Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TR.Crypt.KPM & various others [RESOLVED]


  • This topic is locked This topic is locked

#16
tylerc

tylerc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
VUNDO:

VundoFix V7.0.3

Scan started at 10:10:39 AM 5/19/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqNGVpm.dll
C:\WINDOWS\system32\ssqNGVpm.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqNGVpm.dll
C:\WINDOWS\system32\ssqNGVpm.dll Could not be deleted.

Performing Repairs to the registry.
Done!


As you can see, I tried a few times to delete ssqNGVpm.dll to no avail.

-------------------

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:47 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Charley\Desktop\HijackThis.exe

O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ssqNGVpm.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Charley\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: ssqNGVpm - C:\WINDOWS\SYSTEM32\ssqNGVpm.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4688 bytes
  • 0

Advertisements


#17
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hi

Please re-open HiJackThis and choose Do a system scan only.
Check the boxes next to ONLY the entries listed below,"if still present":

O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ssqNGVpm.dll
O20 - Winlogon Notify: ssqNGVpm - C:\WINDOWS\SYSTEM32\ssqNGVpm.dll
Then close all windows except HijackThis and click on Posted Image button.



Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
C:\WINDOWS\SYSTEM32\ssqNGVpm.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#18
tylerc

tylerc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
AVENGER.TXT

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue May 20 09:30:15 2008

//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

---------------------------------------------------

MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Charley on 2008-05-20 09:34:13
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
15: 2008-05-14 17:42:22 UTC - RP371 - Avira AntiVir Personal - 5/14/2008 12:42
14: 2008-05-13 18:26:20 UTC - RP370 - System Checkpoint
13: 2008-05-12 17:26:21 UTC - RP369 - System Checkpoint
12: 2008-05-11 17:20:16 UTC - RP368 - Last known good configuration
11: 2008-05-11 17:20:13 UTC - RP367 - System Checkpoint


-- First Restore Point --
1: 2008-05-11 17:20:12 UTC - RP357 - Installed Java™ 6 Update 5


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 10.16 GiB (less than 15%) free.


-- HijackThis (run as Charley.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:29 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Charley\Desktop\dss.exe
C:\DOCUME~1\Charley\Desktop\Charley.exe

O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ssqNGVpm.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Charley\Desktop\vundofix.exe"
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: ssqNGVpm - C:\WINDOWS\SYSTEM32\ssqNGVpm.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4737 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Charley\Desktop\backups\) -------------

backup-20080516-105553-206 O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
backup-20080516-105553-217 O4 - HKLM\..\Run: [BMe797d3c7] Rundll32.exe "C:\WINDOWS\system32\wektjiwp.dll",s
backup-20080516-105553-295 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080516-105553-392 O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
backup-20080516-105553-486 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
backup-20080516-105553-931 O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080516-105553-996 O4 - HKLM\..\Run: [e4a4e05b] rundll32.exe "C:\WINDOWS\system32\vxqddgqi.dll",b
backup-20080517-104656-287 O2 - BHO: (no name) - {528FC610-B6C4-4EC1-A97B-A50F5DE41462} - C:\WINDOWS\system32\qoMeFvtt.dll
backup-20080517-104656-610 O20 - Winlogon Notify: ssqNGVpm - C:\WINDOWS\SYSTEM32\ssqNGVpm.dll
backup-20080517-104656-628 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
backup-20080517-104656-830 O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ssqNGVpm.dll
backup-20080519-105451-238 O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ssqNGVpm.dll
backup-20080519-105451-321 O2 - BHO: {d0f72e89-d5c3-ddc8-f684-dfd1601f6be6} - {6eb6f106-1dfd-486f-8cdd-3c5d98e27f0d} - C:\WINDOWS\system32\vptlmbhq.dll
backup-20080519-105451-413 O20 - Winlogon Notify: ssqNGVpm - C:\WINDOWS\SYSTEM32\ssqNGVpm.dll
backup-20080520-092925-639 O20 - Winlogon Notify: ssqNGVpm - C:\WINDOWS\SYSTEM32\ssqNGVpm.dll
backup-20080520-092925-922 O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ssqNGVpm.dll

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S1 ip6fww - c:\windows\system32\drivers\ip6fww.sys
S2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.0.1>
S3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
S3 gdrv - c:\windows\gdrv.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 ossrv (Creative OS Services Driver) - c:\windows\system32\drivers\ctoss2k.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2008-05-20 09:30:28 135168 --a------ C:\zip.exe
2008-05-20 09:30:28 19286 --a------ C:\cleanup.exe
2008-05-20 09:30:28 574 --a------ C:\cleanup.bat
2008-05-19 10:10:39 0 d-------- C:\VundoFix Backups
2008-05-16 13:32:11 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 13:32:11 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 13:32:11 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 13:32:11 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 13:32:11 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 13:32:11 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 13:32:11 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 13:32:11 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 13:32:11 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 13:32:11 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 13:32:11 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 13:32:11 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 13:32:11 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-16 13:32:10 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-14 14:38:44 1208980 --ahs---- C:\WINDOWS\system32\ttvFeMoq.ini2
2008-05-14 12:42:43 0 d-------- C:\Program Files\Avira
2008-05-14 12:42:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-14 11:36:43 0 d-------- C:\Autoruns
2008-05-11 12:25:21 15360 --a------ C:\WINDOWS\voiceip.dll
2008-05-11 12:25:21 11776 --a------ C:\WINDOWS\swin32.dll
2008-05-11 12:25:21 14592 --a------ C:\WINDOWS\stcloader.exe
2008-05-11 12:25:21 24832 --a------ C:\WINDOWS\cdsm32.dll
2008-05-11 12:25:20 21504 --a------ C:\WINDOWS\mssvr.exe
2008-05-11 12:25:20 8448 --a------ C:\WINDOWS\mspphe.dll
2008-05-11 12:25:20 8960 --a------ C:\WINDOWS\bokja.exe
2008-05-11 12:25:20 12288 --a------ C:\WINDOWS\bjam.dll
2008-05-11 12:25:20 31744 --a------ C:\WINDOWS\2020search2.dll
2008-05-11 12:25:20 24576 --a------ C:\WINDOWS\2020search.dll
2008-05-11 12:25:15 22528 --a------ C:\WINDOWS\saiemod.dll
2008-05-11 12:25:14 32000 --a------ C:\WINDOWS\msapasrc.dll
2008-05-11 12:25:14 13568 --a------ C:\WINDOWS\msa64chk.dll
2008-05-11 12:25:13 25600 --a------ C:\WINDOWS\shdocpl.dll
2008-05-11 12:25:13 29952 --a------ C:\WINDOWS\shdocpe.dll
2008-05-11 12:25:13 11264 --a------ C:\WINDOWS\ntnut.exe
2008-05-11 12:25:12 19200 --a------ C:\WINDOWS\winsb.dll
2008-05-11 12:25:12 11264 --a------ C:\WINDOWS\browserad.dll
2008-05-11 12:25:12 20736 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-11 12:25:12 30208 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-11 12:25:11 30464 --a------ C:\WINDOWS\avifile32.dll
2008-05-11 12:25:11 22272 --a------ C:\WINDOWS\autodisc32.dll
2008-05-11 12:25:11 26368 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-11 12:25:10 25088 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-11 12:25:10 23296 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-11 12:25:10 14848 --a------ C:\WINDOWS\athprxy32.dll
2008-05-11 12:25:10 30720 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-11 12:25:09 14848 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-11 12:25:09 27648 --a------ C:\WINDOWS\asferror32.dll
2008-05-11 12:25:09 31488 --a------ C:\WINDOWS\apphelp32.dll
2008-05-11 12:20:02 8982 --ahs---- C:\WINDOWS\system32\MoXENqru.ini2
2008-05-11 12:17:22 0 d-------- C:\WINDOWS\system32\spoolX
2008-05-11 12:17:22 86144 --a------ C:\WINDOWS\system32\drivers\ip6fww.sys
2008-05-11 12:17:09 0 d-------- C:\WINDOWS\system32\winRem
2008-05-11 12:17:09 0 d-------- C:\WINDOWS\system32\MUI2
2008-05-11 12:16:16 0 d-------- C:\WINDOWS\system32\1036a
2008-05-11 12:16:14 0 d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 12:16:14 0 d-------- C:\Temp
2008-05-11 12:15:51 0 d-------- C:\Program Files\Common Files\s?stem32
2008-05-11 12:15:12 0 d-------- C:\Documents and Settings\Charley\Application Data\??curity
2008-05-11 12:14:54 25728 -----n--- C:\WINDOWS\system32\ssqNGVpm.dll
2008-05-11 12:14:52 0 d-------- C:\Program Files\QdrDrive
2008-05-11 12:14:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-11 12:14:22 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-11 12:14:20 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-09 12:10:10 229514 --a------ C:\WINDOWS\system32\000080.exe
2008-05-03 11:48:00 270709 --a------ C:\WINDOWS\system32\000060.exe
2008-04-21 17:21:33 0 d-------- C:\Program Files\FriendBlasterPro


-- Find3M Report ---------------------------------------------------------------

2008-05-17 10:44:45 0 d-------- C:\Documents and Settings\Charley\Application Data\Viewpoint
2008-05-11 12:33:09 0 d-------- C:\Program Files\Common Files
2008-05-11 12:21:25 0 d-------- C:\Documents and Settings\Charley\Application Data\Azureus
2008-05-11 12:15:51 0 d-------- C:\Program Files\Common Files\s?stem32
2008-05-11 12:15:12 0 d-------- C:\Documents and Settings\Charley\Application Data\??curity
2008-05-09 00:47:02 86896 --a------ C:\Documents and Settings\Charley\Application Data\GDIPFONTCACHEV1.DAT
2008-05-01 02:34:28 0 d-------- C:\Program Files\Soulseek
2008-04-29 11:56:59 0 d-------- C:\Program Files\Java
2008-04-27 22:29:22 0 d-------- C:\Documents and Settings\Charley\Application Data\Adobe
2008-04-19 15:18:28 0 d-------- C:\Program Files\Azureus
2008-04-12 12:39:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-10 20:36:16 0 d-------- C:\Program Files\NaturalSoft
2008-03-25 23:26:56 0 d-------- C:\Program Files\exPressit S.E. 2.2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
05/11/2008 12:14 PM 25728 --------- C:\WINDOWS\system32\ssqNGVpm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [05/16/2006 05:04 AM C:\WINDOWS\SkyTel.exe]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [07/12/2006 04:58 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [05/10/2006 12:12 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 01:37 PM]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [04/12/2006 04:15 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [11/21/2006 12:38 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/21/2006 03:56 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 AM C:\WINDOWS\Alcmtr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 05:50 AM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 10:11 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"DeltTray"="DeltTray.exe" [12/06/2002 11:19 AM C:\WINDOWS\system32\delttray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 11:15 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"VundoFix"="C:\Documents and Settings\Charley\Desktop\vundofix.exe"
"Cleanup"=C:\cleanup.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/8/2007 11:55:59 PM]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
"NoFolderOptions"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"=00000000
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1
"NoActiveDesktopChanges"=00000000
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\ssqNGVpm.dll [05/11/2008 12:14 PM 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 01/31/2005 03:13 PM 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNGVpm]
ssqNGVpm.dll 05/11/2008 12:14 PM 25728 C:\WINDOWS\system32\ssqNGVpm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqNEXoM


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6ac491-931b-11db-9d64-806d6172696f}]
AutoRun\command- D:\Run.exe




-- End of Deckard's System Scanner: finished at 2008-05-20 09:36:58 ------------

-------------------------------------------------------

EXTRA.TXT

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6600 @ 2.40GHz
CPU 1: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 13%
Physical Memory (total/avail): 2046.42 MiB / 1764.62 MiB
Pagefile Memory (total/avail): 3942.34 MiB / 3857.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.17 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 298.09 GiB total, 10.16 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SATA WD C WD3200 SCSI Disk Device - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition v8.0.1.15 (Avira GmbH)
AV: avast! antivirus 4.8.1169 [VPS 080514-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Soulseek\\slsk.exe"="F:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:aim6"
"F:\\Program Files\\Azureus\\Azureus.exe"="F:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:RTC App Sharing"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Charley\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTEROFDOOM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Charley
LOGONSERVER=\\COMPUTEROFDOOM
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Charley\LOCALS~1\Temp
TMP=C:\DOCUME~1\Charley\LOCALS~1\Temp
USERDOMAIN=COMPUTEROFDOOM
USERNAME=Charley
USERPROFILE=C:\Documents and Settings\Charley
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Charley (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ableton Live v5.0.3 --> C:\PROGRA~1\Ableton\LIVE50~1.3\UNWISE.EXE C:\PROGRA~1\Ableton\LIVE50~1.3\INSTALL.LOG
Acronis Disk Director Suite --> MsiExec.exe /X{2300EE96-0A41-4FAB-BD03-989EC44577A0}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Ahead Nero - Burning Rom --> C:\WINDOWS\UNNERO.exe /UNINSTALL
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Alcohol Toolbar --> "C:\WINDOWS\Alcohol_Toolbar_Uninstaller_7484.exe" _?=C:\Program Files\Alcohol Toolbar
Antares Autotune DX v4.12 --> C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\AUTOTU~1\ANTARE~1\UNWISE.EXE C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\AUTOTU~1\ANTARE~1\INSTALL.LOG
Antares Tube v1.0 --> C:\PROGRA~1\Antares\TUBEUN~1\UNWISE.EXE C:\PROGRA~1\Antares\TUBEUN~1\INSTALL.LOG
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{EB8BF0E1-640D-44C6-A8F2-5DD7054074F1}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Avery DesignPro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CC982C0-7EAE-11D4-ACC3-0050568AD318}\setup.exe" -l0x9 -uninst
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BassStation --> MsiExec.exe /I{18D03DE2-D142-4A6C-B346-2FA7C8D76A57}
dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
DesktopX --> C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\INSTALL.LOG
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Edirol HQ Orchestral v1.01 --> C:\PROGRA~1\Edirol\ORCHES~1\UNWISE.EXE C:\PROGRA~1\Edirol\ORCHES~1\INSTALL.LOG
Edirol SuperQuartet v1.5 --> C:\PROGRA~1\Edirol\SUPERQ~1\UNWISE.EXE C:\PROGRA~1\Edirol\SUPERQ~1\INSTALL.LOG
eMusic - 50 Free MP3 offer --> "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
exPressit S.E. 2.2 --> "C:\Program Files\exPressit S.E. 2.2\UninstallerData\Uninstall exPressit S.E. 2.2.exe"
FL Studio 5 --> C:\Program Files\Image-Line\FLStudio5\uninstall.exe
FL Studio 7 --> C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
Free Natural Text to Speech Reader 2007 --> MsiExec.exe /I{3E5DA526-F420-45A6-9F27-D2B5246D6823}
Gigabyte Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
GMedia Music impOSCar VSTi v1.0.0.1 --> C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\UNINST~1\UNWISE.EXE C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\UNINST~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Documents and Settings\Charley\Desktop\HijackThis.exe" /uninstall
hp officejet v series --> MsiExec.exe /X{48FCCE4F-9D37-41BA-92C1-17BF5CFAA347}
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" --MAIN -l9
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
JetShell PRO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1826E565-D493-4B93-9031-D3667B340E80}\setup.exe" -l0x9
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
Live 6.0.10 --> C:\PROGRA~1\Ableton\LIVE60~1.10\Install\UNWISE.EXE C:\PROGRA~1\Ableton\LIVE60~1.10\Install\INSTALL.LOG
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
N.I Pro-53 v3.0-OxYGeN --> C:\PROGRA~1\Pro-53\UNWISE.EXE C:\PROGRA~1\Pro-53\INSTALL.LOG
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS --> C:\PROGRA~1\NATIVE~1\Massive\UNWISE.EXE C:\PROGRA~1\NATIVE~1\Massive\INSTALL.LOG
Nero 7 Premium --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
Nomad Factory Blue Tubes Bundle v2.0 --> C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\NOMADF~1\BLUETU~1\NOMADF~1\UNWISE.EXE C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\NOMADF~1\BLUETU~1\NOMADF~1\INSTALL.LOG
Ohm Force OhmBoyz VST2 v1.03 PRO --> C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\OHMFOR~1\OHMBOY~1\UNWISE.EXE C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\OHMFOR~1\OHMBOY~1\OhmBoyzVST2_103.log
Online Community Suite 2.0 --> C:\Program Files\oCommunitySuite-2.0\uninstall.exe
Palm --> MsiExec.exe /X{A005B38F-D5AB-4E35-93DD-9886E449FAF1}
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
RingCare Desktop 1.1.6 --> "C:\Program Files\RingCare Desktop\unins000.exe"
River Past Audio Converter Pro --> C:\WINDOWS\Audio Converter Pro Uninstaller.exe
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP Client 2.5 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 2.5 Setup Files\uninst-sftp.exe
Sony Sound Forge 8.0 --> MsiExec.exe /X{767572FD-4D01-4FA3-B0A6-4B09FB2CFC37}
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
Space Station --> "C:\Program Files\Space Station\unins000.exe"
Synth1 --> "C:\Program Files\Synth1\setup.exe" /u
TBL BassLine v1.3 VSTi --> C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\TBLBAS~1\UNWISE.EXE C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\TBLBAS~1\INSTALL.LOG
V-Station --> C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\UNWISE.EXE C:\PROGRA~1\IMAGE-~1\FLSTUD~1\Plugins\VST\VSTPLU~1\INSTALL.LOG
Vanguard Demo 1.2 --> "C:\Program Files\Vanguard\unins000.exe"
VAZ 2001 v1.01 --> C:\PROGRA~1\VAZ200~1\UNWISE.EXE C:\PROGRA~1\VAZ200~1\INSTALL.LOG
Waves Gold Processors 3.5 --> C:\PROGRA~1\Waves\WAVES3~1\UNWISE.EXE C:\PROGRA~1\Waves\WAVES3~1\INSTALL.LOG
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
winvi (remove only) --> "C:\Program Files\winvi\uninst.exe"
X5 User's Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21CB7553-5A17-441E-B208-29690EB99F66}\setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type9057 / Error
Event Submitted/Written: 05/20/2008 09:36:35 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type9056 / Error
Event Submitted/Written: 05/20/2008 09:36:35 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The server name or address could not be resolved

Event Record #/Type9054 / Error
Event Submitted/Written: 05/19/2008 11:06:43 AM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.

Event Record #/Type9052 / Error
Event Submitted/Written: 05/19/2008 11:01:24 AM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.

Event Record #/Type9050 / Error
Event Submitted/Written: 05/19/2008 10:57:38 AM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18349 / Error
Event Submitted/Written: 05/20/2008 09:33:12 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswSP
aswTdi
avgio
avipbb
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
ssmdrv
Tcpip

Event Record #/Type18348 / Error
Event Submitted/Written: 05/20/2008 09:33:12 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type18347 / Error
Event Submitted/Written: 05/20/2008 09:33:12 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Event Record #/Type18346 / Error
Event Submitted/Written: 05/20/2008 09:33:12 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Event Record #/Type18345 / Error
Event Submitted/Written: 05/20/2008 09:33:12 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-05-20 09:36:58 ------------


----------------------------------------------------

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:44 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Nero\Nero 7\Core\nero.exe
C:\Documents and Settings\Charley\Desktop\HijackThis.exe

O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ssqNGVpm.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Charley\Desktop\vundofix.exe"
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: ssqNGVpm - C:\WINDOWS\SYSTEM32\ssqNGVpm.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4771 bytes
  • 0

#19
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hi, your computer its badly infected :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2


Reboot your computer on into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

Lets run the Combofix:
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll


  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
  • 0

#20
tylerc

tylerc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
ssqNGVpm.dll is finally gone, hopefully that means we've made some progress :)


COMBOFIX.TXT:

ComboFix 08-05-20.1 - Charley 2008-05-20 17:14:32.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1757 [GMT -5:00]
Running from: C:\Documents and Settings\Charley\desktop\ComboFix.exe
Command switches used :: /KillAll

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Charley\Application Data\CURITY~1
C:\Documents and Settings\Charley\Application Data\CURITY~1\??curity\
C:\Documents and Settings\Charley\Application Data\CURITY~1\cmd.exe
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\sstem3~1\s?anregw.exe
C:\Program Files\QdrDrive
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\drivers\ip6fww.sys
C:\WINDOWS\system32\iqgddqxv.ini
C:\WINDOWS\system32\MoXENqru.ini
C:\WINDOWS\system32\MoXENqru.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\ssqNGVpm.dll
C:\WINDOWS\system32\ttvFeMoq.ini
C:\WINDOWS\system32\ttvFeMoq.ini2
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IP6FWW
-------\Service_ip6fww


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 09:33 . 2008-05-20 09:33 <DIR> d-------- C:\Deckard
2008-05-20 09:30 . 2008-05-20 09:30 135,168 --a------ C:\zip.exe
2008-05-20 09:30 . 2008-05-20 09:30 19,286 --a------ C:\cleanup.exe
2008-05-20 09:30 . 2008-05-20 09:30 574 --a------ C:\cleanup.bat
2008-05-19 10:10 . 2008-05-19 10:10 <DIR> d-------- C:\VundoFix Backups
2008-05-16 13:32 . 2008-05-16 13:32 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-16 13:16 . 2008-05-16 13:16 <DIR> d-------- C:\_OTMoveIt
2008-05-14 14:39 . 2008-05-14 16:28 109,816 --a------ C:\WINDOWS\BMe797d3c7.xml
2008-05-14 12:42 . 2008-05-14 12:42 <DIR> d-------- C:\Program Files\Avira
2008-05-14 12:42 . 2008-05-14 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-14 11:36 . 2008-05-14 11:36 <DIR> d-------- C:\Autoruns
2008-05-11 12:17 . 2008-05-11 12:17 <DIR> d-------- C:\WINDOWS\system32\winRem
2008-05-11 12:17 . 2008-05-11 12:17 <DIR> d-------- C:\WINDOWS\system32\spoolX
2008-05-11 12:17 . 2008-05-11 12:17 <DIR> d-------- C:\WINDOWS\system32\MUI2
2008-05-11 12:17 . 2008-05-11 12:17 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-11 12:16 . 2008-05-11 12:16 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 12:16 . 2008-05-11 12:17 <DIR> d-------- C:\WINDOWS\system32\1036a
2008-05-11 12:16 . 2008-05-11 12:16 <DIR> d-------- C:\Temp\tmpvc14
2008-05-11 12:16 . 2008-05-20 17:15 <DIR> d-------- C:\Temp
2008-05-11 12:16 . 2008-05-11 12:16 493,862 --a------ C:\Temp\dUbc1002.exe
2008-05-09 17:48 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-09 17:48 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-04-21 17:21 . 2008-05-11 12:16 <DIR> d-------- C:\Program Files\FriendBlasterPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 15:44 --------- d-----w C:\Documents and Settings\Charley\Application Data\Viewpoint
2008-05-11 17:21 --------- d-----w C:\Documents and Settings\Charley\Application Data\Azureus
2008-05-09 05:47 86,896 ----a-w C:\Documents and Settings\Charley\Application Data\GDIPFONTCACHEV1.DAT
2008-05-01 07:34 --------- d-----w C:\Program Files\Soulseek
2008-04-29 16:56 --------- d-----w C:\Program Files\Java
2008-04-19 20:18 --------- d-----w C:\Program Files\Azureus
2008-04-12 17:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 01:36 --------- d-----w C:\Program Files\NaturalSoft
2008-03-26 04:26 --------- d-----w C:\Program Files\exPressit S.E. 2.2
2004-08-04 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 05:04 2879488 C:\WINDOWS\SkyTel.exe]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 04:58 356352]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 12:12 90112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 13:37 79224]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 16:15 1261475]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 12:38 35328]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 03:56 16261632 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 05:50 155648]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 10:11 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57 282624]
"DeltTray"="DeltTray.exe" [2002-12-06 11:19 56320 C:\WINDOWS\system32\delttray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\cleanup.exe" [2008-05-20 09:30 19286]
"GrpConv"="grpconv -o" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-08 23:55:59 113664]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"= 00000000
"NoActiveDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64781:TCP"= 64781:TCP:Azureus
"64781:UDP"= 64781:UDP:Azureus

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2006-12-29 12:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6ac491-931b-11db-9d64-806d6172696f}]
\Shell\AutoRun\command - D:\Run.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 17:20:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\stardock\SDMCP.exe
.
**************************************************************************
.
Completion time: 2008-05-20 17:31:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 22:31:09

Pre-Run: 10,860,314,624 bytes free
Post-Run: 10,820,083,712 bytes free

202 --- E O F --- 2008-04-18 18:38:32


-------------------------------------------------------------

HIJACKTHIS.TXT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32, on 2008-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Charley\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4723 bytes
  • 0

#21
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hi tylerc,

Much better! :)


Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Azureus).
These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and
you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Temp\dUbc1002.exe
Folder::
C:\WINDOWS\system32\winRem
C:\WINDOWS\system32\spoolX
C:\WINDOWS\system32\MUI2
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\1036a
C:\Temp\tmpvc14
C:\Documents and Settings\Charley\Application Data\Viewpoint
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6ac491-931b-11db-9d64-806d6172696f}]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note:Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • 0

#22
tylerc

tylerc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
COMBOFIX:

ComboFix 08-05-20.1 - Charley 2008-05-21 7:39:46.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1727 [GMT -5:00]
Running from: C:\Documents and Settings\Charley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charley\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Temp\dUbc1002.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Charley\Application Data\Viewpoint
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1018872981.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-26751412.mtz
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\416055122.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1860458717.mts
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1054459834.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1743403442.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1991437604.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-33400662.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\407034558.ini
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-1850579979.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\2089844584.swf
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\Charley\Application Data\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\Temp\dUbc1002.exe
C:\Temp\tmpvc14
C:\Temp\tmpvc14\dllvc.log
C:\WINDOWS\system32\1036a
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\dFrnx06\dFrnx061083.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\MUI2
C:\WINDOWS\system32\MUI2\GI-dot4c.exe
C:\WINDOWS\system32\spoolX
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe
C:\WINDOWS\system32\winRem

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 09:33 . 2008-05-20 09:33 <DIR> d-------- C:\Deckard
2008-05-19 10:10 . 2008-05-19 10:10 <DIR> d-------- C:\VundoFix Backups
2008-05-16 13:32 . 2008-05-16 13:32 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-16 13:16 . 2008-05-16 13:16 <DIR> d-------- C:\_OTMoveIt
2008-05-14 14:39 . 2008-05-14 16:28 109,816 --a------ C:\WINDOWS\BMe797d3c7.xml
2008-05-14 12:42 . 2008-05-14 12:42 <DIR> d-------- C:\Program Files\Avira
2008-05-14 12:42 . 2008-05-14 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-14 11:36 . 2008-05-14 11:36 <DIR> d-------- C:\Autoruns
2008-05-11 12:16 . 2008-05-21 07:39 <DIR> d-------- C:\Temp
2008-05-09 17:48 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-09 17:48 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-04-21 17:21 . 2008-05-11 12:16 <DIR> d-------- C:\Program Files\FriendBlasterPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 17:21 --------- d-----w C:\Documents and Settings\Charley\Application Data\Azureus
2008-05-09 05:47 86,896 ----a-w C:\Documents and Settings\Charley\Application Data\GDIPFONTCACHEV1.DAT
2008-05-01 07:34 --------- d-----w C:\Program Files\Soulseek
2008-04-29 16:56 --------- d-----w C:\Program Files\Java
2008-04-19 20:18 --------- d-----w C:\Program Files\Azureus
2008-04-12 17:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 01:36 --------- d-----w C:\Program Files\NaturalSoft
2008-03-26 04:26 --------- d-----w C:\Program Files\exPressit S.E. 2.2
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2004-08-04 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 05:04 2879488 C:\WINDOWS\SkyTel.exe]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 04:58 356352]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 12:12 90112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 13:37 79224]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 16:15 1261475]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 12:38 35328]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 03:56 16261632 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 05:50 155648]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 10:11 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57 282624]
"DeltTray"="DeltTray.exe" [2002-12-06 11:19 56320 C:\WINDOWS\system32\delttray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-08 23:55:59 113664]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"= 00000000
"NoActiveDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64781:TCP"= 64781:TCP:Azureus
"64781:UDP"= 64781:UDP:Azureus

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2006-12-29 12:30]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 07:40:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 7:41:11
ComboFix-quarantined-files.txt 2008-05-21 12:41:07
ComboFix2.txt 2008-05-20 22:31:12

Pre-Run: 10,832,556,032 bytes free
Post-Run: 10,816,229,376 bytes free

147 --- E O F --- 2008-04-18 18:38:32

-------------------------------------------------------------------------------

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:48, on 2008-05-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Charley\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4738 bytes
  • 0

#23
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Good job, yours logs are clean :)

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Posted Image



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read the TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Glad i was able to help and please let me know if you still need assistence.Posted Image
  • 0

#24
tylerc

tylerc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Excellent, thanks so much. I really appreciate the help :)


I won't be able to enjoy it until I get this hardware error sorted tho. Any idea who I should talk to or where I should go to get it figured out??
  • 0

#25
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts

Excellent, thanks so much. I really appreciate the help :)

I won't be able to enjoy it until I get this hardware error sorted tho. Any idea who I should talk to or where I should go to get it figured out??

You'r welcome.

Please look for help on [rul=http://www.geekstogo.com/forum/Windows-Vista-f79.html]Windows Vista™ [/url] forum. Im sure there are excelent guys who can help you :)
  • 0

Advertisements


#26
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP