Trojan Downloader.xs, not desktop and no toolbar [RESOLVED]



#1
medt

  • Member
  • 77 posts
I am so worried, if anyone can help, please let me know. I see nothing on my desktop at all and the only way I got onto the internet was through a security warning that popped up. THANKS a lot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:10 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://contentpurity...xp/ScanFile.CAB
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} (BTClientWorkstation.BeyondTXTClient) - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} (FootPedalCtl Class) - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} (FileClean.Clean) - http://contentpurity...s/FileClean.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9036 bytes

Edited by medt, 08 April 2008 - 07:04 AM.

#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello medt

Welcome to G2Go. :)
=====================
The first thing I will need you to do is to download this anti-virus program and install it.
This is free.
AVG free
=====================================
Download ComboFix from one of the locations below, and save it to your Desktop (or in your case you can just click on run when you are prompted to save or run the file).

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#3
medt

  • Topic Starter
  • Member
  • 77 posts
Thank you for your time and I am sorry it has taken me this long to get back to you. My computer would not let me do anything or get back to sites, etc. No desktop display, toolbars, nothing, and I had to have a technician come over and get that part fixed. I am having another problem though after he left with "cannot display this page" and will be posting as a new topic. THANKS again

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OK, if you would still like me to look the computer over for leftovers, please post a HijackThis log.

#5
medt

  • Topic Starter
  • Member
  • 77 posts
Okay here it is. I cannot get on my pages that need me to sign in with a password. I get Cannot Display Page. THANKS again

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:03 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} (BTClientWorkstation.BeyondTXTClient) - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} (FootPedalCtl Class) - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7546 bytes

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#7
medt

  • Topic Starter
  • Member
  • 77 posts
Okay, here ya go: The first one is the main.txt notepad

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-09 11:59:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
99: 2008-04-09 15:59:22 UTC - RP1801 - Deckard's System Scanner Restore Point
98: 2008-04-09 03:30:15 UTC - RP1800 - Software Distribution Service 3.0
97: 2008-04-08 17:04:06 UTC - RP1799 - Installed AVG 7.5
96: 2008-04-08 15:49:39 UTC - RP1798 - Removed Logitech Desktop Messenger
95: 2008-04-08 03:14:05 UTC - RP1797 - System Checkpoint


-- First Restore Point --
1: 2008-01-11 14:47:56 UTC - RP1703 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:19 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} (BTClientWorkstation.BeyondTXTClient) - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} (FootPedalCtl Class) - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7534 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080408-100653-191 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080408-100653-255 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080408-100653-272 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
backup-20080408-100653-273 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080408-100653-334 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080408-100653-341 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080408-100653-375 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080408-100653-447 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080408-100653-492 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080408-100653-520 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080408-100653-526 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080408-100653-541 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080408-100653-548 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080408-100653-586 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080408-100653-593 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080408-100653-601 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080408-100653-698 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080408-100653-725 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
backup-20080408-100653-832 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080408-100653-924 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080408-100653-981 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
backup-20080408-100654-183 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
backup-20080408-100654-368 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
backup-20080408-100655-183 O16 - DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} (FileClean.Clean) - http://contentpurity...s/FileClean.CAB
backup-20080408-100655-330 O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://contentpurity...xp/ScanFile.CAB
backup-20080408-100655-653 O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup141.cab
backup-20080408-123903-148 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080408-123903-244 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080408-123903-317 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080408-123903-345 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
backup-20080408-123903-409 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080408-123903-516 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080408-123903-563 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080408-123903-588 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080408-123903-644 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080408-123903-676 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080408-123903-740 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080408-123903-757 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080408-123903-819 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080408-123903-826 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080408-123903-849 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\wmsdkns.exe,,C:\WINDOWS\system32\userinit.exe
backup-20080408-123903-881 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S4 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 GoToMyPC -
S3 LWWLicenseService - "c:\program files\common files\wolterskluwerlww shared\service\lwwlicenseservice.exe" <Not Verified; WoltersKluwerLWW; LWWLicenseService>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Lucent Win Modem
Device ID: PCI\VEN_11C1&DEV_044E&SUBSYS_044E1235&REV_02\4&1A671D0C&0&58F0
Manufacturer: Lucent
Name: Lucent Win Modem
PNP Device ID: PCI\VEN_11C1&DEV_044E&SUBSYS_044E1235&REV_02\4&1A671D0C&0&58F0
Service: Modem

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SPS1____\5&343FF6CE&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: LITE-ON LTR-48246S
PNP Device ID: IDE\CDROMLITE-ON_LTR-48246S______________________SPS1____\5&343FF6CE&0&0.0.0
Service: cdrom

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMJLMS_DVD-ROM_LTD-166S___________________DPS2____\5&343FF6CE&0&0.1.0
Manufacturer: (Standard CD-ROM drives)
Name: JLMS DVD-ROM LTD-166S
PNP Device ID: IDE\CDROMJLMS_DVD-ROM_LTD-166S___________________DPS2____\5&343FF6CE&0&0.1.0
Service: cdrom

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: MPU-401 Compatible MIDI Device
Device ID: ROOT\MEDIA\0001
Manufacturer: Microsoft
Name: MPU-401 Compatible MIDI Device
PNP Device ID: ROOT\MEDIA\0001
Service: ms_mpu401

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Game port for MediaVision
Device ID: ROOT\MEDIA\0002
Manufacturer: MediaVision Inc.
Name: Game port for MediaVision
PNP Device ID: ROOT\MEDIA\0002
Service: gameenum

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Direct Parallel
Device ID: ROOT\MS_PTIMINIPORT\0000
Manufacturer: Microsoft
Name: Direct Parallel
PNP Device ID: ROOT\MS_PTIMINIPORT\0000
Service: Raspti

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (ATW)
Device ID: ROOT\NET\0000
Manufacturer: America Online, Inc.
Name: WAN Miniport (ATW)
PNP Device ID: ROOT\NET\0000
Service: wanatw


-- Scheduled Tasks -------------------------------------------------------------

2008-04-09 06:00:00 288 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-04-07 19:19:14 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 09:29:58 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-08 15:57:13 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-08 15:25:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-08 13:55:11 0 dr-h----- C:\$VAULT$.AVG
2008-04-08 13:05:07 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-08 13:04:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-08 13:04:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 11:17:03 17664 --a------ C:\WINDOWS\mssvr.exe
2008-04-08 09:50:04 0 d-------- C:\Program Files\CCleaner
2008-04-08 08:10:50 0 d-------- C:\Program Files\Trend Micro
2008-04-07 18:39:10 31744 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-07 18:39:09 31488 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-07 16:31:49 0 d-------- C:\Program Files\Sysmnt
2008-04-07 16:29:43 0 d-------- C:\Program Files\stc
2008-04-06 18:38:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-06 17:09:32 0 d-------- C:\3c0fc6caaa617172e2cfdd098e
2008-04-06 16:32:39 8960 --a------ C:\WINDOWS\apphelp32.dll
2008-04-06 10:24:32 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-05 22:46:23 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 22:46:00 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-05 15:22:04 26624 --a------ C:\WINDOWS\voiceip.dll
2008-04-05 15:22:03 27392 --a------ C:\WINDOWS\cdsm32.dll
2008-04-05 15:22:02 18432 --a------ C:\WINDOWS\mspphe.dll
2008-04-05 15:22:02 11520 --a------ C:\WINDOWS\bjam.dll
2008-04-05 15:21:58 14592 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-04-05 15:21:57 29696 --a------ C:\WINDOWS\msapasrc.dll
2008-04-05 15:21:57 30976 --a------ C:\WINDOWS\msa64chk.dll
2008-04-05 15:21:55 23552 --a------ C:\WINDOWS\shdocpl.dll
2008-04-05 15:21:55 29440 --a------ C:\WINDOWS\shdocpe.dll
2008-04-05 15:21:55 22528 --a------ C:\WINDOWS\ntnut.exe
2008-04-05 15:21:54 12032 --a------ C:\WINDOWS\winsb.dll
2008-04-05 15:21:54 27136 --a------ C:\WINDOWS\browserad.dll
2008-04-05 15:21:54 18432 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-05 15:21:54 15872 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-05 15:21:54 11520 --a------ C:\WINDOWS\avifile32.dll
2008-04-05 15:21:54 19968 --a------ C:\WINDOWS\autodisc32.dll
2008-04-05 15:21:54 31744 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-05 15:21:53 32000 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-05 15:21:53 9984 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-05 15:21:52 20224 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-05 15:21:52 18432 --a------ C:\WINDOWS\athprxy32.dll
2008-04-05 15:21:52 17664 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-05 15:21:52 13056 --a------ C:\WINDOWS\asferror32.dll
2008-03-28 16:08:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-03-20 13:35:50 0 d-------- C:\Program Files\Emdat
2008-03-19 18:55:05 0 d-------- C:\Program Files\eScription
2008-03-19 18:53:07 0 d-------- C:\EditScriptMSILogs
2008-03-19 18:51:54 0 d-------- C:\Documents and Settings\Owner\Logs


-- Find3M Report ---------------------------------------------------------------

2008-04-09 10:38:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-04-09 03:06:51 0 d-------- C:\Program Files\Common Files
2008-04-03 09:53:03 0 d-------- C:\Program Files\QLEDR05
2008-04-01 20:44:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Canon
2008-03-31 05:16:46 0 d-------- C:\Program Files\AIM6
2008-03-20 17:43:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Internet Explorer
2008-03-20 17:34:48 0 d-------- C:\Program Files\GoldPocket
2008-03-11 15:30:46 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-06 22:14:26 0 d-------- C:\Program Files\Java
2008-02-29 14:20:19 92464 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-24 11:53:35 0 d-------- C:\Program Files\Common Files\Motive
2008-02-23 09:56:54 0 d-------- C:\Documents and Settings\Owner\Application Data\yoclient
2008-02-15 17:19:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-01 23:49:01 30 --a------ C:\WINDOWS\popcinfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [06/03/2002 11:38 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [11/02/2004 09:03 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/02/2004 08:59 AM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 02:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"NvCplDaemon"="NvQTwk" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/15/2007 12:43 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/08/2008 01:04 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [1/14/2005 7:35:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp instant support.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
"C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]




-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8118 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-09 12:03:22 ------------


Here is the Extratxt notepad

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.53GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 503.48 MiB / 194.35 MiB
Pagefile Memory (total/avail): 1228.57 MiB / 877.22 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.09 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 108.36 GiB total, 79.32 GiB free.
D: is Fixed (FAT32) - 3.44 GiB total, 0.49 GiB free.

\\.\PHYSICALDRIVE0 - SAMSUNG SV1204H - 111.81 GiB - 2 partitions
\PARTITION0 - Unknown - 3.45 GiB - D:
\PARTITION1 (bootable) - Installable File System - 108.36 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KROSS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\KROSS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;c:\Python22;C:\Program Files\Sonic\MyDVD;C:\Program Files\eScription\EditScript;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=KROSS
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}\setup.exe" -l0x9 -L0x9anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2003 Quick Look Drug Reference --> C:\PROGRA~1\QLEDR03\UNWISE32.EXE C:\PROGRA~1\QLEDR03\INSTALL.LOG
2005 Quick Look Drug Reference --> C:\PROGRA~1\QLEDR05\UNWISE32.EXE C:\PROGRA~1\QLEDR05\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoBase 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}\setup.exe" -l0x9 -uninst
ArcSoft PhotoStudio 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03F1CC67-5BD8-4C36-8394-76311B2AE69A}\setup.exe" -l0x9 -uninst
Audioworxs Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811DA72-7C3A-437D-85E2-742DB02034F6}\setup.exe" -l0x9
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Big Fish Games Client --> C:\Program Files\bfgclient\Uninstall.exe
Bytescribe WavPlayer --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Bytescribe\WavPlayer4\DeIsL3.isu" -cC:\PROGRA~1\BYTESC~1\WAVPLA~1\_ISREG32.DLL
Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\setup.exe" -l0x9
CanoScan LiDE20,30 Manual --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B360A8E5-C171-4AAE-9777-65B3CDB0072C}\setup.exe" -l0x9
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Coloreal --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDE90251-93EB-4F6A-89D8-086E2D91DC56}\Setup.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Detto IntelliMover Demo --> MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
easy Internet sign-up --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\setup.exe" -l0x9
eFax Messenger 4.2 --> C:\Program Files\eFax Messenger 4.2\Uninstall.exe
eKnowledge ACT Standard --> C:\WINDOWS\eUninstall.exe ACT Standard
eKnowledge SAT Standard --> C:\WINDOWS\eUninstall.exe SAT Standard
Expresiv Network Client --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1F6257D6-0FC6-4AB3-8D9F-7F86E4BA9EF1} anything
GoToMeeting/GoToWebinar 3.0.0.190 --> C:\Program Files\Citrix\GoToMeeting\190\G2MUninstall.exe /uninstall
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp deskjet 3600 --> MsiExec.exe /X{7CA32143-2DAC-4F5F-9BAA-2AB3707EF192}
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe CeS
hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
Indeo® Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Ipswitch WS_FTP LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3A31EEE-7C65-4EE6-BB0D-5549FD2D67B9}\setup.exe" -l0x9
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java 2 Runtime Environment, SE v1.4.2_06 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! for Windows XP --> MsiExec.exe /I{EEC2DAFD-5558-40AC-8E9C-5005C8F810E8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OLYMPUS CAMEDIA Master 1.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OLYMPUS\CAMEDIA Master\Uninst.isu"
OmniPage SE --> MsiExec.exe /I{6249C22D-E6A8-407B-BA8B-40298848ED94}
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
Ready Reference Bookshelf --> MsiExec.exe /X{1C8646E4-DC54-4E6D-95EA-C3524B09223E}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Sandlot Games Client Services --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shorthand 9 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Shorthand for Windows\Sh9\Sh9UNINST.ISU"
ShowBiz --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{07295ABF-1245-415A-BE06-863271753443}\Setup.exe" -l0x9
Simple Installer - Multilanguage Version --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}\setup.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Stedman's Cardiology & Pulmonary Words, 5th Edition, on CD-ROM --> MsiExec.exe /I{269BFC06-FA5B-44D5-80B5-5A69D76666B1}
Stedman's Cardiovascular & Pulmonary (Shared Components) --> C:\Program Files\Common Files\WoltersKluwerLWW Shared\Uninstall\Stedmans Cardiovascular Pulmonary\B54DC000\UninstApplet.exe /uninstall
Stedman's Electronic Medical Dictionary 5.0 --> C:\PROGRA~1\SEMD50\UNWISE.EXE C:\PROGRA~1\SEMD50\INSTALL.LOG
True Internet Color --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\E-Color\True Internet Color\Uninst.isu" -c"C:\Program Files\E-Color\True Internet Color\TICUninstall.dll"
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WavPlayer 4.3 USB --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Bytescribe\WavPlayer4\DeIsL2.isu" -cC:\PROGRA~1\BYTESC~1\WAVPLA~1\_ISREG32.DLL
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Webshots Desktop --> C:\PROGRA~1\Webshots\UNWISE.EXE C:\PROGRA~1\Webshots\INSTALL.LOG
Windows Desktop Search 3.01 --> "C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Word Craft --> C:\PROGRA~1\SHOCKW~1.COM\WORDCR~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\WORDCR~1\INSTALL.LOG
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type120769 / Error
Event Submitted/Written: 04/09/2008 11:20:57 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application cwshredder.exe, version 2.19.0.1099, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type120767 / Warning
Event Submitted/Written: 04/09/2008 10:26:13 AM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type120766 / Warning
Event Submitted/Written: 04/09/2008 10:26:13 AM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type120760 / Error
Event Submitted/Written: 04/09/2008 09:21:04 AM
Event ID/Source: 3024 / Windows Search Service
Event Description:
Context: Windows Application, SystemIndex Catalog

Event Record #/Type120759 / Warning
Event Submitted/Written: 04/09/2008 09:21:04 AM
Event ID/Source: 3036 / Windows Search Service
Event Description:
Context: Windows Application, SystemIndex Catalog

Details:
The filtering process has been terminated (0x80040db4)
c:\documents and settings\



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1374 / Error
Event Submitted/Written: 04/09/2008 03:08:05 AM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

Event Record #/Type1295 / Error
Event Submitted/Written: 04/08/2008 04:14:14 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

Event Record #/Type1290 / Error
Event Submitted/Written: 04/08/2008 04:02:48 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type1289 / Error
Event Submitted/Written: 04/08/2008 03:56:52 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type1288 / Error
Event Submitted/Written: 04/08/2008 03:56:52 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-04-09 12:03:22 ------------

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please uninstall this: Norton Internet Worm Protection v2006
=========================================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#9
medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Hi I have to leave for about 2 hours, but will be back and do what you told me to do. THANKS
  • 0

#10
medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Where do I go to uninstall Norton? I did not even know I had it and I did a search for the file and it is not showing it. THANKS and I will be posting my other stuff in a minute.
  • 0

#11
medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Hi here is the logtxt notepad result. I did not know where to uninstall Norton as I did not know I had it and I cannot find it on my system.

ComboFix 08-04-08.10 - Owner 2008-04-09 15:16:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.199 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\system32\aimsmx.dll
C:\WINDOWS\system32\aosmx.dll
C:\WINDOWS\system32\gtalsmx.dll
C:\WINDOWS\system32\ymsgsmx.dll
C:\WINDOWS\voiceip.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 11:58 . 2008-04-09 11:58 <DIR> d-------- C:\Deckard
2008-04-09 10:25 . 2008-04-09 10:25 67 --a------ C:\Ntf4.tmp
2008-04-09 10:25 . 2008-04-09 10:25 67 --a------ C:\Ntf3.tmp
2008-04-09 09:48 . 2001-08-23 01:00 68,608 --a--c--- C:\WINDOWS\system32\dllcache\plugin.ocx
2008-04-08 16:54 . 2008-04-08 16:54 67 --a------ C:\Ntf2.tmp
2008-04-08 16:54 . 2008-04-08 16:54 67 --a------ C:\Ntf1.tmp
2008-04-08 16:50 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-04-08 16:50 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-04-08 15:25 . 2008-04-08 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-08 13:05 . 2008-04-09 11:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-08 13:04 . 2008-04-08 13:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-08 13:04 . 2008-04-08 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 12:43 . 2008-04-08 12:43 17,664 --a------ C:\WINDOWS\123messenger.per
2008-04-08 09:50 . 2008-04-08 09:50 <DIR> d-------- C:\Program Files\CCleaner
2008-04-08 08:10 . 2008-04-08 08:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-07 18:39 . 2008-04-07 18:39 31,744 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-07 18:39 . 2008-04-07 18:39 31,488 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-07 11:10 . 2008-04-07 11:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-07 00:46 . 2008-04-07 00:46 3,428 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-06 18:38 . 2008-04-08 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-06 17:17 . 2007-03-29 08:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-06 17:17 . 2007-03-29 08:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-04-06 16:32 . 2008-04-06 16:32 8,960 --a------ C:\WINDOWS\apphelp32.dll
2008-04-06 10:24 . 2008-04-06 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-05 22:46 . 2008-04-06 10:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-05 22:46 . 2008-04-05 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-05 15:05 . 2001-08-23 01:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-04 21:59 . 2008-04-04 21:59 3,262 --a------ C:\WINDOWS\favicon.ico
2008-04-04 16:32 . 2008-04-04 16:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 16:32 . 2008-04-04 16:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 16:09 . 2007-03-08 00:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-03-28 16:09 . 2007-03-08 00:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-03-28 16:08 . 2008-03-28 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-03-28 16:05 . 2007-05-02 06:03 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-03-28 16:04 . 2007-03-15 15:32 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
2008-03-28 16:03 . 2007-03-08 00:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-03-28 15:56 . 2007-05-02 04:56 954,368 -ra------ C:\WINDOWS\system32\hpotiop5.dll
2008-03-28 15:56 . 2007-05-02 05:01 675,840 -ra------ C:\WINDOWS\system32\hpowiax5.dll
2008-03-28 15:56 . 2007-03-08 00:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-03-28 15:56 . 2007-03-08 00:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-03-28 15:56 . 2007-05-02 05:00 303,104 -ra------ C:\WINDOWS\system32\hpovst12.dll
2008-03-28 15:46 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-28 15:46 . 2004-08-04 02:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-20 13:35 . 2008-03-20 13:37 <DIR> d-------- C:\Program Files\Emdat
2008-03-19 18:55 . 2008-03-19 18:55 <DIR> d-------- C:\Program Files\eScription
2008-03-19 18:53 . 2008-03-19 18:53 <DIR> d-------- C:\EditScriptMSILogs
2008-03-19 18:51 . 2008-03-19 18:51 <DIR> d-------- C:\Documents and Settings\Owner\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 03:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 13:53 --------- d-----w C:\Program Files\QLEDR05
2008-04-02 00:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-03-31 09:16 --------- d-----w C:\Program Files\AIM6
2008-03-31 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-31 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-20 21:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\Internet Explorer
2008-03-20 21:34 --------- d-----w C:\Program Files\GoldPocket
2008-03-07 02:14 --------- d-----w C:\Program Files\Java
2008-02-29 18:20 92,464 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-24 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2008-02-24 15:53 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-24 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-02-23 13:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\yoclient
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-15 21:19 --------- d-----w C:\Program Files\Common Files\Adobe
2006-06-12 14:44 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-08-31 19:33 32 --sha-w C:\WINDOWS\{567E7211-6D64-4C22-A829-C17F03F58257}.dat
2003-08-28 12:32 32 --sha-w C:\WINDOWS\{DD873066-2B14-49AB-86D8-F895ABD1AF85}.dat
2003-08-28 12:32 32 --sha-w C:\WINDOWS\system32\{5CE9ABEA-F241-4815-91A6-306832FBAEA5}.dat
2003-08-31 19:33 32 --sha-w C:\WINDOWS\system32\{AF9B2B6F-5424-49AB-8D25-94F7D34E018B}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 03:39 548933 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NvCplDaemon"="NvQTwk" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-08 13:04 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-08 13:04 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-01-14 19:35:56 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp instant support.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
--a------ 2006-07-14 16:36 107008 C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 23:19:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-09 10:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 15:20:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1639 bytes
C:\WINDOWS\system32\clbdll.dll 28672 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
Completion time: 2008-04-09 15:22:21
ComboFix-quarantined-files.txt 2008-04-09 19:21:36
Pre-Run: 85,077,716,992 bytes free
Post-Run: 85,110,931,456 bytes free
.
2008-04-09 03:35:15 --- E O F ---

Here is the Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:43 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsou...oad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - https://www.transcen...bs/wspellam.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellso...aller_4-2-1.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://games.king.co...l/kingcomie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163622349703
O16 - DPF: {AFABF0F0-C13E-4AB2-A1A5-8A8101D38155} (BTClientWorkstation.BeyondTXTClient) - http://workportal.tr...ndTXTClient.CAB
O16 - DPF: {BEB82CC6-09F3-43EA-BEB1-97188E21035D} (FootPedalCtl Class) - http://philicast1.mt...d/footpedal.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.to...0.18/ttinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcimt.webex....ort/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7499 bytes
  • 0

#12
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#13
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You can uninstall Norton this way.
Go to Start > Control Panel > Add\Remove programs.

Click on Norton Internet Worm Protection v2006 then click on remove then follow the prompts to uninstall it.
  • 0

#14
medt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Hi, I will do what you suggested about recovery in the morning. I also checked and Norton is nowhere to be found where you told me to look. I even did a search for file and nothing comes up for Norton or Symantec. I do not know where it is hiding.
  • 0

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OK, no problem, there is a Norton removal tool that we can use later on.
  • 0





