Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

IE very slow. [RESOLVED]


  • This topic is locked This topic is locked

#16
brute force

brute force

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
ok, here you go

Deckard's System Scanner v20071014.68
Run by Dad on 2008-05-08 20:36:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
118: 2008-05-09 00:36:52 UTC - RP298 - Deckard's System Scanner Restore Point
117: 2008-05-08 21:42:08 UTC - RP297 - ComboFix created restore point
116: 2008-05-08 02:33:54 UTC - RP296 - ComboFix created restore point
115: 2008-05-07 23:57:48 UTC - RP295 - ComboFix created restore point
114: 2008-05-07 01:28:44 UTC - RP294 - System Checkpoint


-- First Restore Point --
1: 2008-05-02 18:06:34 UTC - RP181 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Dad.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:01 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\desktop\dss.exe
C:\HIJACK~1\Dad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4563 bytes

-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

backup-20060820-022332-844 O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
backup-20060820-094918-561 R3 - Default URLSearchHook is missing
backup-20060820-094918-632 O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
backup-20060820-094918-790 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-095056-456 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-100103-399 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060820-100103-490 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060820-100103-544 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-141128-196 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20060820-141128-801 O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
backup-20060820-141128-973 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-141159-241 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20061015-182815-996 O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
backup-20061230-163949-110 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-163949-137 O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels1118.exe
backup-20061230-163949-199 O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll (file missing)
backup-20061230-163949-398 O4 - HKLM\..\Run: [once balm 64 title] C:\Documents and Settings\All Users\Application Data\Vga audio once balm\axisblah.exe
backup-20061230-163949-523 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-163949-567 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061230-163949-614 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061230-163949-743 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-163949-815 O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
backup-20061230-163949-826 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-163949-932 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-163949-981 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-164023-727 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061230-170622-180 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170622-381 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170622-559 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170622-710 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170622-785 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170622-901 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170622-909 O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
backup-20061230-170711-149 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170711-332 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170711-339 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170711-409 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170711-839 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170711-886 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-232 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-315 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-222635-407 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-222635-450 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-222635-628 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-717 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-222635-916 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061231-023455-254 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-023455-286 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-023455-463 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-023455-474 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-023455-557 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-023455-649 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-256 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-345 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-032204-441 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-032204-522 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-544 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-032204-604 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-150340-156 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-150340-334 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-150340-424 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-150340-520 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-150340-561 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-150340-622 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061231-150340-781 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-150340-864 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-420 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-152645-575 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-687 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-152645-784 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-152645-795 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-152645-878 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-886 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
backup-20061231-152645-970 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-147 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-250 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-161948-627 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-161948-741 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-161948-784 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-161948-848 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-962 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20070119-102704-965 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20070129-181308-492 O4 - HKLM\..\Run: [hrcopul.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Dad\Local Settings\Application Data\hrcopul.dll",vuljcec
backup-20071026-002019-312 O4 - HKLM\..\Run: [close surf mail dupe] C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\DVD CAKE.exe
backup-20071026-002019-394 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20071026-002019-486 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20071209-173124-352 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071209-173124-384 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20071209-173124-572 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20071209-173124-651 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20071209-173124-655 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
backup-20071209-173124-747 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
backup-20071215-120627-151 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20071215-120627-976 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080219-233558-628 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080219-233558-711 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080504-094051-779 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-094051-999 O4 - HKLM\..\Run: [fcc6b9cc] rundll32.exe "C:\WINDOWS\system32\koqslacq.dll",b
backup-20080504-095910-133 O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
backup-20080504-095910-308 O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
backup-20080504-095910-779 O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
backup-20080504-095910-912 O23 - Service: MSN Auto-Update Util (MSNAuto-IT) - Unknown owner - C:\WINDOWS\system32\msnins.exe (file missing)
backup-20080504-095925-543 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-110434-856 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-160629-491 O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
backup-20080504-160629-512 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080506-191616-129 O4 - HKLM\..\Run: [fcc6b9cc] rundll32.exe "C:\WINDOWS\system32\sqkxoica.dll",b
backup-20080506-191616-140 O2 - BHO: (no name) - {0A141622-E951-46AB-B35B-1B184C044689} - C:\WINDOWS\system32\mlJCSkhE.dll (file missing)
backup-20080506-191616-219 O20 - Winlogon Notify: iiffFyVL - iiffFyVL.dll (file missing)
backup-20080506-191616-223 O2 - BHO: {9374b6de-2c57-839b-ec44-81039f605410} - {014506f9-3018-44ce-b938-75c2ed6b4739} - C:\WINDOWS\system32\jljdopnn.dll (file missing)
backup-20080506-191616-315 O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - C:\WINDOWS\system32\iiffFyVL.dll (file missing)
backup-20080506-191616-920 O2 - BHO: (no name) - {654EDA56-A28C-4882-AAE8-6510FE4D7F82} - C:\WINDOWS\system32\ljJDUklL.dll (file missing)
backup-20080506-191616-952 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\fkujnmri.dll",s

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync03 (StarForce Protection Synchronization Driver (version 3.x)) - c:\windows\system32\drivers\sfsync03.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 ezplay (VSO Software ezplay) - c:\windows\system32\drivers\ezplay.sys <Not Verified; VSO Software; ezplay driver>
S3 RT2500 (RT2500 Wireless Driver) - c:\windows\system32\drivers\rt2500.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless PCI Adapters>
S3 Usblink (Usblink Driver) - c:\windows\system32\drivers\ulink.sys <Not Verified; ; USB SUPERLINK ADAPTER>
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys <Not Verified; VMware, Inc.; VMware virtual network adapter driver (32-bit)>
S3 Wdm1 (USB Bridge Cable Driver) - c:\windows\system32\drivers\usbbc.sys <Not Verified; ; PC-Linq Bridge Cable>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe" (file missing)
S2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Wireless LAN Card
Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_923016EF&REV_01\4&13699180&0&3848
Manufacturer: Ralink Technology, Inc.
Name: Wireless LAN Card
PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_923016EF&REV_01\4&13699180&0&3848
Service: RT2500


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-07 02:12:00 336 --a------ C:\WINDOWS\Tasks\Ad-Aware SE Professional.job
2008-05-06 06:35:00 324 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-07 19:58:11 0 d-------- C:\cmdcons
2008-05-07 19:57:25 68096 --a------ C:\WINDOWS\zip.exe
2008-05-07 19:57:25 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-07 19:57:25 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-07 19:57:25 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-07 19:57:25 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-07 19:57:25 98816 --a------ C:\WINDOWS\sed.exe
2008-05-07 19:57:25 80412 --a------ C:\WINDOWS\grep.exe
2008-05-07 19:57:25 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 21:12:26 0 d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-05-06 21:12:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 21:12:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 19:07:58 0 d-------- C:\bfu
2008-05-05 20:36:09 0 d--h----- C:\$AVG8.VAULT$
2008-05-05 20:27:07 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 20:26:57 0 d-------- C:\Program Files\AVG
2008-05-05 20:26:57 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 16:20:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:20:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 09:38:15 0 d-------- C:\Program Files\Lavasoft
2008-05-03 09:38:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-01 18:20:55 0 dr-h----- C:\Documents and Settings\Dad\Recent
2008-04-12 11:30:15 0 d-------- C:\Program Files\SystemRequirementsLab
2008-04-10 18:46:43 0 d-------- C:\Documents and Settings\Lauren\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-08 17:37:06 0 d-------- C:\Program Files\LogMeIn
2008-05-07 22:49:56 0 d-------- C:\Documents and Settings\Dad\Application Data\ATI MMC
2008-05-04 09:13:12 0 d-------- C:\Documents and Settings\Dad\Application Data\Vso
2008-05-03 09:37:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 17:52:07 0 d-------- C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-04-27 22:03:11 0 d-------- C:\Documents and Settings\Dad\Application Data\LimeWire
2008-04-27 21:25:59 0 d-------- C:\Program Files\LimeWire
2008-04-18 09:01:17 0 d-------- C:\Documents and Settings\Dad\Application Data\dvdcss
2008-04-12 11:55:26 0 d-------- C:\Program Files\Java
2008-04-12 11:43:29 0 d-a------ C:\Program Files\Common Files
2008-04-11 20:29:44 0 d-------- C:\Documents and Settings\Dad\Application Data\VMware
2008-03-06 18:08:24 34 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.log
2008-03-06 18:08:19 47360 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-06 18:08:19 1144 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.inf
2008-03-06 18:08:19 7887 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.cat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/21/2005 05:42 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/05/2008 08:26 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [06/14/2005 09:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C.tmp]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIPCMAE]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE




-- End of Deckard's System Scanner: finished at 2008-05-08 20:37:36 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 37%
Physical Memory (total/avail): 1023.48 MiB / 643.63 MiB
Pagefile Memory (total/avail): 2459.92 MiB / 2176.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.36 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 233.75 GiB total, 41.28 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)
K: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6L250S0 - 233.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 233.75 GiB - C:

\\.\PHYSICALDRIVE1 - IC USB Storage-CFC USB Device

\\.\PHYSICALDRIVE3 - IC USB Storage-MMC USB Device

\\.\PHYSICALDRIVE4 - IC USB Storage-MSC USB Device

\\.\PHYSICALDRIVE2 - IC USB Storage-SMC USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1150319508\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1150319508\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1156536906\\ee\\aolservicehost.exe"="C:\\Program Files\\Common Files\\AOL\\1156536906\\ee\\aolservicehost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"="C:\\Program Files\\Sierra\\FEAR\\FEAR.exe:*:Enabled:FEAR"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"="C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe:*:Enabled:mvp2005"
"C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe"="C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe:*:Enabled:mvp2005"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dad\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRANK-AMD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dad
LOGONSERVER=\\FRANK-AMD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\IsoBuster;C:\Program Files\Common Files\Autodesk Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
USERDOMAIN=FRANK-AMD
USERNAME=Dad
USERPROFILE=C:\Documents and Settings\Dad
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dad (admin)
Mom (new local, admin)
Lauren
Nicole
Danielle
LogMeInRemoteUser (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1Click DVD Copy Pro 3.1.3.3 --> "C:\Program Files\1Click DVD Copy Pro\unins000.exe"
3dsmax ancillary install --> MsiExec.exe /I{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ATCsimulator2 by AEROSOFT Corporation --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ATCsimulator2\ST6UNST.LOG"
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Multimedia Center 9.08 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6892122-8504-4530-8033-C9EF45A4D014} /l1033
AuthorScript Engine 1.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{752CA503-E29F-4610-A1A4-B21CDC58EF8D} /l1033
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BadCopy Pro --> C:\PROGRA~1\Jufsoft\BadCopy\UNWISE.EXE C:\PROGRA~1\Jufsoft\BadCopy\INSTALL.LOG
BitTornado 0.3.7 --> C:\Program Files\BitTornado\uninst.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ConvertXtoDVD 2.2.3.258g --> "C:\Program Files\ConvertXtoDVD\unins000.exe"
Curious George v1.0 --> "C:\Program Files\Namco\Curious George\uninstall.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Doom 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8C48E464-EB9F-43B8-82C5-245EE6B196DF} /l1033 /x
EA SPORTS online 2005 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
FEAR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x9 -removeonly
ffdshow [rev 610] [2006-12-01] --> "C:\Program Files\ffdshow\unins000.exe"
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1120 --> "C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter\unins000.exe"
Fraps --> "C:\Fraps\uninstall.exe"
GUIDE PLUS+™ for Windows® System - ATI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99D34763-7E45-4FE5-8424-28DBC3A5F0BF}\setup.exe"
Hamachi 1.0.2.2 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LimeWire PRO 4.16.0 --> "C:\Program Files\LimeWire\uninstall.exe"
LogMeIn --> MsiExec.exe /I{06BBC7C8-42BD-4571-92AD-E50EE9963C41}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator 2004 A Century of Flight --> "C:\Program Files\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Speech Recognition Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mscsrgpc.inf, Uninstall.NT
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MVP Baseball 2005 --> C:\Program Files\EA SPORTS\MVP Baseball 2005\EAUninstall.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PE Builder 3.1.10a --> "c:\pebuilder3110a\unins000.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims2 University --> C:\WINDOWS\iun6002.exe "C:\Program Files\The Sims2 University\irunin.ini"
The Sims™ 2 Bon Voyage --> C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe
The Sims™ 2 H&M® Fashion Stuff --> C:\Program Files\EA GAMES\The Sims 2 H&M® Fashion Stuff\EAUninstall.exe
The Sims™ Life Stories --> C:\Program Files\Electronic Arts\The Sims Life Stories\EAUninstall.exe
TitanTV Client components for ATI --> MsiExec.exe /I{0A04149A-F6CC-4E4E-BDC6-44D0E64916FC}
Total MLB 1.25 --> "C:\Program Files\EA Sports\MVP Baseball 2005\unins000.exe"
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireless LAN Card --> C:\Program Files\InstallShield Installation Information\{643B36F3-BED0-4FBB-8184-57D1C060DBDA}\setup.exe deinst


-- Application Event Log -------------------------------------------------------

Event Record #/Type20705 / Error
Event Submitted/Written: 05/07/2008 10:55:46 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20692 / Error
Event Submitted/Written: 05/05/2008 08:32:34 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20685 / Error
Event Submitted/Written: 05/05/2008 08:06:38 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 00:06:38,156 FRANK-AMD [003044:000732] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2660) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type20684 / Error
Event Submitted/Written: 05/05/2008 08:06:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Event Record #/Type20683 / Error
Event Submitted/Written: 05/05/2008 08:06:38 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 00:06:38,062 FRANK-AMD [003044:000732] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(728) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type41406 / Warning
Event Submitted/Written: 05/08/2008 06:24:20 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type41394 / Error
Event Submitted/Written: 05/08/2008 06:08:45 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Cyberlink RichVideo Service(CRVS) service failed to start due to the following error:
%%2

Event Record #/Type41385 / Warning
Event Submitted/Written: 05/08/2008 06:03:50 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type41373 / Warning
Event Submitted/Written: 05/08/2008 05:39:33 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type41360 / Error
Event Submitted/Written: 05/08/2008 05:37:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Cyberlink RichVideo Service(CRVS) service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-08 20:37:36 ------------
  • 0

Advertisements


#17
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
====STEP 1====
could you check your files and see if any of these exist
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe


if they do not, then could you delete the associated hijackthis entry, as shown below


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
<== only delete if the file is not present
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
<== only delete if the file is not present

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C.tmp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIPCMAE]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0

#18
brute force

brute force

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
here you go. thanks


Deckard's System Scanner v20071014.68
Run by Dad on 2008-05-09 21:38:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
120: 2008-05-10 01:38:26 UTC - RP300 - Deckard's System Scanner Restore Point
119: 2008-05-10 01:12:17 UTC - RP299 - System Checkpoint
118: 2008-05-09 00:36:52 UTC - RP298 - Deckard's System Scanner Restore Point
117: 2008-05-08 21:42:08 UTC - RP297 - ComboFix created restore point
116: 2008-05-08 02:33:54 UTC - RP296 - ComboFix created restore point


-- First Restore Point --
1: 2008-05-02 18:06:34 UTC - RP181 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Dad.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:29 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\desktop\dss.exe
C:\HIJACK~1\Dad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4627 bytes

-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

backup-20060820-022332-844 O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
backup-20060820-094918-561 R3 - Default URLSearchHook is missing
backup-20060820-094918-632 O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
backup-20060820-094918-790 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-095056-456 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-100103-399 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060820-100103-490 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060820-100103-544 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-141128-196 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20060820-141128-801 O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
backup-20060820-141128-973 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20060820-141159-241 O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
backup-20061015-182815-996 O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
backup-20061230-163949-110 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-163949-137 O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels1118.exe
backup-20061230-163949-199 O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll (file missing)
backup-20061230-163949-398 O4 - HKLM\..\Run: [once balm 64 title] C:\Documents and Settings\All Users\Application Data\Vga audio once balm\axisblah.exe
backup-20061230-163949-523 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-163949-567 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061230-163949-614 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061230-163949-743 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-163949-815 O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
backup-20061230-163949-826 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-163949-932 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-163949-981 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-164023-727 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061230-170622-180 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170622-381 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170622-559 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170622-710 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170622-785 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170622-901 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170622-909 O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
backup-20061230-170711-149 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170711-332 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-170711-339 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-170711-409 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170711-839 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-170711-886 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-232 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-315 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-222635-407 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061230-222635-450 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-222635-628 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061230-222635-717 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061230-222635-916 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061231-023455-254 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-023455-286 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-023455-463 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-023455-474 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-023455-557 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-023455-649 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-256 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-345 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-032204-441 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-032204-522 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-032204-544 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-032204-604 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-150340-156 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-150340-334 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-150340-424 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-150340-520 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-150340-561 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-150340-622 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20061231-150340-781 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-150340-864 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-420 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-152645-575 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-687 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-152645-784 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-152645-795 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-152645-878 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-152645-886 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
backup-20061231-152645-970 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-147 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-250 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
backup-20061231-161948-627 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-161948-741 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20061231-161948-784 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20061231-161948-848 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
backup-20061231-161948-962 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
backup-20070119-102704-965 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20070129-181308-492 O4 - HKLM\..\Run: [hrcopul.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Dad\Local Settings\Application Data\hrcopul.dll",vuljcec
backup-20071026-002019-312 O4 - HKLM\..\Run: [close surf mail dupe] C:\Documents and Settings\All Users\Application Data\Tick Find Close Surf\DVD CAKE.exe
backup-20071026-002019-394 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20071026-002019-486 O4 - HKCU\..\Run: [help each] C:\DOCUME~1\Dad\APPLIC~1\4BLAHA~1\Does Way.exe
backup-20071209-173124-352 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071209-173124-384 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20071209-173124-572 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20071209-173124-651 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20071209-173124-655 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
backup-20071209-173124-747 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
backup-20071215-120627-151 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20071215-120627-976 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080219-233558-628 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080219-233558-711 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080504-094051-779 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-094051-999 O4 - HKLM\..\Run: [fcc6b9cc] rundll32.exe "C:\WINDOWS\system32\koqslacq.dll",b
backup-20080504-095910-133 O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
backup-20080504-095910-308 O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
backup-20080504-095910-779 O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
backup-20080504-095910-912 O23 - Service: MSN Auto-Update Util (MSNAuto-IT) - Unknown owner - C:\WINDOWS\system32\msnins.exe (file missing)
backup-20080504-095925-543 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-110434-856 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080504-160629-491 O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
backup-20080504-160629-512 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\huqenhiu.dll",s
backup-20080506-191616-129 O4 - HKLM\..\Run: [fcc6b9cc] rundll32.exe "C:\WINDOWS\system32\sqkxoica.dll",b
backup-20080506-191616-140 O2 - BHO: (no name) - {0A141622-E951-46AB-B35B-1B184C044689} - C:\WINDOWS\system32\mlJCSkhE.dll (file missing)
backup-20080506-191616-219 O20 - Winlogon Notify: iiffFyVL - iiffFyVL.dll (file missing)
backup-20080506-191616-223 O2 - BHO: {9374b6de-2c57-839b-ec44-81039f605410} - {014506f9-3018-44ce-b938-75c2ed6b4739} - C:\WINDOWS\system32\jljdopnn.dll (file missing)
backup-20080506-191616-315 O2 - BHO: (no name) - {BC7D8DE8-EF3D-4F44-8B54-03759FAC1367} - C:\WINDOWS\system32\iiffFyVL.dll (file missing)
backup-20080506-191616-920 O2 - BHO: (no name) - {654EDA56-A28C-4882-AAE8-6510FE4D7F82} - C:\WINDOWS\system32\ljJDUklL.dll (file missing)
backup-20080506-191616-952 O4 - HKLM\..\Run: [BMfff58a50] Rundll32.exe "C:\WINDOWS\system32\fkujnmri.dll",s

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync03 (StarForce Protection Synchronization Driver (version 3.x)) - c:\windows\system32\drivers\sfsync03.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 ezplay (VSO Software ezplay) - c:\windows\system32\drivers\ezplay.sys <Not Verified; VSO Software; ezplay driver>
S3 RT2500 (RT2500 Wireless Driver) - c:\windows\system32\drivers\rt2500.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless PCI Adapters>
S3 Usblink (Usblink Driver) - c:\windows\system32\drivers\ulink.sys <Not Verified; ; USB SUPERLINK ADAPTER>
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys <Not Verified; VMware, Inc.; VMware virtual network adapter driver (32-bit)>
S3 Wdm1 (USB Bridge Cable Driver) - c:\windows\system32\drivers\usbbc.sys <Not Verified; ; PC-Linq Bridge Cable>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe" (file missing)
S2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Wireless LAN Card
Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_923016EF&REV_01\4&13699180&0&3848
Manufacturer: Ralink Technology, Inc.
Name: Wireless LAN Card
PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_923016EF&REV_01\4&13699180&0&3848
Service: RT2500


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 06:35:00 324 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-05-09 02:12:00 336 --a------ C:\WINDOWS\Tasks\Ad-Aware SE Professional.job


-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-07 19:58:11 0 d-------- C:\cmdcons
2008-05-07 19:57:25 68096 --a------ C:\WINDOWS\zip.exe
2008-05-07 19:57:25 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-07 19:57:25 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-07 19:57:25 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-07 19:57:25 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-07 19:57:25 98816 --a------ C:\WINDOWS\sed.exe
2008-05-07 19:57:25 80412 --a------ C:\WINDOWS\grep.exe
2008-05-07 19:57:25 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 21:12:26 0 d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-05-06 21:12:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 21:12:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 19:07:58 0 d-------- C:\bfu
2008-05-05 20:36:09 0 d--h----- C:\$AVG8.VAULT$
2008-05-05 20:27:07 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 20:26:57 0 d-------- C:\Program Files\AVG
2008-05-05 20:26:57 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 16:20:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:20:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 09:38:15 0 d-------- C:\Program Files\Lavasoft
2008-05-03 09:38:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-01 18:20:55 0 dr-h----- C:\Documents and Settings\Dad\Recent
2008-04-12 11:30:15 0 d-------- C:\Program Files\SystemRequirementsLab
2008-04-10 18:46:43 0 d-------- C:\Documents and Settings\Lauren\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-09 00:04:39 0 d-------- C:\Program Files\LogMeIn
2008-05-08 22:05:36 0 d-------- C:\Documents and Settings\Dad\Application Data\ATI MMC
2008-05-04 09:13:12 0 d-------- C:\Documents and Settings\Dad\Application Data\Vso
2008-05-03 09:37:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 17:52:07 0 d-------- C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-04-27 22:03:11 0 d-------- C:\Documents and Settings\Dad\Application Data\LimeWire
2008-04-27 21:25:59 0 d-------- C:\Program Files\LimeWire
2008-04-18 09:01:17 0 d-------- C:\Documents and Settings\Dad\Application Data\dvdcss
2008-04-12 11:55:26 0 d-------- C:\Program Files\Java
2008-04-12 11:43:29 0 d-a------ C:\Program Files\Common Files
2008-04-11 20:29:44 0 d-------- C:\Documents and Settings\Dad\Application Data\VMware
2008-03-06 18:08:24 34 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.log
2008-03-06 18:08:19 47360 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-06 18:08:19 1144 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.inf
2008-03-06 18:08:19 7887 --a------ C:\Documents and Settings\Dad\Application Data\pcouffin.cat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/21/2005 05:42 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/05/2008 08:26 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [06/14/2005 09:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C.tmp]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIPCMAE]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE




-- End of Deckard's System Scanner: finished at 2008-05-09 21:39:02 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 1023.48 MiB / 551.19 MiB
Pagefile Memory (total/avail): 2459.92 MiB / 2095.59 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.36 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 233.75 GiB total, 41.22 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)
K: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6L250S0 - 233.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 233.75 GiB - C:

\\.\PHYSICALDRIVE1 - IC USB Storage-CFC USB Device

\\.\PHYSICALDRIVE3 - IC USB Storage-MMC USB Device

\\.\PHYSICALDRIVE4 - IC USB Storage-MSC USB Device

\\.\PHYSICALDRIVE2 - IC USB Storage-SMC USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1150319508\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1150319508\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1156536906\\ee\\aolservicehost.exe"="C:\\Program Files\\Common Files\\AOL\\1156536906\\ee\\aolservicehost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"="C:\\Program Files\\Sierra\\FEAR\\FEAR.exe:*:Enabled:FEAR"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"="C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe:*:Enabled:mvp2005"
"C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe"="C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe:*:Enabled:mvp2005"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dad\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRANK-AMD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dad
LOGONSERVER=\\FRANK-AMD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\IsoBuster;C:\Program Files\Common Files\Autodesk Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
USERDOMAIN=FRANK-AMD
USERNAME=Dad
USERPROFILE=C:\Documents and Settings\Dad
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dad (admin)
Mom (new local, admin)
Lauren
Nicole
Danielle
LogMeInRemoteUser (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1Click DVD Copy Pro 3.1.3.3 --> "C:\Program Files\1Click DVD Copy Pro\unins000.exe"
3dsmax ancillary install --> MsiExec.exe /I{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ATCsimulator2 by AEROSOFT Corporation --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ATCsimulator2\ST6UNST.LOG"
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Multimedia Center 9.08 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6892122-8504-4530-8033-C9EF45A4D014} /l1033
AuthorScript Engine 1.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{752CA503-E29F-4610-A1A4-B21CDC58EF8D} /l1033
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BadCopy Pro --> C:\PROGRA~1\Jufsoft\BadCopy\UNWISE.EXE C:\PROGRA~1\Jufsoft\BadCopy\INSTALL.LOG
BitTornado 0.3.7 --> C:\Program Files\BitTornado\uninst.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ConvertXtoDVD 2.2.3.258g --> "C:\Program Files\ConvertXtoDVD\unins000.exe"
Curious George v1.0 --> "C:\Program Files\Namco\Curious George\uninstall.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Doom 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8C48E464-EB9F-43B8-82C5-245EE6B196DF} /l1033 /x
EA SPORTS online 2005 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
FEAR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x9 -removeonly
ffdshow [rev 610] [2006-12-01] --> "C:\Program Files\ffdshow\unins000.exe"
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1120 --> "C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter\unins000.exe"
Fraps --> "C:\Fraps\uninstall.exe"
GUIDE PLUS+™ for Windows® System - ATI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99D34763-7E45-4FE5-8424-28DBC3A5F0BF}\setup.exe"
Hamachi 1.0.2.2 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LimeWire PRO 4.16.0 --> "C:\Program Files\LimeWire\uninstall.exe"
LogMeIn --> MsiExec.exe /I{06BBC7C8-42BD-4571-92AD-E50EE9963C41}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator 2004 A Century of Flight --> "C:\Program Files\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Speech Recognition Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mscsrgpc.inf, Uninstall.NT
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MVP Baseball 2005 --> C:\Program Files\EA SPORTS\MVP Baseball 2005\EAUninstall.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PE Builder 3.1.10a --> "c:\pebuilder3110a\unins000.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims2 University --> C:\WINDOWS\iun6002.exe "C:\Program Files\The Sims2 University\irunin.ini"
The Sims™ 2 Bon Voyage --> C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe
The Sims™ 2 H&M® Fashion Stuff --> C:\Program Files\EA GAMES\The Sims 2 H&M® Fashion Stuff\EAUninstall.exe
The Sims™ Life Stories --> C:\Program Files\Electronic Arts\The Sims Life Stories\EAUninstall.exe
TitanTV Client components for ATI --> MsiExec.exe /I{0A04149A-F6CC-4E4E-BDC6-44D0E64916FC}
Total MLB 1.25 --> "C:\Program Files\EA Sports\MVP Baseball 2005\unins000.exe"
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireless LAN Card --> C:\Program Files\InstallShield Installation Information\{643B36F3-BED0-4FBB-8184-57D1C060DBDA}\setup.exe deinst


-- Application Event Log -------------------------------------------------------

Event Record #/Type20705 / Error
Event Submitted/Written: 05/07/2008 10:55:46 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20692 / Error
Event Submitted/Written: 05/05/2008 08:32:34 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20685 / Error
Event Submitted/Written: 05/05/2008 08:06:38 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 00:06:38,156 FRANK-AMD [003044:000732] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2660) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type20684 / Error
Event Submitted/Written: 05/05/2008 08:06:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Event Record #/Type20683 / Error
Event Submitted/Written: 05/05/2008 08:06:38 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-06 00:06:38,062 FRANK-AMD [003044:000732] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(728) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type41416 / Warning
Event Submitted/Written: 05/09/2008 09:37:41 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type41414 / Warning
Event Submitted/Written: 05/09/2008 01:12:26 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type41412 / Warning
Event Submitted/Written: 05/08/2008 10:05:43 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{B29F8D9F-9CE8-4C43-92C1-9720C6D3D6D7}.

Event Record #/Type41409 / Warning
Event Submitted/Written: 05/08/2008 08:42:03 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type41406 / Warning
Event Submitted/Written: 05/08/2008 06:24:20 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-05-09 21:39:02 ------------
  • 0

#19
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
hmm.....something did not go quite right there. could you redo my instructions in my prior post and then post the combofix log and a new hijackthis log (you ran and posted a DSS log instead, and i dont think you tackled those hijackthis entries?).

andrewuk
  • 0

#20
brute force

brute force

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
sorry about that. here you go

ComboFix 08-05-01.3 - Dad 2008-05-10 12:01:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.662 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-05-07 19:57 . 2008-05-07 19:57 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-06 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 21:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 21:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 21:07 . 2008-05-06 21:07 <DIR> d-------- C:\Program Files\ERUNT
2008-05-06 19:07 . 2008-05-06 19:08 <DIR> d-------- C:\bfu
2008-05-05 20:36 . 2008-05-07 19:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-05 20:27 . 2008-05-05 20:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 20:27 . 2008-05-05 20:27 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-05 20:27 . 2008-05-05 20:27 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Program Files\AVG
2008-05-05 20:26 . 2008-05-05 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 20:02 . 2008-05-04 20:02 <DIR> d-------- C:\Deckard
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 16:20 . 2008-05-04 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 16:08 . 2008-05-04 16:08 <DIR> d-------- C:\_OTMoveIt
2008-05-03 09:38 . 2008-05-03 09:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-03 09:38 . 2008-05-03 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 15:33 . 2008-05-02 15:33 95 --a------ C:\WINDOWS\wininit.ini
2008-05-02 14:03 . 2008-05-02 14:03 1,024 --ah----- C:\Documents and Settings\All Users\ntuser.dat.LOG
2008-04-12 11:30 . 2008-04-12 11:30 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 04:02 --------- d-----w C:\Program Files\LogMeIn
2008-05-10 01:57 --------- d-----w C:\Documents and Settings\Dad\Application Data\ATI MMC
2008-05-10 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-05-04 13:13 --------- d-----w C:\Documents and Settings\Dad\Application Data\Vso
2008-05-03 13:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 20:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 21:52 --------- d-----w C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-04-28 02:03 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2008-04-28 01:25 --------- d-----w C:\Program Files\LimeWire
2008-04-18 13:01 --------- d-----w C:\Documents and Settings\Dad\Application Data\dvdcss
2008-04-12 15:55 --------- d-----w C:\Program Files\Java
2008-04-12 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-04-12 15:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-12 00:29 --------- d-----w C:\Documents and Settings\Dad\Application Data\VMware
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-06 22:08 47,360 ----a-w C:\Documents and Settings\Dad\Application Data\pcouffin.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-08 00:14 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-10-31 21:35 94,208 ----a-w C:\Documents and Settings\Dad\Application Data\ezplay.sys
.

((((((((((((((((((((((((((((( [email protected]_21.18.43.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-08 00:01:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-10 15:40:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2005-06-14 21:50 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-21 17:42 7311360]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-05 20:26 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2005-06-14 21:49 53248 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"=
"C:\\Program Files\\EA SPORTS\\Total Classics 1978\\mvp2005.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 11:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-05 20:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-05 20:26]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R3 atinysxx;ATI USB 2.0 TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinysxx.sys [2005-01-25 21:36]
R3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;C:\WINDOWS\system32\DRIVERS\atinyvxx.sys [2005-01-25 21:36]
R3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;C:\WINDOWS\system32\DRIVERS\atinyuxx.sys [2005-01-25 21:37]
R3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;C:\WINDOWS\system32\Drivers\ATIUTD.sys [2005-01-25 22:37]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-04-17 14:00]
R3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;C:\WINDOWS\system32\DRIVERS\atinyttx.sys [2005-01-25 21:33]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 10:28]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-07 21:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 06:12:00 C:\WINDOWS\Tasks\Ad-Aware SE Professional.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2008-05-09 10:35:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 12:02:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-10 12:03:31
ComboFix-quarantined-files.txt 2008-05-10 16:03:29
ComboFix2.txt 2008-05-08 21:44:47
ComboFix3.txt 2008-05-08 02:35:11
ComboFix4.txt 2008-05-08 01:18:55

Pre-Run: 44,228,083,712 bytes free
Post-Run: 44,219,142,144 bytes free

140 --- E O F --- 2008-04-12 07:02:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:50 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4575 bytes
  • 0

#21
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
ok, last thing i can think of before we wrap this up is to get rid of the remnants of norton on your system.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



then go HERE and choose the product that is/was installed and then download the removal tool.
Run it and reboot.
This should get rid of Norton.


and then could you just post a new hijackthis log and tell me how your machine is running now

andrewuk
  • 0

#22
brute force

brute force

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
here you are. machine seems to be runing better.

what spyware program should i use. what are your thoughts?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:51 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dad\My Documents\Norton_Removal_Tool.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\WZSE0.TMP\SymNRT.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 4954 bytes
  • 0

#23
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi brute force

congratulations, your logs are clean and another fix is in the can :)

what spyware program should i use. what are your thoughts?

coming to that now

in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.


====STEP 1====
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image
you can also remove any other fix tools we used



====STEP 2====
resetting your restore points:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Instructions with screenshots to help is http://www.f-secure..../sfc_dis1.shtml

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405



====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help your further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
  • 0

#24
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP