Help! Pop-ups won't go away! [RESOLVED]



#1 FutureWoWplayer
Hello all, first let me say I love this website. It has helped me through so many problems that I would never have been able to figure out. Now time to get down to the nitty gritty. For the last few days my computer has been really bogged down. It's running really slow, and pop-ups are appearing left and right. I followed all the steps before coming to post my HijackThis log, and the problem still hasn't been fixed. Another thing that I've had trouble with is that some programs in my Add/Remove Programs list won't remove. They either freeze during the installation process, or they say that something else is being installed and this program can't be uninstalled at the moment. Well, here's hoping you guys can help; I know you can, you always do. Thank you again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:17 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PhilipsDM] C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7594 bytes
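One way to do a first pass over a log in this format, as an added example that is not part of the thread and not HijackThis code: the script below applies the checks a helper would otherwise make by eye on the entries above. It flags O4 autoruns that start from a user-writable profile or temp directory, O4 entries registered under the SYSTEM (S-1-5-18) or Default User hive, O6 Internet Explorer policy restrictions, an O10 Winsock LSP that HijackThis could not identify, a non-empty O20 AppInit_DLLs value, and an O23 service whose binary carries no publisher name. The sample log is constructed (the profile name is a placeholder) and the heuristics are my own; a flag means "verify this entry", not "this is malware".

```python
"""Triage helper for HijackThis v2 logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format; the entry shapes mirror the
# thread's log (O4/O6/O10/O20/O23) but the profile name is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\user\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Directories an ordinary user (or malware running as that user) can write to.
# Legitimate machine-wide autoruns almost always live under Program Files or WINDOWS.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)
# Run keys for the SYSTEM account and the Default User template: ordinary
# desktop software has no business registering itself there.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    name: str     # autorun value name, DLL name or service name ("" if none)
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper should look at first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O4":
            m = O4_RE.match(line)
            if not m:
                continue  # "Global Startup" .lnk entries carry no [name]; not checked here
            hive, name, cmd = m.group("hive", "name", "cmd")
            if any(d in cmd.lower() for d in USER_WRITABLE):
                findings.append(Finding("O4", name, "autorun launches from a user-writable profile or temp directory", line))
            if hive.startswith(SYSTEM_HIVES):
                findings.append(Finding("O4", name, "autorun registered under the SYSTEM or Default User hive", line))
        elif section == "O6":
            findings.append(Finding("O6", "", "IE policy restrictions set; on a home PC nothing legitimate normally writes these", line))
        elif section == "O10" and "Unknown file" in line:
            findings.append(Finding("O10", "", "Winsock LSP HijackThis could not identify; an LSP sees every socket's traffic", line))
        elif section == "O20" and line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(Finding("O20", value, "AppInit_DLLs is loaded into every process that maps user32.dll", line))
        elif section == "O23":
            m = O23_RE.match(line)
            if m and m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", m.group("name"), "service binary has no publisher in its version info", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name or '-':20} {f.reason}")
```

Run against the thread's full log, the same rules would pick out the dbar_starter entry under Application Data, the two MySpaceIM autoruns under the SYSTEM and Default User hives, both O6 lines, the O10 LSP, the AppInit_DLLs value and the Adobe LM Service. Each of those still needs a manual verdict: the AppInit_DLLs value and the Adobe service are named like vendor components (AVG, Adobe), so for them the next step is a vendor check, not removal.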


#2 Rorschach112
Hello

Open notepad, click Format, uncheck wordwrap


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 FutureWoWplayer
So 11 hours later, the online scan actually finished. I never thought a virus scan could take that long. But as it was scanning it did find like 13 viruses. So here is the text file from that scan. I'll post the DSS main.txt and extra.txt in a follow-up post.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 14, 2008 6:57:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 772548
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 144064
Number of viruses found: 13
Number of infected objects: 30
Number of suspicious objects: 12
Duration of the scan process: 11:14:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip/9313984temp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS1.zip/125026.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS10.zip/125026.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS5.zip/9313984temp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS6.zip/125026.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS9.zip/9313984temp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgam.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgns.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.20812 Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.40078 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.48448 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.49277 Infected: Trojan-Spy.Win32.VB.agy skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.57014 Infected: P2P-Worm.Win32.VB.dw skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-2afc8601-7e58f099.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-2afc8601-7e58f099.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4941f397-3200acbf.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4941f397-3200acbf.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-38627359.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-38627359.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-4159b1cc.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-4159b1cc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-5e0f2cca.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-5e0f2cca.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-197d240f.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-197d240f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-5-14-2008( 6-52-15 ).LOG Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\History\History.IE5\MSHist012008051420080515\index.dat Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Temp\JET90F8.tmp Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\download\mirc62.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\download\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\download\mirc62.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\My Music\New [bleep]\01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\My Music\New [bleep]\bay area mix.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\My Music\New [bleep]\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP590\A0670159.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP599\A0671669.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP599\A0671673.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP599\A0671674.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP599\A0671675.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP599\A0671676.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP599\A0671677.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP623\A0673863.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP624\A0673873.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP625\A0673912.dll Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP625\A0673936.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP625\A0673942.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP625\A0673943.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP626\A0673957.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP626\A0673958.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP626\A0673985.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP626\A0673991.dll Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP627\A0673998.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP627\A0674004.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP627\A0674005.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP627\A0674020.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP627\A0674027.exe Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP629\A0674069.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP629\A0674069.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP629\A0674069.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP629\A0674069.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP629\A0674069.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP634\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{41D3BDD4-4865-414F-B6E1-EA63E1BA6DCC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\diskk.sys Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.bak Infected: Trojan-Clicker.Win32.Qhost.f skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\kdojk.ren Infected: Trojan.Win32.DNSChanger.apn skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
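The report above counts 30 infected objects, but most of them are not live threats: many sit in Malwarebytes' and Spybot's own quarantine and recovery folders, in System Restore snapshots, or in the Java deployment cache, and every "Object is locked" line is a file the scanner could not open at all rather than a detection. The script below, an added example that is not part of the thread and not Kaspersky tooling, parses the report format and sorts each entry into those buckets so that what is still actually on disk stands out. The sample report is constructed from a subset of the line shapes above with a placeholder profile name, and the bucket rules are my own.

```python
"""Sort a Kaspersky Online Scanner report into actionable buckets (added example)."""
from __future__ import annotations

import re

# Constructed sample in the report format seen in the thread; the line shapes
# are the real ones, the profile name is a placeholder.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER REPORT
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\user\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.20812 Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip/9313984temp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-2afc8601-7e58f099.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{D2CEEE68-99EA-4803-9673-F90E7123E9BC}\RP629\A0674069.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\Documents and Settings\user\My Documents\download\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\user\My Documents\download\mirc62.exe NSIS: infected - 2 skipped
C:\Documents and Settings\user\My Documents\My Music\New\bay area mix.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\WINDOWS\system32\drivers\etc\hosts.bak Infected: Trojan-Clicker.Win32.Qhost.f skipped
C:\WINDOWS\TEMP\kdojk.ren Infected: Trojan.Win32.DNSChanger.apn skipped

Scan process completed.
"""

# One report line: <path with spaces> <verdict> <last action>. Paths contain
# spaces, so the verdict is recognised by its fixed shapes and the path is
# whatever precedes it.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+|\S+: (?:infected|suspicious) - \d+)"
    r"\s+(?P<action>\S+)$"
)
# Archive summary lines such as "NSIS: infected - 2"; their members are listed separately.
CONTAINER_RE = re.compile(r"^\S+: (?:infected|suspicious) - \d+$")

CATEGORIES = ("live", "pua", "quarantine", "restore_point", "browser_cache", "container", "locked")


def classify(path: str, verdict: str) -> str:
    """Bucket a detection by where the file lives, most specific rule first."""
    p = path.lower()
    if verdict == "Object is locked":
        return "locked"          # in use, never scanned: not a detection at all
    if CONTAINER_RE.match(verdict):
        return "container"       # archive summary; count the members, not the wrapper
    if "\\quarantine\\" in p or "\\spybot - search & destroy\\recovery\\" in p:
        return "quarantine"      # already contained by another tool
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # only comes back if that restore point is used
    if "\\sun\\java\\deployment\\cache\\" in p or "\\temporary internet files\\" in p:
        return "browser_cache"   # exploit residue from a drive-by; safe to purge
    if "not-a-virus" in verdict:
        return "pua"             # Kaspersky's label for riskware/adware, e.g. an IRC client
    return "live"


def summarize(report_text: str) -> dict[str, list[tuple[str, str]]]:
    """Parse the detection table and return {category: [(path, verdict), ...]}."""
    buckets: dict[str, list[tuple[str, str]]] = {c: [] for c in CATEGORIES}
    in_table = False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if line.startswith("Scan process completed"):
            break
        if not in_table or not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        path, verdict = m.group("path"), m.group("verdict")
        buckets[classify(path, verdict)].append((path, verdict))
    return buckets


if __name__ == "__main__":
    for cat, items in summarize(SAMPLE_REPORT).items():
        print(f"{cat:14} {len(items)}")
        for path, verdict in items:
            print(f"    {verdict:45} {path}")
```

Applied to the poster's full report, the "live" bucket is the hosts.bak copy under drivers\etc, the file in C:\WINDOWS\TEMP, and the three media files under My Music; those are what the cleanup has to deal with. The quarantine and restore-point entries are handled by emptying the quarantines and clearing old restore points once the machine is clean, the Java cache entries by clearing that cache, and the mIRC installer is a not-a-virus classification, which is a judgement call for the owner rather than an infection.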

#4 FutureWoWplayer
Here are the DSS txt files that you wanted as well. I've separated the main.txt and extra.txt by ----

Deckard's System Scanner v20071014.68
Run by Christopher Wilson on 2008-05-14 19:04:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
52: 2008-05-15 02:04:38 UTC - RP635 - Deckard's System Scanner Restore Point
51: 2008-05-14 10:03:37 UTC - RP634 - Software Distribution Service 3.0
50: 2008-05-13 18:00:29 UTC - RP633 - System Checkpoint
49: 2008-05-12 17:14:43 UTC - RP632 - System Checkpoint
48: 2008-05-11 05:28:29 UTC - RP631 - System Checkpoint


-- First Restore Point --
1: 2008-05-08 09:15:09 UTC - RP584 - Removed HP Software Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Christopher Wilson.exe) ----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:12 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Christopher Wilson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PhilipsDM] C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7628 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver2.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver2.exe","%1"
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 diskk - c:\windows\system32\drivers\diskk.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 sf (SFI Service) - c:\windows\system32\drivers\sf.sys <Not Verified; Sonic Focus, Inc; Sonic Focus DSP service driver>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT®>
S3 MidiSyn - c:\windows\system32\drivers\midisyn.sys (file missing)
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 07:10:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-13 06:35:23 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-05-13 06:35:20 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-09 08:44:29 0 d-------- C:\Program Files\Trend Micro
2008-05-08 15:22:47 0 d--h----- C:\$AVG8.VAULT$
2008-05-08 14:38:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-08 14:38:13 0 d-------- C:\Program Files\AVG
2008-05-08 14:38:12 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-08 08:37:13 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 02:39:20 0 d-------- C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes
2008-05-08 02:39:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-08 02:39:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 02:19:56 44544 -----n--- C:\WINDOWS\system32\geBuRLcY.dll
2008-05-08 02:09:48 0 d-------- C:\Program Files\SwitchBlade
2008-05-08 02:09:41 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-08 02:07:19 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Mozilla
2008-05-07 23:41:58 0 d--hs---- C:\WINDOWS\Q2hyaXN0b3BoZXIgV2lsc29u
2008-05-07 23:41:52 86144 --a------ C:\WINDOWS\system32\drivers\diskk.sys
2008-05-07 23:41:46 0 d-------- C:\WINDOWS\system32\vdTMP
2008-05-07 23:41:46 0 d-------- C:\WINDOWS\system32\hNF
2008-05-07 23:41:46 0 d-------- C:\WINDOWS\system32\2033b
2008-05-07 23:41:40 0 d-------- C:\WINDOWS\system32\bkEur18
2008-05-07 23:41:38 0 ---hs---- C:\WINDOWS\system32\tracert.com
2008-05-07 23:41:38 0 ---hs---- C:\WINDOWS\system32\tasklist.com
2008-05-07 23:41:38 0 ---hs---- C:\WINDOWS\system32\taskkill.com
2008-05-07 23:41:38 0 ---hs---- C:\WINDOWS\system32\regedit.com
2008-05-07 23:41:38 0 ---hs---- C:\WINDOWS\system32\ping.com
2008-05-07 23:41:38 0 ---hs---- C:\WINDOWS\system32\netstat.com
2008-05-07 23:41:38 0 ---hs---- C:\WINDOWS\system32\cmd.com
2008-05-07 23:41:38 0 d--hs---- C:\Program Files\outlook
2008-05-07 23:41:35 44544 -----n--- C:\WINDOWS\system32\xxyvusrO.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-08 19:46:08 0 d-------- C:\Program Files\AIM6
2008-05-08 08:37:13 0 d-------- C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\SUPERAntiSpyware.com
2008-05-08 08:36:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 02:38:42 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-23 05:37:28 0 d-------- C:\Program Files\World of Warcraft
2008-04-18 18:30:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-16 05:20:40 0 d-------- C:\Program Files\LimeWire
2008-04-06 15:48:29 0 d-------- C:\Program Files\MySpace
2008-04-02 13:57:56 0 d-------- C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\GRETECH
2008-04-02 13:57:31 0 d-------- C:\Program Files\GRETECH


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [09/17/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 01:07 AM]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/17/2007 01:07 AM]
"P17Helper"="P17.dll" [05/03/2005 07:38 PM C:\WINDOWS\system32\P17.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [11/07/2006 03:41 PM]
"outlook"="C:\Program Files\outlook\outlook.exe" []
"dbar_starter"="C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/08/2008 02:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/08/2008 12:57 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
PKZIP Attachments Status.lnk - C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe [1/26/2008 12:11:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 05/08/2008 12:57 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\536P3EV]
ine20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\K0pFROZsg]
ifml400.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security iGuard]
C:\Program Files\Security iGuard\Security iGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsFY]
c:\wp.exe




-- End of Deckard's System Scanner: finished at 2008-05-14 19:10:28 ------------

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

(Here is the extra.txt file)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 766.73 MiB / 439.97 MiB
Pagefile Memory (total/avail): 1467.38 MiB / 1081.6 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.27 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 127.99 GiB total, 45.39 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160023A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 127.99 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntivirusOverride is set.
FirewallOverride is set.

AV: AVG Anti-Virus v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Disabled:Blizzard Downloader"
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"="C:\\Program Files\\VentSrv\\ventrilo_srv.exe:*:Disabled:ventrilo_srv"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=N-IJ3WI4B7CPVTQ
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ
LOGONSERVER=\\N-IJ3WI4B7CPVTQ
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CHRIST~1.N-I\LOCALS~1\Temp
TMP=C:\DOCUME~1\CHRIST~1.N-I\LOCALS~1\Temp
USERDOMAIN=N-IJ3WI4B7CPVTQ
USERNAME=Christopher Wilson
USERPROFILE=C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Christopher Wilson.N-IJ3WI4B7CPVTQ (admin)
Administrator.N-IJ3WI4B7CPVTQ (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\435a6af7459cb02a9c1138113a26e93\Setup.exe
Adobe Dreamweaver CS3 --> MsiExec.exe /I{F01D5ED5-D53A-4468-B428-149DC2CB3110}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{77D2A9D3-5800-43E3-B274-87841BC87DB2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{2A539CD9-0F75-4875-9A32-E06DD93C4114}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Setup --> MsiExec.exe /I{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}
Adobe Setup --> MsiExec.exe /I{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fable - The Lost Chapters --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}
GCalc 3 --> C:\WINDOWS\system32\javaws.exe -uninstall "http://gcalc.net/jar/gcalc3.jnlp"
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Local Settings\Temporary Internet Files\Content.IE5\I0SWPTQB\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Image Zone Express --> MsiExec.exe /X{8F7A4D82-B168-4F89-99C2-B9873EC877AF}
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Linksys Wireless-G USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nero 7 Demo --> MsiExec.exe /I{84B2CF01-194D-2284-B313-F2E0D78D1033}
Nero Recode CE --> C:\WINDOWS\UNRecode.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA WDM Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\Setup.exe"
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PKZIP for Windows 9.00.0010 --> MsiExec.exe /I{BE8DD809-A406-40E2-AB9F-28E69E737383}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninst
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
StuffIt Standard Edition 7.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41915CC3-BD28-43C3-9C94-1A7548DEF582}\Setup.exe" -l0x9
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SwitchBlade --> MsiExec.exe /X{D3C2E593-289F-4F6F-A87A-70F5D04D3FD9}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Videora iPod Converter 3.07 --> C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type3532 / Error
Event Submitted/Written: 05/11/2008 11:22:05 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3505 / Error
Event Submitted/Written: 05/09/2008 10:25:35 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3498 / Error
Event Submitted/Written: 05/08/2008 11:24:59 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mim.exe, version 10.0.4.40, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [mim.exe!ws!]

Event Record #/Type3482 / Error
Event Submitted/Written: 05/08/2008 03:53:33 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mim.exe, version 10.0.4.40, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [mim.exe!ws!]

Event Record #/Type3476 / Error
Event Submitted/Written: 05/08/2008 02:05:43 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type44637 / Error
Event Submitted/Written: 05/14/2008 07:09:29 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type44636 / Warning
Event Submitted/Written: 05/14/2008 04:55:53 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type44615 / Error
Event Submitted/Written: 05/14/2008 03:17:08 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The ASCTRM service failed to start due to the following error:
%%2

Event Record #/Type44606 / Warning
Event Submitted/Written: 05/14/2008 02:58:55 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type44604 / Warning
Event Submitted/Written: 05/13/2008 01:22:23 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-05-14 19:10:28 ------------

Let me know if there is anything else I need to scan or download for you guys. I will be off work, so my postings should come a lot faster, and the scans shouldn't take so long. Thanks again for all the help.

Edited by FutureWoWplayer, 14 May 2008 - 09:17 PM.

  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

You need to delete these files

C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\My Music\New [bleep]\01 Track 1.wma
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\My Music\New [bleep]\bay area mix.mp3
C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\My Documents\My Music\New [bleep]\Eighties classic.wma




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\drivers\etc\hosts.bak
    C:\WINDOWS\TEMP\kdojk.ren 
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#6
FutureWoWplayer

FutureWoWplayer

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
Here is the first log you requested. It didn't take any time at all; in fact, I don't think it actually did anything. It made the taskbar disappear for a hot second, but that was it. Here it is:

Explorer killed successfully
C:\WINDOWS\system32\drivers\etc\hosts.bak moved successfully.
File/Folder C:\WINDOWS\TEMP\kdojk.ren not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05152008_125345

----------------

Also I deleted the three files that you requested I delete.
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok good

Run ComboFix now
  • 0

#8
FutureWoWplayer

FutureWoWplayer

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
So I installed ComboFix and did everything that the instructions said to do to install the Windows XP Recovery Console. Well, my computer rebooted, and it said please wait while ComboFix generates a report. It also said not to activate any programs in the process. So I left my computer on while I went to work, hoping that it would generate the report by the time I got home. 8 hours later it still hadn't. So I left my computer on through the night, and when I woke up this morning still no report had been generated. So I just closed the window. What should I do to get a ComboFix report for you?
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Have a look in C:\ComboFix for it
  • 0

#10
FutureWoWplayer

FutureWoWplayer

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
Okay I found it thanks. So here it is. Sorry for the delay.

__________________________________________________________________________________


ComboFix 08-05-12.1 - Christopher Wilson 2008-05-15 13:22:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.426 [GMT -7:00]
Running from: C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outlook
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\diskk.sys
C:\WINDOWS\system32\geBuRLcY.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\xxyvusrO.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DISKK
-------\Service_diskk


((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-15 12:53 . 2008-05-15 12:53 <DIR> d-------- C:\_OTMoveIt
2008-05-14 19:03 . 2008-05-14 19:03 <DIR> d-------- C:\Deckard
2008-05-13 06:35 . 2008-05-13 06:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 06:35 . 2008-05-13 06:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-05-09 08:44 . 2008-05-09 08:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 15:22 . 2008-05-08 16:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-08 14:38 . 2008-05-15 16:08 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-08 14:38 . 2008-05-08 14:38 <DIR> d-------- C:\Program Files\AVG
2008-05-08 14:38 . 2008-05-08 14:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-08 14:38 . 2008-05-08 14:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-08 14:38 . 2008-05-08 14:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-08 14:38 . 2008-05-08 14:38 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-08 14:38 . 2008-05-08 14:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-08 08:37 . 2008-05-08 12:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-08 02:39 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 02:39 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-08 02:09 . 2008-05-08 02:09 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-08 02:09 . 2008-05-08 02:09 <DIR> d-------- C:\Program Files\SwitchBlade
2008-05-07 23:57 . 2008-05-08 06:44 6,967 --ahs---- C:\WINDOWS\system32\xwHiSvut.ini
2008-05-07 23:41 . 2008-05-08 06:43 <DIR> d-------- C:\WINDOWS\system32\vdTMP
2008-05-07 23:41 . 2008-05-09 00:07 <DIR> d-------- C:\WINDOWS\system32\hNF
2008-05-07 23:41 . 2008-05-09 00:07 <DIR> d-------- C:\WINDOWS\system32\bkEur18
2008-05-07 23:41 . 2008-05-08 11:59 <DIR> d-------- C:\WINDOWS\system32\2033b
2008-05-07 23:41 . 2008-05-08 11:59 <DIR> d--hs---- C:\WINDOWS\Q2hyaXN0b3BoZXIgV2lsc29u
2008-05-07 23:41 . 2008-05-07 23:41 <DIR> d-------- C:\Temp\maxsv15
2008-04-18 18:30 . 2006-12-24 23:00 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-18 18:30 . 2006-12-24 23:00 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 11:03 --------- d-----w C:\Program Files\World of Warcraft
2008-05-09 02:46 --------- d-----w C:\Program Files\AIM6
2008-05-08 15:37 --------- d-----w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\SUPERAntiSpyware.com
2008-05-08 15:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 09:38 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-19 01:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 12:20 --------- d-----w C:\Program Files\LimeWire
2008-04-06 22:48 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\GRETECH
2008-04-02 20:57 --------- d-----w C:\Program Files\GRETECH
2008-04-02 20:57 --------- d-----w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\GRETECH
2007-04-20 21:06 17,920 ----a-w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\GDIPFONTCACHEV1.DAT
2007-04-02 20:02 167 ----a-w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\4170.bat
2005-05-09 10:33 56 --sh--r C:\WINDOWS\system32\5C60AE4C15.sys
2005-05-09 10:33 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
_________________________________________________________________________________

Just so you know, I'm learning a lot and I really appreciate it. I'm looking forward to the next step in this process.
  • 0



#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\xwHiSvut.ini

Folder::
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\bkEur18
C:\WINDOWS\system32\2033b
C:\WINDOWS\Q2hyaXN0b3BoZXIgV2lsc29u
C:\Temp\maxsv15

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Also post a new HijackThis log
  • 0

#12
FutureWoWplayer

FutureWoWplayer

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
Here is the first scan of my computer that you requested. It will be followed by my new HijackThis log. Thanks again for all the help. I look forward to the follow-up post. It's a great learning experience.

ComboFix 08-05-12.1 - Christopher Wilson 2008-05-19 10:24:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.425 [GMT -7:00]
Running from: C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\xwHiSvut.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\WINDOWS\Q2hyaXN0b3BoZXIgV2lsc29u
C:\WINDOWS\system32\2033b
C:\WINDOWS\system32\bkEur18
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\vdTMP
C:\WINDOWS\system32\xwHiSvut.ini
.
---- Previous Run -------
.
C:\Program Files\outlook
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\diskk.sys
C:\WINDOWS\system32\geBuRLcY.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\xxyvusrO.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DISKK
-------\Service_diskk


((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-15 12:53 . 2008-05-15 12:53 <DIR> d-------- C:\_OTMoveIt
2008-05-14 19:03 . 2008-05-14 19:03 <DIR> d-------- C:\Deckard
2008-05-13 06:35 . 2008-05-13 06:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 06:35 . 2008-05-13 06:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-05-09 08:44 . 2008-05-09 08:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 15:22 . 2008-05-08 16:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-08 14:38 . 2008-05-19 04:08 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-08 14:38 . 2008-05-08 14:38 <DIR> d-------- C:\Program Files\AVG
2008-05-08 14:38 . 2008-05-08 14:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-08 14:38 . 2008-05-08 14:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-08 14:38 . 2008-05-08 14:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-08 14:38 . 2008-05-08 14:38 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-08 14:38 . 2008-05-08 14:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-08 08:37 . 2008-05-08 12:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-08 02:39 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 02:39 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-08 02:09 . 2008-05-08 02:09 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-08 02:09 . 2008-05-08 02:09 <DIR> d-------- C:\Program Files\SwitchBlade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 11:03 --------- d-----w C:\Program Files\World of Warcraft
2008-05-09 02:46 --------- d-----w C:\Program Files\AIM6
2008-05-08 15:37 --------- d-----w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\SUPERAntiSpyware.com
2008-05-08 15:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 09:38 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-19 01:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 12:20 --------- d-----w C:\Program Files\LimeWire
2008-04-06 22:48 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\GRETECH
2008-04-02 20:57 --------- d-----w C:\Program Files\GRETECH
2008-04-02 20:57 --------- d-----w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\GRETECH
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-04-20 21:06 17,920 ----a-w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\GDIPFONTCACHEV1.DAT
2007-04-02 20:02 167 ----a-w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\4170.bat
2005-05-09 10:33 56 --sh--r C:\WINDOWS\system32\5C60AE4C15.sys
2005-05-09 10:33 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 860,160 2004-09-23 20:41:54 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4.exe

----a-w 1,388,544 2004-10-14 17:11:10 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

----a-w 94,208 2005-10-28 23:25:44 C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 49,152 2004-09-13 22:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 256,576 2006-10-30 17:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-12-11 20:10:26 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 11,776 2005-05-10 23:04:50 C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mimboot.exe
----a-w 8,192 2006-11-07 22:41:44 C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe

----a-w 155,648 2001-07-09 17:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-08 12:57 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-11-07 15:41 8192]
"dbar_starter"="C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-08 14:38 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
PKZIP Attachments Status.lnk - C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe [2008-01-26 12:11:56 169552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-08 12:57 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\536P3EV]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 00:07 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 00:19 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\K0pFROZsg]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security iGuard]
C:\Program Files\Security iGuard\Security iGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 04:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsFY]
c:\wp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-08 14:38]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-08 14:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-08 14:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-08 14:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-08 14:38]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 14:10:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 10:30:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-19 10:32:43
ComboFix-quarantined-files.txt 2008-05-19 17:32:14

Pre-Run: 50,144,591,872 bytes free
Post-Run: 50,263,629,824 bytes free

233 --- E O F --- 2008-05-17 02:51:46
  • 0
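The ComboFix log above has a "Reg Loading Points" section plus the Security Center and firewall-policy keys, and the helper reading it has to spot by eye things like autorun values with an empty `[ ]` (no size or timestamp recorded for the target), an empty command (`"Aim6"=""`), an executable sitting in the drive root under `msconfig\startupreg`, the `AntiVirusOverride`/`FirewallOverride` values set to 1, and `EnableFirewall` set to 0. The script below is an added example, not part of the thread and not a ComboFix or Geeks to Go tool: it parses a constructed log fragment written in the same shape as that section and returns those review prompts as findings. They are heuristics for a human to check, not malware verdicts; the regexes, `Finding` class and `triage()` function are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of ComboFix's "Reg Loading Points",
# Security Center and firewall-policy sections. Paths are made up; the
# value shapes ("[ ]", dword:00000001, "= 0 (0x0)") mirror what the tool prints.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dbar_starter"="C:\Documents and Settings\user\Application Data\Deskbar\starter.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsFY]
c:\wp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "name"="path" [metadata]  -- metadata is empty when no file size/timestamp was recorded
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')
INT_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$')
# an .exe directly in a drive root, e.g. c:\something.exe
ROOT_EXE = re.compile(r'^[A-Za-z]:\\[^\\]+\.exe$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    check: str      # short tag for the heuristic that fired
    section: str    # registry key the line was found under
    detail: str     # the value or path to look at


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line, remembering the current [section] key,
    and emit one Finding per review prompt. Nothing here decides that an
    entry is malicious; it only points a reviewer at what to verify."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("key")
            continue
        low = section.lower()

        m = RUN_VALUE.match(line)
        if m and low.endswith("\\currentversion\\run"):
            name, path, meta = m.group("name"), m.group("path"), m.group("meta").strip()
            if not path:
                findings.append(Finding("empty-autorun", section, f"{name}: value has no command"))
            elif not meta:
                findings.append(Finding("unverified-target", section,
                                        f"{name}: {path} (no size/timestamp recorded for the file)"))
            continue

        if "\\msconfig\\startupreg\\" in low and ROOT_EXE.match(line):
            findings.append(Finding("root-exe-autorun", section, line))
            continue

        m = DWORD_VALUE.match(line)
        if (m and low.endswith("\\security center")
                and m.group("name").endswith("Override") and int(m.group("hex"), 16) == 1):
            findings.append(Finding("securitycenter-override", section, m.group("name")))
            continue

        m = INT_VALUE.match(line)
        if (m and low.endswith("\\standardprofile")
                and m.group("name") == "EnableFirewall" and m.group("val") == "0"):
            findings.append(Finding("firewall-disabled", section, "EnableFirewall=0"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check:24} {f.detail}")
```

Run it on a real ComboFix.txt by reading the file into `triage()`; the value regexes only match the line shapes shown, so unfamiliar lines are silently skipped rather than misreported.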

#13
FutureWoWplayer

FutureWoWplayer

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
Here is the new HijackThis log that you requested as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:42 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PhilipsDM] C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7473 bytes
  • 0
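As an added example (not code from this thread, from HijackThis or from ComboFix), a small Python triage pass over the kinds of HijackThis lines posted above: it parses O4 Run entries, O10 Winsock LSP lines and O23 service lines and lists the ones a helper would check first. The sample lines are copied from the log above; the flagging heuristics are my own and only mark entries for manual verification, not as malicious.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line shapes HijackThis 2.0 uses for Run keys, unknown Winsock LSPs and services.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*?)(?: \(User '[^']*'\))?$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

@dataclass
class Finding:
    section: str   # HijackThis section (O4, O10, O23)
    name: str      # Run value name, service name, or "Winsock LSP"
    path: str      # binary the entry points at
    reason: str    # why a helper would look at it first

def executable_of(cmd: str) -> str:
    """Program path from a Run-key command line: quoted path verbatim, else up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", cmd)   # handles unquoted paths containing spaces
    return m.group(1) if m else cmd.split()[0]

def triage(log_text: str) -> List[Finding]:
    """Return entries worth a second look; nothing here is judged malicious by itself."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            exe = executable_of(cmd)
            if "\\application data\\" in exe.lower():   # user-writable profile folder, not Program Files
                findings.append(Finding("O4", name, exe, "autostart runs from a per-user Application Data folder"))
            if hive.startswith("HKUS\\"):              # Run value in the SYSTEM or Default user hive
                findings.append(Finding("O4", name, exe, f"autostart registered under {hive}"))
        elif m := LSP_RE.match(line):
            findings.append(Finding("O10", "Winsock LSP", m.group(1), "LSP not in HijackThis' known list; confirm publisher"))
        elif m := SVC_RE.match(line):
            name, owner, path = m.groups()
            if owner.lower() == "unknown owner":
                findings.append(Finding("O23", name, path, "service binary carries no publisher name; verify it"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<16}{f.reason}\n    {f.path}")
```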

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\wp.exe

AWF::
C:\Program Files\Analog Devices\SoundMAX\bak\SMax4.exe
C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mimboot.exe
C:\WINDOWS\system32\bak\NeroCheck.exe


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\536P3EV]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\K0pFROZsg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsFY]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also post a new HijackThis log
  • 0

#15
FutureWoWplayer

FutureWoWplayer

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
Here is the new log you requested. I'll follow this post with another hijackthis log:

ComboFix 08-05-12.1 - Christopher Wilson 2008-05-20 10:19:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.497 [GMT -7:00]
Running from: C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\wp.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-15 12:53 . 2008-05-15 12:53 <DIR> d-------- C:\_OTMoveIt
2008-05-14 19:03 . 2008-05-14 19:03 <DIR> d-------- C:\Deckard
2008-05-13 06:35 . 2008-05-13 06:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 06:35 . 2008-05-13 06:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-05-09 08:44 . 2008-05-09 08:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 15:22 . 2008-05-08 16:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-08 14:38 . 2008-05-20 09:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-08 14:38 . 2008-05-08 14:38 <DIR> d-------- C:\Program Files\AVG
2008-05-08 14:38 . 2008-05-08 14:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-08 14:38 . 2008-05-08 14:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-08 14:38 . 2008-05-08 14:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-08 14:38 . 2008-05-08 14:38 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-08 14:38 . 2008-05-08 14:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-08 08:37 . 2008-05-08 12:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Malwarebytes
2008-05-08 02:39 . 2008-05-08 02:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-08 02:39 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 02:39 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-08 02:09 . 2008-05-08 02:09 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-08 02:09 . 2008-05-08 02:09 <DIR> d-------- C:\Program Files\SwitchBlade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 17:31 --------- d-----w C:\Program Files\iTunes
2008-05-15 11:03 --------- d-----w C:\Program Files\World of Warcraft
2008-05-09 02:46 --------- d-----w C:\Program Files\AIM6
2008-05-08 15:37 --------- d-----w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\SUPERAntiSpyware.com
2008-05-08 15:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 09:38 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-19 01:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 12:20 --------- d-----w C:\Program Files\LimeWire
2008-04-06 22:48 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\GRETECH
2008-04-02 20:57 --------- d-----w C:\Program Files\GRETECH
2008-04-02 20:57 --------- d-----w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\GRETECH
2007-04-20 21:06 17,920 ----a-w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\GDIPFONTCACHEV1.DAT
2007-04-02 20:02 167 ----a-w C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\4170.bat
2005-05-09 10:33 56 --sh--r C:\WINDOWS\system32\5C60AE4C15.sys
2005-05-09 10:33 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_10.31.37.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 09:13:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 17:26:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-07-09 17:50:42 155,648 ----a-w C:\WINDOWS\system32\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-08 12:57 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-05-10 16:04 11776]
"dbar_starter"="C:\Documents and Settings\Christopher Wilson.N-IJ3WI4B7CPVTQ\Application Data\Deskbar_{4FD1B5A4-2C17-4f29-9951-82D5F1D4A8F6}\starter.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-08 14:38 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 13:32 8699904]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
PKZIP Attachments Status.lnk - C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe [2008-01-26 12:11:56 169552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-08 12:57 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 00:07 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-04-07 00:19 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-05-10 16:04 11776 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security iGuard]
C:\Program Files\Security iGuard\Security iGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-23 13:41 860160 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 10:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 04:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-08 14:38]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-08 14:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-08 14:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-08 14:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-08 14:38]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 14:10:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 10:32:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
.
**************************************************************************
.
Completion time: 2008-05-20 10:41:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 17:40:51
ComboFix2.txt 2008-05-19 17:32:44

Pre-Run: 50,251,821,056 bytes free
Post-Run: 50,240,827,392 bytes free

201 --- E O F --- 2008-05-17 02:51:46
  • 0
