yes, I guess when one becomes infected with bundled computer maladies, that one little click here to fix it all button located on the round tummy of a cute cartoon helpmouse is just not going to happen. At least not this week.

So, I kicked my old yesterCombofix to the curb, and got the shiny new one, and dutifully and methodically closed every one of the 9 squillion anti-something-or-others with which my machine is now festooned, and then ran ComboFix, which ran through all its now 40-odd tricks, and then it was as if there had been a reboot, or something, because a couple of the anti-thisandthats started popping up squealing about something being changed, and of course it was always stuff that was obviously of great importance, but I have no idea what it is, and so I said no, or maybe yes, to the first one, because by now I also have no idea when it is something good that wishes to make these changes to regedit or whatever, or something bad.

Then it occurred to me to look in the files, and lo and behold! The 180searchgarbage and the dreaded zango directories were gone! And so was that wmsdkny or whatever it was, in the windows system32 dir.

So maybe these were changes I should say yes to?

But deciding proved too much agony, and so I fell back on the old adage, when in doubt, reboot, which I did, and this time the anti-whatevers did not squeal, and oh! what do you think? Task Manager is back!

So thanks to your diligence and expertise, my new computer is slowly being returned to me, so that I can screw it up the old-fashioned way, with household dust and tobacco smoke.

There are still some issues, but here are the logs from ComboFix and the HijackThis (attached) done 2 reboots post-ComboFix, and I think we cannot be very far away!

I am beginning to see what I think may be a light at the end of this tunnel!

===================================

ComboFix 08-04-08.5 - Viewer 2008-04-08 18:05:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT -4:00]
Running from: C:\Documents and Settings\Viewer\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 16:02 . 2008-04-08 16:02 369,152 --a------ C:\WINDOWS\system32\rictions.dll
2008-04-08 15:39 . 2008-04-08 15:39 369,152 --a------ C:\WINDOWS\system32\ions.dll
2008-04-07 23:03 . 2008-04-07 23:03 <DIR> d-------- C:\OTScanit
2008-04-07 22:52 . 2008-04-07 22:52 <DIR> d-------- C:\_OTMoveIt
2008-04-07 22:37 . 2008-04-08 18:00 <DIR> d-------- C:\408
2008-04-07 13:10 . 2008-04-07 13:10 19,968 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-07 13:10 . 2008-04-07 13:10 10,752 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-07 13:08 . 2008-04-07 13:08 <DIR> d-------- C:\Deckard
2008-04-07 12:56 . 2008-04-07 12:56 24,320 --a------ C:\WINDOWS\123messenger.per
2008-04-07 12:56 . 2008-04-07 12:56 16,640 --a------ C:\WINDOWS\didduid.ini
2008-04-07 12:28 . 2008-04-07 12:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 12:28 . 2008-04-07 12:28 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\Malwarebytes
2008-04-07 12:28 . 2008-04-07 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 11:50 . 2008-04-07 11:52 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-07 11:42 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2008-04-07 11:42 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-04-07 11:42 . 2004-08-04 06:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-04-07 11:41 . 2008-04-07 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2008-04-07 11:41 . 2008-04-08 18:03 11,174 --a------ C:\WINDOWS\BOC425.INI
2008-04-07 11:04 . 2008-04-07 11:04 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\Grisoft
2008-04-07 11:03 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-07 09:19 . 2008-04-07 09:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-07 09:05 . 2008-04-07 09:05 <DIR> d-------- C:\smitfraudfix
2008-04-07 08:22 . 2008-04-07 09:06 <DIR> d-------- C:\smitrem
2008-04-07 07:36 . 2008-04-07 07:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\JGsoft
2008-04-07 05:04 . 2008-04-07 05:09 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-07 04:37 . 2008-04-07 04:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-07 04:37 . 2008-04-07 04:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:48 . 2008-04-07 03:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 03:48 . 2008-04-07 03:48 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\SUPERAntiSpyware.com
2008-04-07 03:48 . 2008-04-07 03:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 03:46 . 2008-04-07 02:59 9,722,720 --a------ C:\spybotsd152.exe
2008-04-07 03:46 . 2008-04-07 02:25 6,342,680 --a------ C:\SUPERAntiSpyware.exe
2008-04-07 03:46 . 2008-04-07 03:06 64,089 --a------ C:\rr-free-setup.exe
2008-04-07 00:39 . 2008-04-07 00:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-04-06 19:10 . 2008-04-06 19:10 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-06 19:06 . 2008-04-06 18:34 7,525,464 --a------ C:\Free-SpyHunter-Scanner-Install.exe
2008-04-06 19:06 . 2008-04-06 18:59 167,080 --a------ C:\Fix180Sh.exe
2008-04-06 17:19 . 2008-04-06 17:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 17:15 . 2008-04-07 06:48 <DIR> d-------- C:\SDFix
2008-04-06 17:06 . 2008-04-06 17:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VCOM
2008-04-06 16:08 . 2008-04-08 17:05 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-06 14:41 . 2008-04-06 14:41 67,584 --a------ C:\WINDOWS\pixwfcho.dll
2008-04-06 14:41 . 2008-04-06 14:41 67,584 --a------ C:\Documents and Settings\All Users\Application Data\zyzujypg.dll
2008-04-06 14:41 . 2008-04-06 14:41 6,656 --a------ C:\WINDOWS\system32\s.dll
2008-04-04 07:47 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-04-04 07:47 . 2006-05-20 16:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-04-04 07:47 . 2006-05-11 19:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-04-04 07:47 . 2006-09-29 12:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-04-04 07:47 . 2006-09-29 12:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-04-04 07:47 . 2006-09-29 12:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-04-04 07:47 . 2007-03-18 20:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-03-31 14:54 . 2008-03-31 15:59 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\FileZilla
2008-03-31 14:53 . 2008-03-31 14:54 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-03-31 14:09 . 2008-03-31 14:09 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-30 19:22 . 2008-03-30 19:22 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\dvdcss
2008-03-30 19:06 . 2008-03-30 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-26 17:06 . 2008-04-01 23:56 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-25 22:30 . 2008-03-25 22:30 <DIR> d-------- C:\Program Files\MagicISO
2008-03-25 21:40 . 2008-03-25 21:43 <DIR> d-------- C:\Program Files\PowerISO
2008-03-24 18:46 . 2008-03-24 18:47 <DIR> d-------- C:\tunez
2008-03-24 11:21 . 2008-03-24 11:21 <DIR> d-------- C:\experimentingwithresources
2008-03-24 11:01 . 2008-03-24 11:01 <DIR> d-------- C:\Program Files\XN Resource Editor
2008-03-24 10:59 . 2008-03-24 11:13 <DIR> d-------- C:\Program Files\reshack
2008-03-24 07:55 . 2008-04-02 20:46 <DIR> d-------- C:\goingtothepictureshow
2008-03-21 13:11 . 2008-03-21 13:11 <DIR> d-------- C:\Program Files\VCOM
2008-03-21 13:11 . 2008-03-21 13:11 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\VCOM
2008-03-20 07:40 . 2008-03-20 07:40 <DIR> d-------- C:\Program Files\CursorXP
2008-03-19 13:45 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-18 17:00 . 2008-03-18 17:00 <DIR> d-------- C:\Program Files\GIMPshop
2008-03-18 17:00 . 2008-03-18 17:20 <DIR> d-------- C:\Documents and Settings\Viewer\.gimp-2.2
2008-03-18 16:22 . 2008-03-18 16:22 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\HEXelon
2008-03-18 16:21 . 2008-03-18 16:34 <DIR> d-------- C:\Program Files\TC UP
2008-03-18 15:55 . 2008-04-04 07:47 <DIR> d-------- C:\Program Files\VSO
2008-03-18 15:37 . 2008-03-18 15:37 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\Jasc
2008-03-18 14:05 . 2008-03-21 11:26 <DIR> d-------- C:\Program Files\MYIE
2008-03-12 23:37 . 2008-03-12 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microangelo On Display
2008-03-12 23:36 . 2008-03-12 23:36 <DIR> d-------- C:\Program Files\Microangelo On Display
2008-03-12 23:35 . 2008-03-12 23:35 <DIR> d-------- C:\Program Files\Microangelo Toolset 6
2008-03-11 02:14 . 2008-03-11 02:14 <DIR> d-------- C:\Neroblocker
2008-03-11 02:13 . 2008-03-11 02:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-11 01:31 . 2008-03-11 01:31 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\Nero
2008-03-11 01:30 . 2008-03-11 01:30 <DIR> d-------- C:\Program Files\Nero
2008-03-11 01:30 . 2008-03-11 01:31 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-11 01:30 . 2008-03-11 01:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-10 11:26 . 2008-03-10 11:26 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\AdobeUM
2008-03-09 17:27 . 2008-03-09 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-09 17:26 . 2008-03-09 17:26 <DIR> d-------- C:\Program Files\GRETECH
2008-03-09 17:26 . 2008-03-09 17:26 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\GRETECH
2008-03-09 17:09 . 2008-03-09 17:09 <DIR> d-------- C:\Program Files\Magic Video Converter
2008-03-09 17:09 . 2008-03-09 17:09 <DIR> d-------- C:\Program Files\Magic Music Editor
2008-03-09 17:08 . 2008-03-09 17:10 <DIR> d-------- C:\Program Files\Magic Video Studio
2008-03-09 17:08 . 2008-04-06 14:40 <DIR> d-------- C:\Documents and Settings\Viewer\Application Data\Vso
2008-03-09 17:08 . 2004-05-26 21:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-09 17:08 . 2006-09-16 19:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-09 17:08 . 2008-03-09 17:09 81,920 --a------ C:\Documents and Settings\Viewer\Application Data\ezpinst.exe
2008-03-09 17:08 . 2008-04-04 07:47 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-09 17:08 . 2008-04-04 07:47 47,360 --a------ C:\Documents and Settings\Viewer\Application Data\pcouffin.sys
2008-03-09 17:03 . 2008-03-09 17:03 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-03-09 17:03 . 2008-03-09 17:06 <DIR> d-------- C:\Program Files\AVSMedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 12:37 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Spyware Terminator
2008-04-08 12:27 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-07 15:41 --------- d-----w C:\Program Files\COMODO
2008-04-07 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-07 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-07 07:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 22:22 --------- d-----w C:\Program Files\Trellian
2008-04-06 20:11 --------- d-----w C:\Documents and Settings\Viewer\Application Data\AVG7
2008-04-06 17:14 --------- d-----w C:\Documents and Settings\Viewer\Application Data\uTorrent
2008-03-24 12:48 --------- d-----w C:\Documents and Settings\Viewer\Application Data\ColorCop
2008-03-21 17:11 --------- d-----w C:\Program Files\Ontrack
2008-03-19 17:45 --------- d-----w C:\Program Files\Java
2008-03-10 13:09 --------- d-----w C:\Documents and Settings\Viewer\Application Data\EditPlus 2
2008-03-09 21:00 --------- d-----w C:\Program Files\Avidemux 2.4
2008-03-09 21:00 --------- d-----w C:\Documents and Settings\Viewer\Application Data\gtk-2.0
2008-03-09 13:09 --------- d-----w C:\Documents and Settings\Viewer\Application Data\BitTyrant
2008-03-09 09:05 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Comodo
2008-03-08 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-03-07 22:06 --------- d-----w C:\Program Files\uTorrent
2008-03-07 20:10 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-07 18:40 --------- d-----w C:\Program Files\PaintShopPro7
2008-03-07 18:39 --------- d-----w C:\Program Files\Jasc Software Inc
2008-03-07 09:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 06:48 --------- d-----w C:\Program Files\BitTyrant
2008-03-06 22:28 --------- d-----w C:\Program Files\TopStyle3
2008-03-06 22:25 --------- d-----w C:\Program Files\Allaire
2008-03-06 22:11 --------- d-----w C:\Documents and Settings\Viewer\Application Data\JGsoft
2008-03-06 22:09 --------- d-----w C:\Program Files\JGsoft
2008-03-06 16:36 --------- d-----w C:\Program Files\Macromedia
2008-03-06 16:36 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-03-06 03:50 --------- d-----w C:\Program Files\dBpowerAMP
2008-03-06 03:49 167,424 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-03-06 03:22 --------- d-----w C:\Program Files\SRS Labs
2008-03-06 03:22 --------- d-----w C:\Program Files\Common Files\SRS Labs Shared
2008-03-06 03:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-03-06 03:13 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Blumentals
2008-03-06 03:11 --------- d-----w C:\Program Files\Virtual Mechanics
2008-03-06 02:06 --------- d-----w C:\Program Files\Arachnophilia
2008-03-05 11:05 --------- d-----w C:\Program Files\MediaCoder
2008-03-05 11:00 --------- d-----w C:\Program Files\zweistein
2008-03-05 10:32 --------- d-----w C:\Program Files\Thugs at Bay
2008-03-05 10:24 --------- d-----w C:\Program Files\AVIedit
2008-03-05 05:07 --------- d-----w C:\Program Files\URUSoft
2008-03-05 02:51 --------- d-----w C:\Program Files\Revo Uninstaller
2008-03-04 15:22 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-04 15:21 307,968 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-04 15:21 --------- d-----w C:\Documents and Settings\Viewer\Application Data\TuneUp Software
2008-03-04 15:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-04 04:28 --------- d-----w C:\Program Files\EditPlus 2
2008-03-03 16:42 --------- d-----w C:\Program Files\EmEditor
2008-03-03 15:20 --------- d-----w C:\Program Files\metapad
2008-03-03 06:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-03 06:42 --------- d-----w C:\Program Files\Lavasoft
2008-03-03 04:19 --------- d-----w C:\Program Files\TextPad 5
2008-03-03 04:13 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Helios
2008-03-01 01:34 --------- d-----w C:\Program Files\UltraEdit
2008-02-29 17:36 --------- d-----w C:\Program Files\CCleaner
2008-02-29 14:21 --------- d-----w C:\Program Files\WinHTTrack
2008-02-29 06:34 --------- d-----w C:\Program Files\zabkat
2008-02-28 12:47 --------- d-----w C:\Program Files\Ulead SmartSaver Pro 2.0
2008-02-28 12:05 --------- d-----w C:\Program Files\Foxit Software
2008-02-27 18:15 28,416 ----a-w C:\WINDOWS\system32\uxtuneup.dll
2008-02-27 10:41 --------- d-----w C:\Documents and Settings\Viewer\Application Data\vlc
2008-02-27 04:42 --------- d-----w C:\Program Files\VLC
2008-02-26 19:17 --------- d-----w C:\Program Files\Crimson Editor
2008-02-24 22:12 --------- d-----w C:\Program Files\MaxMem
2008-02-24 20:52 --------- d-----w C:\Program Files\SpyBlocker Software
2008-02-23 17:22 --------- d-----w C:\Program Files\Azureus
2008-02-23 16:27 --------- d-----w C:\Documents and Settings\Viewer\Application Data\LimeWire
2008-02-23 03:48 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Winamp
2008-02-23 02:54 --------- d-----w C:\Program Files\Winamp
2008-02-23 01:47 --------- d-----w C:\Program Files\LimeWire
2008-02-23 01:02 --------- d-----w C:\Documents and Settings\Viewer\Application Data\NoteTab Pro
2008-02-23 00:07 --------- d-----w C:\Program Files\NoteTab Pro Trial
2008-02-22 14:20 --------- d-----w C:\Program Files\KompoZer
2008-02-22 14:14 --------- d-----w C:\Program Files\Star Downloader
2008-02-22 12:17 --------- d-----w C:\Program Files\Mmm
2008-02-22 12:16 --------- d-----w C:\Program Files\Index.dat Suite
2008-02-22 12:11 --------- d-----w C:\Program Files\a-squared Free
2008-02-22 10:59 --------- d-----w C:\Program Files\ScrubXP
2008-02-22 10:57 --------- d-----w C:\Program Files\ContextMenuEditor
2008-02-22 09:32 --------- d-----w C:\Program Files\ShellExView
2008-02-22 03:57 --------- d-----w C:\Program Files\Xenu
2008-02-22 03:33 --------- d-----w C:\Documents and Settings\Viewer\Application Data\VSRevoGroup
2008-02-22 02:57 --------- d-----w C:\Program Files\PSPad editor
2008-02-22 02:57 --------- d-----w C:\Documents and Settings\Viewer\Application Data\PSpad
2008-02-22 02:55 --------- d-----w C:\Program Files\Artweaver 0.4
2008-02-22 02:55 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Artweaver
2008-02-22 02:39 --------- d-----w C:\Program Files\Serif
2008-02-21 08:20 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-02-21 08:18 --------- d-----w C:\Program Files\IcoFX 1.5
2008-02-21 08:18 --------- d-----w C:\Documents and Settings\Viewer\Application Data\IcoFX
2008-02-21 08:17 --------- d-----w C:\Program Files\UltraExplorer
2008-02-21 08:16 --------- d-----w C:\Program Files\ExplorerXP
2008-02-21 08:10 --------- d-----w C:\Program Files\IconTweaker
2008-02-21 08:10 --------- d-----w C:\Documents and Settings\Viewer\Application Data\IconTweaker
2008-02-21 08:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\IconTweaker
2008-02-21 08:09 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Trellian
2008-02-21 08:06 --------- d-----w C:\Program Files\Nvu
2008-02-21 08:06 --------- d-----w C:\Documents and Settings\Viewer\Application Data\Nvu
2006-10-20 04:12 108 --sha-r C:\WINDOWS\neoqaz2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34 128000]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Spybot-S&D Security Center launcher"="C:\Program Files\Spybot - Search & Destroy\SDMain.exe" [2008-01-28 11:43 414544]
"Spyware Terminator Realtime Shield"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe" [2008-02-18 04:53 2957824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-27 23:14 8429568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16:27 16132608 C:\WINDOWS\RTHDCPL.EXE]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
"SpyBlocker"="C:\Program Files\SpyBlocker Software\spyblocker.exe" [2002-01-12 01:24 1720320]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-11 11:57 2684280]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-20 22:36 579072]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-18 04:53 2957824]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49 338432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-20 22:36 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Viewer\Start Menu\Programs\Startup\
Dialog Helper.lnk - C:\Program Files\VCOM\PowerDesk\pddlghlp.exe [2004-08-02 17:55:12 40960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FileBox eXtender.lnk - C:\Program Files\FileBX\FileBX.exe [2007-12-18 13:18:03 446464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 15 (0xf)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= C:\Program Files\zweistein\0.958\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\zweistein\0.958\686\tabdec.dll
"vidc.444p"= C:\Program Files\zweistein\0.958\686\tabdec.dll
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"msacm.ac3acm"= AC3ACM.acm
"vidc.dvsd"= mcdvd_32.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ussshreg"=C:\PROGRA~1\ULEADS~1.0\Ussshreg.exe /r
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\SpyBlocker Software\\spyblocker.exe"=
"C:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\BitTyrant\\Azureus.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\UltraEdit\\UEDIT32.EXE"=

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-02-18 04:53]
R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 09:00]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-04 11:21]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 18:06:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ad-Watch Real-Time Scanner]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\AWRTPD.sys"
.
Completion time: 2008-04-08 18:06:53
ComboFix-quarantined-files.txt 2008-04-08 22:06:46
ComboFix2.txt 2008-04-06 21:54:15
Pre-Run: 177,923,764,224 bytes free
Post-Run: 177,909,293,056 bytes free
.
2008-02-25 09:20:05 --- E O F ---

Attached Files


  • 0

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Don't you just hate time zones :) You may now replace your hammer back in the garage :)

that one little click here to fix it all button located on the round tummy of a cute cartoon helpmouse is just not going to happen. At least not this week.

I wish :)

OK, the screamings are because I had a blonde moment and did not get you to disable your resident spyware, which then did its job and stopped me changing your registry :)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



You will also need to disable Ad-Watch Real-Time Scanner, which is part of Ad-Aware.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


NEXT

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\rictions.dll
    C:\WINDOWS\system32\ions.dll
    C:\408
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\123messenger.per
    C:\WINDOWS\didduid.ini
    C:\Program Files\QdrModule
    C:\Documents and Settings\All Users\Application Data\zyzujypg.dll
    C:\WINDOWS\system32\s.dll
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

I should think the light at the end of the tunnel is getting quite large now. Could you let me know how your system is performing now?
  • 0

#11
MoonBloo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I do not participate in time zones on general principle. I believe they are bad for the complexion, and probably attract bees.

This whole thing has been one long blonde moment for me. When my beloved new machine is finally returned to health, I will set about addressing the "How Could This Possibly Happen to Such a Cautious Person as Myself?" issue, and yes, I have already read the recommended article on the topic, but for now:

When I put the stuff into the OTMoveit window, and clicked MoveIt, OTMoveit closed immediately, and did not leave any sort of logfile. I tried it three times, and each time obtained the same unsatisfying, and mystifying, result.

Then I rebooted, leaving all the anti-things disabled. After rebooting, I did turn back on all the Ad-Watch ones, and the taskbar is still present. The only change I noticed is that one of the antis asked if I would let something change my home page from google to msn blah blah; I said no, started MYIE (an MS Exploder overlay that is now Maxthon, but I like this old version and so I use it), and it did indeed go to google.

So a little progress, sorta, but I looked into the OTMoveit directory, and it had moved nothing. Which I suspected would be the case, since it just closed when I hit the run button.
Below is the "pre-fix" HijackThis log, and I have attached the OTScanit log (I went ahead and did OTScanit after the OTMoveit failure, or apparent failure, anyway).

What do I do next, Most Noble Knight of Essex?

===========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:54 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\FileBX\FileBX.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\stufffromoldputer\browserstuff\myie2final\MyIE.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\0407\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Spybot-S&D Security Center launcher] C:\Program Files\Spybot - Search & Destroy\SDMain.exe
O4 - HKCU\..\Run: [Spyware Terminator Realtime Shield] C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Global Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2DA5F47-F3FD-46FD-85B5-904C9B57A3A2}: NameServer = 205.152.37.23 205.152.144.23
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10079 bytes

Attached Files


  • 0

#12
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

I do not participate in time zones on general principle. I believe they are bad for the complexion, and probably attract bees.

:) :)

OK, we are now just out for the kill on the minority :) If OTScanit does not kill them this time I will use my softish hammer (no damage will be done to anything physical) :)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

All those registry entries need to go, so do not let your other programmes stop them.


Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Created Within 30 days]
NY -> ntnut32.exe -> %SystemRoot%\System32\ntnut32.exe
NY -> s.dll -> %SystemRoot%\System32\s.dll
NY -> shdocpe.dll -> %SystemRoot%\System32\shdocpe.dll
NY -> SIPSPI32.dll -> %SystemRoot%\System32\SIPSPI32.dll
NY -> 123messenger.per -> %SystemRoot%\123messenger.per
NY -> apphelp32.dll -> %SystemRoot%\apphelp32.dll
NY -> asferror32.dll -> %SystemRoot%\asferror32.dll
NY -> asycfilt32.dll -> %SystemRoot%\asycfilt32.dll
NY -> athprxy32.dll -> %SystemRoot%\athprxy32.dll
NY -> ati2dvaa32.dll -> %SystemRoot%\ati2dvaa32.dll
NY -> ati2dvag32.dll -> %SystemRoot%\ati2dvag32.dll
NY -> audiosrv32.dll -> %SystemRoot%\audiosrv32.dll
NY -> autodisc32.dll -> %SystemRoot%\autodisc32.dll
NY -> avifile32.dll -> %SystemRoot%\avifile32.dll
NY -> avisynthex32.dll -> %SystemRoot%\avisynthex32.dll
NY -> aviwrap32.dll -> %SystemRoot%\aviwrap32.dll
NY -> browserad.dll -> %SystemRoot%\browserad.dll
NY -> changeurl_30.dll -> %SystemRoot%\changeurl_30.dll
NY -> CMDLIC.DLL -> %SystemRoot%\CMDLIC.DLL
NY -> didduid.ini -> %SystemRoot%\didduid.ini
NY -> FLEOK -> %SystemRoot%\FLEOK
NY -> msa64chk.dll -> %SystemRoot%\msa64chk.dll
NY -> ntnut.exe -> %SystemRoot%\ntnut.exe
NY -> pixwfcho.dll -> %SystemRoot%\pixwfcho.dll
NY -> shdocpe.dll -> %SystemRoot%\shdocpe.dll
NY -> shdocpl.dll -> %SystemRoot%\shdocpl.dll
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> zyzujypg.dll -> %AllUsersProfile%\Application Data\zyzujypg.dll
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0
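The orphaned O2 BHO entries Essexboy lists above (the CLSIDs that end in "(no file)") are registrations whose DLL has already been removed, which is why HijackThis can only clear the registry key. The following is an added example, not code from the thread or from HijackThis, OTScanit or any other tool mentioned here: it parses HijackThis 2.0.2 log lines, flags the orphaned BHOs, and diffs a pre-fix and a post-fix log to confirm which entries "Fix checked" actually removed. The sample logs are constructed from lines in this thread; the function and class names are my own.

```python
"""Triage helper for HijackThis logs (added example, not the forum's or the
tools' own code): flag O2 BHO entries with no backing file and verify, from a
pre-fix and a post-fix log, which of them a 'Fix checked' run removed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# O2 lines look like:
#   O2 - BHO: (no name) - {13197ace-...} - (no file)
#   O2 - BHO: (no name) - {FFFFFEF0-...} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# Any HijackThis section line: an R*/F*/N*/O* tag followed by " - "
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


@dataclass(frozen=True)
class Bho:
    name: str
    clsid: str
    target: str  # DLL path, or the literal "(no file)"

    @property
    def orphaned(self) -> bool:
        # HijackThis prints "(no file)" when the CLSID's DLL is missing on disk
        return self.target.strip().lower() == "(no file)"


def parse_bhos(log: str) -> list[Bho]:
    """Return every O2 BHO entry in a HijackThis log, in log order."""
    found = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].lower(), m["target"]))
    return found


def orphaned_bhos(log: str) -> list[Bho]:
    """O2 entries with no backing file: the candidates for 'Fix checked'."""
    return [b for b in parse_bhos(log) if b.orphaned]


def entries(log: str) -> set[str]:
    """All section lines (R*, O*, ...) in a log, stripped for comparison."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def fix_diff(pre_log: str, post_log: str) -> tuple[set[str], set[str]]:
    """(removed, added) section lines between a pre-fix and a post-fix log."""
    before, after = entries(pre_log), entries(post_log)
    return before - after, after - before


def verify_fix(pre_log: str, post_log: str) -> dict[str, list[str]]:
    """Which orphaned BHOs disappeared and which survived the fix.
    A survivor means the fix never applied or something re-created the key."""
    post_clsids = {b.clsid for b in parse_bhos(post_log)}
    result: dict[str, list[str]] = {"removed": [], "still_present": []}
    for b in orphaned_bhos(pre_log):
        key = "still_present" if b.clsid in post_clsids else "removed"
        result[key].append(b.clsid)
    return result


# Constructed sample logs, modelled on the thread's pre- and post-fix logs.
PRE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\\PROGRA~1\\STARDO~1\\SDIEInt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\\PROGRA~1\\Crawler\\Toolbar\\ctbr.dll
O4 - HKCU\\..\\Run: [CursorXP] C:\\Program Files\\CursorXP\\CursorXP.exe
"""

POST_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\\PROGRA~1\\STARDO~1\\SDIEInt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\\PROGRA~1\\Crawler\\Toolbar\\ctbr.dll
O4 - HKCU\\..\\Run: [CursorXP] C:\\Program Files\\CursorXP\\CursorXP.exe
"""

if __name__ == "__main__":
    for b in orphaned_bhos(PRE_LOG):
        print("orphaned BHO:", b.clsid)
    print(verify_fix(PRE_LOG, POST_LOG))
```

Run it against a saved pre-fix and post-fix log pair to see at a glance whether a resident guard (TeaTimer, Ad-Watch) blocked the registry change, which shows up as CLSIDs in "still_present".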

#13
MoonBloo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
When I ran HijackThis, it only had one of the ones on the list, so I checked it, and here are the pre- and post-fix HijackThis logs.

I then pasted the fix into OTScanit and clicked run fix. It replied that it was doing that, and then apparently stalled out, like it did before, creating no file. But this time I did not give it 20 minutes, I gave it about 2, then closed it and rebooted.

Then I ran OTScanit again, and attached is the log.

Oh, from the previous operations, I also meant to tell you that the directory called "408" is one I created to hold files associated with these events, and it also happens to contain the OTMoveit program, but even when I took that out of the list, it still closed immediately, so it was not a case of refusing to move itself, which would be more than reasonable.

I will give OTMoveit its own directory, though, to avoid offending it in the future.

Hijackthis pre-fix
==============
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:59 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\FileBX\FileBX.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MYIE\MyIE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\0407\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Spybot-S&D Security Center launcher] C:\Program Files\Spybot - Search & Destroy\SDMain.exe
O4 - HKCU\..\Run: [Spyware Terminator Realtime Shield] C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Global Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2DA5F47-F3FD-46FD-85B5-904C9B57A3A2}: NameServer = 205.152.37.23 205.152.144.23
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9037 bytes
==============


Hijackthis post-fix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:12 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\FileBX\FileBX.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\0407\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Spybot-S&D Security Center launcher] C:\Program Files\Spybot - Search & Destroy\SDMain.exe
O4 - HKCU\..\Run: [Spyware Terminator Realtime Shield] C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Global Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2DA5F47-F3FD-46FD-85B5-904C9B57A3A2}: NameServer = 205.152.37.23 205.152.144.23
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8798 bytes


#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK little hammer time :)

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
%SystemRoot%\System32\s.dll
%SystemRoot%\System32\shdocpe.dll
%SystemRoot%\System32\SIPSPI32.dll
%SystemRoot%\123messenger.per
%SystemRoot%\apphelp32.dll
%SystemRoot%\asferror32.dll
%SystemRoot%\asycfilt32.dll
%SystemRoot%\athprxy32.dll
%SystemRoot%\ati2dvaa32.dll
%SystemRoot%\ati2dvag32.dll
%SystemRoot%\audiosrv32.dll
%SystemRoot%\autodisc32.dll
%SystemRoot%\avifile32.dll
%SystemRoot%\avisynthex32.dll
%SystemRoot%\aviwrap32.dll
%SystemRoot%\didduid.ini
%SystemRoot%\msa64chk.dll
%SystemRoot%\ntnut.exe
%SystemRoot%\pixwfcho.dll
%SystemRoot%\shdocpe.dll
%SystemRoot%\shdocpl.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.

How is your system now, any further problems or is it getting better?

#15
MoonBloo

MoonBloo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\System32\s.dll" deleted successfully.
File "C:\WINDOWS\System32\shdocpe.dll" deleted successfully.
File "C:\WINDOWS\System32\SIPSPI32.dll" deleted successfully.
File "C:\WINDOWS\123messenger.per" deleted successfully.
File "C:\WINDOWS\apphelp32.dll" deleted successfully.
File "C:\WINDOWS\asferror32.dll" deleted successfully.
File "C:\WINDOWS\asycfilt32.dll" deleted successfully.
File "C:\WINDOWS\athprxy32.dll" deleted successfully.
File "C:\WINDOWS\ati2dvaa32.dll" deleted successfully.
File "C:\WINDOWS\ati2dvag32.dll" deleted successfully.
File "C:\WINDOWS\audiosrv32.dll" deleted successfully.
File "C:\WINDOWS\autodisc32.dll" deleted successfully.
File "C:\WINDOWS\avifile32.dll" deleted successfully.
File "C:\WINDOWS\avisynthex32.dll" deleted successfully.
File "C:\WINDOWS\aviwrap32.dll" deleted successfully.
File "C:\WINDOWS\didduid.ini" deleted successfully.
File "C:\WINDOWS\msa64chk.dll" deleted successfully.
File "C:\WINDOWS\ntnut.exe" deleted successfully.
File "C:\WINDOWS\pixwfcho.dll" deleted successfully.
File "C:\WINDOWS\shdocpe.dll" deleted successfully.
File "C:\WINDOWS\shdocpl.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

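One way to check an Avenger run against the script that drove it, as an added example that is not part of the thread or of The Avenger's own code: it parses a "Files to delete:" script in the format Essexboy posted above and the result log MoonBloo posted back, and reports for every requested file whether the log says it was deleted, failed, or was never mentioned. The sample script and log are constructed, and the "Deletion of file ... failed!" wording is an assumption, since the log in the thread shows only successful deletions.

```python
import re

# Constructed sample input, not the thread's own script or log: an Avenger script
# with a "Files to delete:" section and the result log written back by the tool.
SAMPLE_SCRIPT = """Files to delete:
%SystemRoot%\\System32\\s.dll
%SystemRoot%\\msa64chk.dll
%SystemRoot%\\ntnut.exe
Drivers to disable:
hypothetical_drv
"""

SAMPLE_LOG = """Beginning to process script file:
File "C:\\WINDOWS\\System32\\s.dll" deleted successfully.
File "C:\\WINDOWS\\msa64chk.dll" deleted successfully.
Deletion of file "C:\\WINDOWS\\ntnut.exe" failed!
Completed script processing.
"""

SECTION_RE = re.compile(r"^(\w+) to (delete|disable):$", re.IGNORECASE)
DELETED_RE = re.compile(r'^File "([^"]+)" deleted successfully\.$')
# The failure wording is assumed; the thread's log shows only successful deletions.
FAILED_RE = re.compile(r'^Deletion of file "([^"]+)" failed!$')


def expand_systemroot(path, systemroot=r"C:\WINDOWS"):
    """Resolve %SystemRoot% so script paths compare with the paths the log prints."""
    return re.sub(r"%systemroot%", lambda _: systemroot, path, flags=re.IGNORECASE)


def parse_script(text):
    """Return the requested paths from the 'Files to delete:' section only."""
    files, in_files = [], False
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            in_files = (m.group(1).lower(), m.group(2).lower()) == ("files", "delete")
        elif in_files and line:
            files.append(expand_systemroot(line))
    return files


def parse_log(text):
    """Map each path the log mentions (lower-cased) to 'deleted' or 'failed'."""
    status = {}
    for line in (l.strip() for l in text.splitlines()):
        m = DELETED_RE.match(line) or FAILED_RE.match(line)
        if m:
            status[m.group(1).lower()] = "deleted" if m.re is DELETED_RE else "failed"
    return status


def reconcile(script_text, log_text):
    """Per requested file: 'deleted', 'failed', or 'unreported' (the log never mentions it)."""
    status = parse_log(log_text)
    return {p: status.get(p.lower(), "unreported") for p in parse_script(script_text)}
```

A clean run is one where every requested path comes back "deleted"; anything "failed" or "unreported" is what the helper would chase up in the next reply.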
