Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Computer Running Slow


  • Please log in to reply

#1
suddsy

suddsy

    Member

  • Member
  • PipPip
  • 12 posts
I have run adware and removed a number of spyware programs but problems are still occuring. Please find the hijackthis log below
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:52 PM, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\Pat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mdg.ca/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {67306587-84F9-4D52-8D36-1BA169233BE0} - C:\WINDOWS\system32\rqRKDvsS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {db7fb798-41f0-ee09-da84-14b9d8fd46ca} - {ac64df8d-9b41-48ad-90ee-0f14897bf7bd} - C:\WINDOWS\system32\iobysjeo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [800eeeff] rundll32.exe "C:\WINDOWS\system32\pyablxhw.dll",b
O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\lfonvixr.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - http://www.albatross...2/cabs/A18X.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

Advertisements


#2
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello suddsy, and welcome to Geeks to Go! . I'm currently reading over your log right now and I'll do my best to try to get your system clean. :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert.
  • 0

#3
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello suddsy,

If you have any questions please feel free to ask. :)

STEP 1
Please click start>control panel>add/remove programs. And remove the following program.(if present)
Netcom3 Cleaner

Please reopen HijackThis and click on Do a system scan only.And put a check next to the following entries.

O2 - BHO: (no name) - {67306587-84F9-4D52-8D36-1BA169233BE0} -
C:\WINDOWS\system32\rqRKDvsS.dll
O2 - BHO: {db7fb798-41f0-ee09-da84-14b9d8fd46ca} - {ac64df8d-9b41-48ad-90ee-0f14897bf7bd} -
C:\WINDOWS\system32\iobysjeo.dll
O4 - HKLM\..\Run: [800eeeff] rundll32.exe "C:\WINDOWS\system32\pyablxhw.dll",b
O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\lfonvixr.dll",s
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)

Once you have the checks in those entries please make sure all open windows are closed(keep HijackThis open) and click fix checked on HijackThis.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\rqRKDvsS.dll
    C:\WINDOWS\system32\iobysjeo.dll
    C:\WINDOWS\system32\pyablxhw.dll
    C:\WINDOWS\system32\lfonvixr.dll
    C:\Program Files\Netcom3 Cleaner
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 2
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in: Netcom3
  • Click "ok", then reboot

STEP 3
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
~~~~~~~~~~~
In your next reply please have these logs.
The OTMoveIt2 log
And the DSS main.txt and extra.txt
  • 0

#4
suddsy

suddsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\rqRKDvsS.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rqRKDvsS.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iobysjeo.dll
C:\WINDOWS\system32\iobysjeo.dll NOT unregistered.
C:\WINDOWS\system32\iobysjeo.dll moved successfully.
File/Folder C:\WINDOWS\system32\pyablxhw.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lfonvixr.dll
C:\WINDOWS\system32\lfonvixr.dll NOT unregistered.
C:\WINDOWS\system32\lfonvixr.dll moved successfully.
C:\Program Files\Netcom3 Cleaner\Logs moved successfully.
C:\Program Files\Netcom3 Cleaner\Backup moved successfully.
C:\Program Files\Netcom3 Cleaner moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05162008_105808

DSS Scanner log

main.txt
Deckard's System Scanner v20071014.68
Run by Pat on 2008-05-16 11:21:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Pat.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:23 AM, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Pat\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mdg.ca/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {EDC21C19-54AA-449D-84B7-5AE713762FC1} - C:\WINDOWS\system32\rqRKDvsS.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - http://www.albatross...2/cabs/A18X.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9058 bytes

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-15 23:24:09 94208 --a------ C:\WINDOWS\system32\chlytdum.dll
2008-05-15 23:22:25 116224 --a------ C:\WINDOWS\system32\vdvmehpd.dll
2008-05-15 23:22:17 108544 --a------ C:\WINDOWS\system32\gbrblwbh.dll
2008-05-15 23:21:08 819113 --ahs---- C:\WINDOWS\system32\SsvDKRqr.ini2
2008-05-15 20:54:20 116224 --a------ C:\WINDOWS\system32\tuiwftpq.dll
2008-05-15 20:45:20 108544 --a------ C:\WINDOWS\system32\darwxmlb.dll
2008-05-15 16:27:26 0 dr-h----- C:\Documents and Settings\Pat\Recent
2008-05-13 23:10:05 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-05-13 22:08:24 0 d-------- C:\Documents and Settings\Pat\Application Data\Yahoo!
2008-05-13 21:52:41 86016 --a------ C:\WINDOWS\system32\YPcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>
2008-05-13 21:52:41 131072 --a------ C:\WINDOWS\system32\ypclsp.dll <Not Verified; Yahoo! Inc.; Yahoo! YPCLSP>
2008-05-13 21:25:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-13 20:12:36 115712 --a------ C:\WINDOWS\system32\bvnoerjp.dll
2008-05-13 19:07:58 0 d-------- C:\Program Files\Trend Micro
2008-05-13 19:03:58 115712 --a------ C:\WINDOWS\system32\xubvnxjd.dll
2008-05-13 16:50:59 68096 --a------ C:\WINDOWS\zip.exe
2008-05-13 16:50:59 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-13 16:50:59 80412 --a------ C:\WINDOWS\grep.exe
2008-05-13 16:50:59 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-13 16:50:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-13 16:50:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-13 16:50:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-13 11:43:46 0 d-------- C:\VundoFix Backups
2008-05-12 21:41:56 116736 --a------ C:\WINDOWS\system32\aphjdono.dll
2008-05-12 09:36:21 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll
2008-05-07 13:13:09 0 d-------- C:\Program Files\Avanquest update
2008-05-07 13:12:55 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-07 13:12:45 0 d-------- C:\Program Files\WinASPI
2008-05-07 13:12:10 11776 --a------ C:\WINDOWS\system32\LinkDLL.dll <Not Verified; Copyright DVDToMobile INC; LinkDll>
2008-05-07 13:12:10 32256 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-05-07 13:11:56 0 d-------- C:\Program Files\DVD2Pod
2008-05-07 13:11:55 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-03 13:25:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 13:25:10 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 13:25:10 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 13:25:05 0 d-------- C:\Program Files\iolo
2008-05-03 13:24:04 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 13:23:11 0 d-------- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-03 13:23:11 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-04-21 16:22:35 0 d-------- C:\Program Files\Lavasoft
2008-04-21 16:22:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 00:14:20 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-05-16 03:11:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-15 16:54:42 0 d-------- C:\Program Files\Symantec
2008-05-15 16:29:10 0 d-------- C:\Program Files\LimeWire
2008-05-15 16:27:37 0 d-------- C:\Documents and Settings\Pat\Application Data\LimeWire
2008-05-14 21:48:37 0 d-------- C:\Program Files\World of Warcraft
2008-05-13 22:08:50 0 d-------- C:\Program Files\Common Files
2008-05-13 21:52:41 0 d-------- C:\Program Files\Yahoo!
2008-05-13 19:18:58 0 d-------- C:\Program Files\Google
2008-05-08 15:46:18 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-07 13:13:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-04 16:59:03 0 d-------- C:\Documents and Settings\Pat\Application Data\OpenOffice.org2
2008-05-04 10:31:30 0 d-------- C:\Program Files\Microsoft Works
2008-04-21 16:22:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:27:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-20 00:14:41 0 d-------- C:\Program Files\iTunes
2008-04-20 00:12:35 0 d-------- C:\Program Files\QuickTime
2008-04-20 00:06:11 0 d-------- C:\Program Files\Safari
2008-04-17 14:41:13 0 d-------- C:\Documents and Settings\Pat\Application Data\Adobe
2008-04-05 13:05:50 0 d-------- C:\Documents and Settings\Pat\Application Data\Apple Computer
2008-03-30 11:20:41 0 d-------- C:\Program Files\QuickTax 2007
2008-03-26 22:44:55 0 d-------- C:\Documents and Settings\Pat\Application Data\FreeStone Group
2008-03-26 22:44:22 0 d-------- C:\Program Files\Video Card Stability Test
2008-03-24 23:27:26 0 d-------- C:\Program Files\Java
2008-03-20 03:00:45 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-18 21:44:06 0 d-------- C:\Program Files\Windows Live
2008-03-18 21:42:39 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDC21C19-54AA-449D-84B7-5AE713762FC1}]
13/05/2008 08:17 PM 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [20/03/2003 03:05 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12/01/2006 04:40 PM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [26/10/2007 03:42 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [27/08/2003 02:20 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [16/07/2002 09:21 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [06/05/2008 04:36 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 01:59 AM]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [14/01/2007 03:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:00 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [15/09/2006 02:27 PM]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [26/09/2007 03:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKDvsS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-05-16 11:22:00 ------------

No extra.txt log was generated
  • 0

#5
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello suddsy,

STEP 1
We need to backup your registry:
Please go to Start > Run
Paste in the following line:regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Now we will need to make a .reg file.To do this please open up your notepad and copy the text below(in the code box) and paste it in your notepad.Make sure REGEDIT4 is the first thing there(no spaces before it) and make sure there is a blank line at the end of the file.
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EDC21C19-54AA-449D-84B7-5AE713762FC1}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this file as fix.reg.Make sure you have the file type as All Files.Save this to your desktop.Then double click it and click yes to merge with your registry.

STEP 2
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\chlytdum.dll
    C:\WINDOWS\system32\vdvmehpd.dll
    C:\WINDOWS\system32\gbrblwbh.dll
    C:\WINDOWS\system32\SsvDKRqr.ini2
    C:\WINDOWS\system32\tuiwftpq.dll
    C:\WINDOWS\system32\darwxmlb.dll
    C:\WINDOWS\system32\bvnoerjp.dll
    C:\WINDOWS\system32\xubvnxjd.dll
    C:\WINDOWS\system32\aphjdono.dll
    C:\WINDOWS\system32\rqRKDvsS.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

I see that you have a P2P(Peer to Peer) program on your computer.While the program it self may be safe the files you get can be illegal and can also have malware in them also.I recommend you remove this program.(if you do not want to remove the P2P program please skip these red instructions)
Please click start>control panel>add/remove programs. And remove the following program(if present)Also remove any other P2P programs you may have.
LimeWire

Once you have done that please remove following folders(if present)
C:\Program Files\LimeWire
C:\Documents and Settings\Pat\Application Data\LimeWire


STEP 3
Please rescan with DSS
  • Click on Start, click on Run
  • Copy and paste the following in bold in the open window and then click OK
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All
  • Click Scan
  • DSS will now run again
  • When finished, please post back both logs that open in notepad: main.txt and extra.txt
~~~~~~~~~~~~
In your next reply please have these logs.
The OTMoveIt2 log
And the DSS main.txt and extra.txt
  • 0

#6
suddsy

suddsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
OTmoveit log

DllUnregisterServer procedure not found in C:\WINDOWS\system32\chlytdum.dll
C:\WINDOWS\system32\chlytdum.dll NOT unregistered.
C:\WINDOWS\system32\chlytdum.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vdvmehpd.dll
C:\WINDOWS\system32\vdvmehpd.dll NOT unregistered.
C:\WINDOWS\system32\vdvmehpd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gbrblwbh.dll
C:\WINDOWS\system32\gbrblwbh.dll NOT unregistered.
C:\WINDOWS\system32\gbrblwbh.dll moved successfully.
C:\WINDOWS\system32\SsvDKRqr.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tuiwftpq.dll
C:\WINDOWS\system32\tuiwftpq.dll NOT unregistered.
C:\WINDOWS\system32\tuiwftpq.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\darwxmlb.dll
C:\WINDOWS\system32\darwxmlb.dll NOT unregistered.
C:\WINDOWS\system32\darwxmlb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bvnoerjp.dll
C:\WINDOWS\system32\bvnoerjp.dll NOT unregistered.
C:\WINDOWS\system32\bvnoerjp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xubvnxjd.dll
C:\WINDOWS\system32\xubvnxjd.dll NOT unregistered.
C:\WINDOWS\system32\xubvnxjd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\aphjdono.dll
C:\WINDOWS\system32\aphjdono.dll NOT unregistered.
C:\WINDOWS\system32\aphjdono.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\rqRKDvsS.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rqRKDvsS.dll scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05162008_204841

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\rqRKDvsS.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rqRKDvsS.dll scheduled to be moved on reboot.

main.txt

eckard's System Scanner v20071014.68
Run by Pat on 2008-05-16 20:54:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
14: 2008-05-17 00:54:55 UTC - RP14 - Deckard's System Scanner Restore Point
13: 2008-05-16 03:21:28 UTC - RP13 - Last known good configuration
12: 2008-05-16 03:21:23 UTC - RP12 - Software Distribution Service 3.0
11: 2008-05-16 03:21:23 UTC - RP11 - Removed WinZip 11.1
10: 2008-05-16 03:21:22 UTC - RP10 - System Checkpoint


-- First Restore Point --
1: 2008-05-16 03:21:19 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Pat.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:31 PM, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Pat\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mdg.ca/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {844D7E65-E5EE-4D2D-BD40-53984C045782} - C:\WINDOWS\system32\rqRKDvsS.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - http://www.albatross...2/cabs/A18X.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9134 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080513-192121-182 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinn...GamesLoader.cab
backup-20080513-192122-226 O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - http://www.worldwinn...d/bejeweled.cab
backup-20080513-192122-230 O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload....Plugin11USA.cab
backup-20080513-192122-244 O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
backup-20080513-194250-106 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194254-548 O20 - Winlogon Notify: iifGyWPJ - iifGyWPJ.dll (file missing)
backup-20080513-194422-186 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194622-959 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194857-678 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080513-194857-874 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194905-298 O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - (no file)
backup-20080516-104614-174 O2 - BHO: (no name) - {E3CEEADA-2EA3-48DA-B3FE-E046CAA6F6DF} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080516-104614-451 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
backup-20080516-104614-465 O2 - BHO: {683c000b-3c78-a5eb-afd4-0430430552bf} - {fb255034-0340-4dfa-be5a-87c3b000c386} - C:\WINDOWS\system32\vdvmehpd.dll
backup-20080516-104614-553 O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\gbrblwbh.dll",s
backup-20080516-104614-948 O4 - HKLM\..\Run: [800eeeff] rundll32.exe "C:\WINDOWS\system32\chlytdum.dll",b
backup-20080516-105301-589 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
backup-20080516-105301-951 O2 - BHO: (no name) - {3282B91F-376B-4602-9F16-A8119ECEEBAE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080516-105547-294 O2 - BHO: (no name) - {3282B91F-376B-4602-9F16-A8119ECEEBAE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080516-105547-589 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
backup-20080516-110828-924 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regedit - DefaultIcon - unable to read value
.reg - regedit - shell\open\command - regedit.exe %1
.reg - regedit - shell\edit\command - unable to read value
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Ventrilo - c:\program files\ventsrv\ventrilo_svc.exe

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1868)
2008-05-13 20:17:58 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 07:10:30 572 --a------ C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Pat.job


-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 20:50:53 829637 --ahs---- C:\WINDOWS\system32\SsvDKRqr.ini2
2008-05-16 20:03:57 76892498 --a------ C:\registrybackup.reg
2008-05-15 16:27:26 0 dr-h----- C:\Documents and Settings\Pat\Recent
2008-05-13 23:10:05 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-05-13 22:08:24 0 d-------- C:\Documents and Settings\Pat\Application Data\Yahoo!
2008-05-13 21:52:41 86016 --a------ C:\WINDOWS\system32\YPcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>
2008-05-13 21:52:41 131072 --a------ C:\WINDOWS\system32\ypclsp.dll <Not Verified; Yahoo! Inc.; Yahoo! YPCLSP>
2008-05-13 21:25:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-13 19:07:58 0 d-------- C:\Program Files\Trend Micro
2008-05-13 16:50:59 68096 --a------ C:\WINDOWS\zip.exe
2008-05-13 16:50:59 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-13 16:50:59 80412 --a------ C:\WINDOWS\grep.exe
2008-05-13 16:50:59 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-13 16:50:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-13 16:50:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-13 16:50:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-13 11:43:46 0 d-------- C:\VundoFix Backups
2008-05-12 09:36:21 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll
2008-05-07 13:13:09 0 d-------- C:\Program Files\Avanquest update
2008-05-07 13:12:55 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-07 13:12:45 0 d-------- C:\Program Files\WinASPI
2008-05-07 13:12:10 11776 --a------ C:\WINDOWS\system32\LinkDLL.dll <Not Verified; Copyright DVDToMobile INC; LinkDll>
2008-05-07 13:12:10 32256 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-05-07 13:11:56 0 d-------- C:\Program Files\DVD2Pod
2008-05-07 13:11:55 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-03 13:25:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 13:25:10 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 13:25:10 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 13:25:05 0 d-------- C:\Program Files\iolo
2008-05-03 13:24:04 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 13:23:11 0 d-------- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-03 13:23:11 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-04-21 16:22:35 0 d-------- C:\Program Files\Lavasoft
2008-04-21 16:22:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 00:14:20 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-05-16 20:33:40 0 d-------- C:\Documents and Settings\Pat\Application Data\LimeWire
2008-05-16 16:25:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-15 16:54:42 0 d-------- C:\Program Files\Symantec
2008-05-14 21:48:37 0 d-------- C:\Program Files\World of Warcraft
2008-05-13 22:08:50 0 d-------- C:\Program Files\Common Files
2008-05-13 21:52:41 0 d-------- C:\Program Files\Yahoo!
2008-05-13 19:18:58 0 d-------- C:\Program Files\Google
2008-05-08 15:46:18 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-07 13:13:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-04 16:59:03 0 d-------- C:\Documents and Settings\Pat\Application Data\OpenOffice.org2
2008-05-04 10:31:30 0 d-------- C:\Program Files\Microsoft Works
2008-04-21 16:22:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:27:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-20 00:14:41 0 d-------- C:\Program Files\iTunes
2008-04-20 00:12:35 0 d-------- C:\Program Files\QuickTime
2008-04-20 00:06:11 0 d-------- C:\Program Files\Safari
2008-04-17 14:41:13 0 d-------- C:\Documents and Settings\Pat\Application Data\Adobe
2008-04-05 13:05:50 0 d-------- C:\Documents and Settings\Pat\Application Data\Apple Computer
2008-03-30 11:20:41 0 d-------- C:\Program Files\QuickTax 2007
2008-03-26 22:44:55 0 d-------- C:\Documents and Settings\Pat\Application Data\FreeStone Group
2008-03-26 22:44:22 0 d-------- C:\Program Files\Video Card Stability Test
2008-03-24 23:27:26 0 d-------- C:\Program Files\Java
2008-03-20 03:00:45 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-18 21:44:06 0 d-------- C:\Program Files\Windows Live
2008-03-18 21:42:39 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{844D7E65-E5EE-4D2D-BD40-53984C045782}]
13/05/2008 08:17 PM 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [20/03/2003 03:05 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12/01/2006 04:40 PM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [26/10/2007 03:42 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [27/08/2003 02:20 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [16/07/2002 09:21 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [06/05/2008 04:36 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 01:59 AM]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [14/01/2007 03:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:00 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [15/09/2006 02:27 PM]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [26/09/2007 03:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKDvsS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-05-16 20:57:36 ------------

extra.txt file
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 1022.73 MiB / 598.54 MiB
Pagefile Memory (total/avail): 2464.21 MiB / 2068.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1904.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.05 GiB total, 63.8 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160812A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.05 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton Security Online v2007 (Symantec Corporation)
AV: Norton Security Online v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Pat\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-E60F1FD86
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Pat
LOGONSERVER=\\OWNER-E60F1FD86
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Pat\LOCALS~1\Temp
TMP=C:\DOCUME~1\Pat\LOCALS~1\Temp
USERDOMAIN=OWNER-E60F1FD86
USERNAME=Pat
USERPROFILE=C:\Documents and Settings\Pat
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Pat (admin)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
--> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_2_0_30\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Age of Empires III -->
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Age of Empires III - The WarChiefs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1C08A24C-B168-407E-A826-68FAF5F20710}
Any Video Converter 1.0 --> "C:\Program Files\Any Video Converter\unins000.exe"
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Avanquest update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe" -l0x9 -removeonly
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Compel Adaptec WinASPI --> "C:\Program Files\WinASPI\unins000.exe"
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
DVD2Pod --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A72D1D05-1145-4BDB-AC26-DA88AB4B7B65}\Setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HomeWorks --> MsiExec.exe /X{C698CB91-D535-46D0-851F-E6B6A9B6AE97}
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iolo technologies' System Mechanic 7 --> "C:\Program Files\iolo\System Mechanic 7\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LightScribe 1.4.44.1 -->
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2003 --> MsiExec.exe /I{03410014-3975-4267-9F39-1DC4745090B7}
Microsoft Money 2003 --> MsiExec.exe /I{01F9D88C-3C86-4E82-840A-101A3221F67A}
Microsoft Money 2003 System Pack --> MsiExec.exe /I{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}
Microsoft Picture It! Photo 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe D:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
OpenOffice.org 2.3 --> MsiExec.exe /I{83C03FBE-4492-4133-BBAB-421CD88ADA32}
Print Workshop 2007 LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF023DA1-5B52-467E-857C-EAF1BC0604E0}\setup.exe" -l0x9
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTax 2007 --> MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Rogers Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
Video Card Stability Test --> C:\Program Files\Video Card Stability Test\uninstall.exe
WeatherEye --> "C:\Program Files\TheWeatherNetwork\WeatherEye\MMTWNLiveUpdate.exe" /language ENGLISH /uninstall HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WeatherEye,HKEY_CURRENT_USER\Software\MMTWN\WeatherEye
WebFldrs XP -->
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Works Suite OS Pack -->
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Yahoo! Toolbar -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type17394 / Error
Event Submitted/Written: 05/16/2008 08:02:54 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type17277 / Success
Event Submitted/Written: 05/15/2008 03:51:02 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type17262 / Error
Event Submitted/Written: 05/15/2008 03:35:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type17261 / Error
Event Submitted/Written: 05/15/2008 03:35:24 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type17243 / Success
Event Submitted/Written: 05/15/2008 07:50:34 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19270 / Error
Event Submitted/Written: 05/15/2008 04:38:18 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type19269 / Error
Event Submitted/Written: 05/15/2008 04:30:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type19266 / Error
Event Submitted/Written: 05/15/2008 04:30:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type19263 / Error
Event Submitted/Written: 05/15/2008 04:30:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type19260 / Error
Event Submitted/Written: 05/15/2008 04:30:32 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-16 20:57:36 ------------
  • 0

#7
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello suddsy,

STEP 1
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:regedit /e c:\registrybackup2.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\rqRKDvsS.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{844D7E65-E5EE-4D2D-BD40-53984C045782}
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 2
Now we will need to make a .reg file.To do this please open up your notepad and copy the text below(in the code box) and paste it in your notepad.Make sure REGEDIT4 is the first thing there(no spaces before it) and make sure there is a blank line at the end of the file.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this file as fix2.reg.Make sure you have the file type as All Files.Save this to your desktop.Then double click it and click yes to merge with your registry.

STEP 3
Click on Start>Run. And then copy and paste the following in bold in the open window and then click OK.
"%userprofile%\desktop\dss.exe" /daft
Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window.

STEP 4
Please rescan with DSS
  • Click on Start, click on Run
  • Copy and paste the following in bold in the open window and then click OK
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All
  • Click Scan
  • DSS will now run again
  • When finished, please post back both logs that open in notepad: main.txt and extra.txt
~~~~~~~~~~~~~
In your next reply please have these logs.
The OTMoveIt2 log
And the DSS main.txt and extra.txt
  • 0

#8
suddsy

suddsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Moveit log

Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\rqRKDvsS.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rqRKDvsS.dll scheduled to be moved on reboot.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{844D7E65-E5EE-4D2D-BD40-53984C045782} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{844D7E65-E5EE-4D2D-BD40-53984C045782}\\ not found.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05172008_111431

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\rqRKDvsS.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\rqRKDvsS.dll scheduled to be moved on reboot.

main.txt
Deckard's System Scanner v20071014.68
Run by Pat on 2008-05-17 11:27:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
14: 2008-05-17 00:54:55 UTC - RP14 - Deckard's System Scanner Restore Point
13: 2008-05-16 03:21:28 UTC - RP13 - Last known good configuration
12: 2008-05-16 03:21:23 UTC - RP12 - Software Distribution Service 3.0
11: 2008-05-16 03:21:23 UTC - RP11 - Removed WinZip 11.1
10: 2008-05-16 03:21:22 UTC - RP10 - System Checkpoint


-- First Restore Point --
1: 2008-05-16 03:21:19 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Pat.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:54 AM, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Pat\desktop\dss.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mdg.ca/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F3E392E9-CD36-480B-BF5D-A27B770DE7A5} - C:\WINDOWS\system32\rqRKDvsS.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - http://www.albatross...2/cabs/A18X.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9043 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080513-192121-182 O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinn...GamesLoader.cab
backup-20080513-192122-226 O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - http://www.worldwinn...d/bejeweled.cab
backup-20080513-192122-230 O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload....Plugin11USA.cab
backup-20080513-192122-244 O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
backup-20080513-194250-106 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194254-548 O20 - Winlogon Notify: iifGyWPJ - iifGyWPJ.dll (file missing)
backup-20080513-194422-186 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194622-959 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194857-678 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080513-194857-874 O2 - BHO: (no name) - {6669BF07-492A-4C0A-9A5F-44914E6C3DEE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080513-194905-298 O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - (no file)
backup-20080516-104614-174 O2 - BHO: (no name) - {E3CEEADA-2EA3-48DA-B3FE-E046CAA6F6DF} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080516-104614-451 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
backup-20080516-104614-465 O2 - BHO: {683c000b-3c78-a5eb-afd4-0430430552bf} - {fb255034-0340-4dfa-be5a-87c3b000c386} - C:\WINDOWS\system32\vdvmehpd.dll
backup-20080516-104614-553 O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\gbrblwbh.dll",s
backup-20080516-104614-948 O4 - HKLM\..\Run: [800eeeff] rundll32.exe "C:\WINDOWS\system32\chlytdum.dll",b
backup-20080516-105301-589 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
backup-20080516-105301-951 O2 - BHO: (no name) - {3282B91F-376B-4602-9F16-A8119ECEEBAE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080516-105547-294 O2 - BHO: (no name) - {3282B91F-376B-4602-9F16-A8119ECEEBAE} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080516-105547-589 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
backup-20080516-110828-924 O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
backup-20080517-002305-145 O4 - HKLM\..\Run: [800eeeff] rundll32.exe "C:\WINDOWS\system32\nyshxyhs.dll",b
backup-20080517-002305-365 O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\jbryrghr.dll",s
backup-20080517-002305-491 O2 - BHO: (no name) - {B7A5B8A8-44BC-42D0-BFBF-3A5ADCB77828} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080517-002446-730 O2 - BHO: {5e05985f-54c1-9f48-2984-e7c67c2e6abd} - {dba6e2c7-6c7e-4892-84f9-1c45f58950e5} - C:\WINDOWS\system32\nmhonaxg.dll (file missing)
backup-20080517-002710-584 O2 - BHO: (no name) - {B7A5B8A8-44BC-42D0-BFBF-3A5ADCB77828} - C:\WINDOWS\system32\rqRKDvsS.dll
backup-20080517-002710-624 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Ventrilo - c:\program files\ventsrv\ventrilo_svc.exe

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1844)
2008-05-13 20:17:58 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll
2007-08-30 20:00:52 335872 --a------ C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll <Not Verified; Sun Microsystems, Inc.; >
2007-08-17 21:54:42 98304 --a------ C:\Program Files\OpenOffice.org 2.3\program\uwinapi.dll <Not Verified; Sun Microsystems, Inc.; >
2007-08-08 19:04:26 577536 --a------ C:\Program Files\OpenOffice.org 2.3\program\stlport_vc7145.dll <Not Verified; STLport Consulting, Inc.; STLport Standard ANSI C++ Libarary>
2006-12-22 13:28:14 271360 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2003-02-20 19:09:34 253952 --a------ C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\shfusion.dll <Not Verified; Microsoft Corporation; Microsoft .NET Framework>


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 07:10:30 572 --a------ C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Pat.job


-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 10:59:01 77062018 --a------ C:\registrybackup2.reg
2008-05-16 20:50:53 835882 --ahs---- C:\WINDOWS\system32\SsvDKRqr.ini2
2008-05-16 20:03:57 76892498 --a------ C:\registrybackup.reg
2008-05-15 16:27:26 0 dr-h----- C:\Documents and Settings\Pat\Recent
2008-05-13 23:10:05 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-05-13 22:08:24 0 d-------- C:\Documents and Settings\Pat\Application Data\Yahoo!
2008-05-13 21:52:41 86016 --a------ C:\WINDOWS\system32\YPcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>
2008-05-13 21:52:41 131072 --a------ C:\WINDOWS\system32\ypclsp.dll <Not Verified; Yahoo! Inc.; Yahoo! YPCLSP>
2008-05-13 21:25:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-13 19:07:58 0 d-------- C:\Program Files\Trend Micro
2008-05-13 16:50:59 68096 --a------ C:\WINDOWS\zip.exe
2008-05-13 16:50:59 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-13 16:50:59 80412 --a------ C:\WINDOWS\grep.exe
2008-05-13 16:50:59 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-13 16:50:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-13 16:50:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-13 16:50:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-13 11:43:46 0 d-------- C:\VundoFix Backups
2008-05-12 09:36:21 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll
2008-05-07 13:13:09 0 d-------- C:\Program Files\Avanquest update
2008-05-07 13:12:55 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-07 13:12:45 0 d-------- C:\Program Files\WinASPI
2008-05-07 13:12:10 11776 --a------ C:\WINDOWS\system32\LinkDLL.dll <Not Verified; Copyright DVDToMobile INC; LinkDll>
2008-05-07 13:12:10 32256 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-05-07 13:11:56 0 d-------- C:\Program Files\DVD2Pod
2008-05-07 13:11:55 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-03 13:25:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 13:25:10 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 13:25:10 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 13:25:05 0 d-------- C:\Program Files\iolo
2008-05-03 13:24:04 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 13:23:11 0 d-------- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-03 13:23:11 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-04-21 16:22:35 0 d-------- C:\Program Files\Lavasoft
2008-04-21 16:22:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 00:14:20 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-05-17 11:12:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-16 21:06:00 0 d-------- C:\Documents and Settings\Pat\Application Data\yoclient
2008-05-15 16:54:42 0 d-------- C:\Program Files\Symantec
2008-05-14 21:48:37 0 d-------- C:\Program Files\World of Warcraft
2008-05-13 22:08:50 0 d-------- C:\Program Files\Common Files
2008-05-13 21:52:41 0 d-------- C:\Program Files\Yahoo!
2008-05-13 19:18:58 0 d-------- C:\Program Files\Google
2008-05-08 15:46:18 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-07 13:13:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-04 16:59:03 0 d-------- C:\Documents and Settings\Pat\Application Data\OpenOffice.org2
2008-05-04 10:31:30 0 d-------- C:\Program Files\Microsoft Works
2008-04-21 16:22:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:27:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-20 00:14:41 0 d-------- C:\Program Files\iTunes
2008-04-20 00:12:35 0 d-------- C:\Program Files\QuickTime
2008-04-20 00:06:11 0 d-------- C:\Program Files\Safari
2008-04-17 14:41:13 0 d-------- C:\Documents and Settings\Pat\Application Data\Adobe
2008-04-05 13:05:50 0 d-------- C:\Documents and Settings\Pat\Application Data\Apple Computer
2008-03-30 11:20:41 0 d-------- C:\Program Files\QuickTax 2007
2008-03-26 22:44:55 0 d-------- C:\Documents and Settings\Pat\Application Data\FreeStone Group
2008-03-26 22:44:22 0 d-------- C:\Program Files\Video Card Stability Test
2008-03-24 23:27:26 0 d-------- C:\Program Files\Java
2008-03-20 03:00:45 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-18 21:44:06 0 d-------- C:\Program Files\Windows Live
2008-03-18 21:42:39 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3E392E9-CD36-480B-BF5D-A27B770DE7A5}]
13/05/2008 08:17 PM 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [20/03/2003 03:05 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12/01/2006 04:40 PM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [26/10/2007 03:42 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [27/08/2003 02:20 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [16/07/2002 09:21 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [06/05/2008 04:36 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 01:59 AM]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [14/01/2007 03:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:00 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [15/09/2006 02:27 PM]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [26/09/2007 03:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKDvsS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-05-17 11:30:08 ------------

extra.txt

ckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 1022.73 MiB / 540.71 MiB
Pagefile Memory (total/avail): 2464.21 MiB / 1976.01 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1904.33 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.05 GiB total, 63.73 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160812A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.05 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton Security Online v2007 (Symantec Corporation)
AV: Norton Security Online v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Pat\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-E60F1FD86
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Pat
LOGONSERVER=\\OWNER-E60F1FD86
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Pat\LOCALS~1\Temp
TMP=C:\DOCUME~1\Pat\LOCALS~1\Temp
USERDOMAIN=OWNER-E60F1FD86
USERNAME=Pat
USERPROFILE=C:\Documents and Settings\Pat
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Pat (admin)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
--> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_2_0_30\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Age of Empires III -->
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Age of Empires III - The WarChiefs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1C08A24C-B168-407E-A826-68FAF5F20710}
Any Video Converter 1.0 --> "C:\Program Files\Any Video Converter\unins000.exe"
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Avanquest update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe" -l0x9 -removeonly
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Compel Adaptec WinASPI --> "C:\Program Files\WinASPI\unins000.exe"
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
DVD2Pod --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A72D1D05-1145-4BDB-AC26-DA88AB4B7B65}\Setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HomeWorks --> MsiExec.exe /X{C698CB91-D535-46D0-851F-E6B6A9B6AE97}
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iolo technologies' System Mechanic 7 --> "C:\Program Files\iolo\System Mechanic 7\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LightScribe 1.4.44.1 -->
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2003 --> MsiExec.exe /I{03410014-3975-4267-9F39-1DC4745090B7}
Microsoft Money 2003 --> MsiExec.exe /I{01F9D88C-3C86-4E82-840A-101A3221F67A}
Microsoft Money 2003 System Pack --> MsiExec.exe /I{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}
Microsoft Picture It! Photo 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe D:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
OpenOffice.org 2.3 --> MsiExec.exe /I{83C03FBE-4492-4133-BBAB-421CD88ADA32}
Print Workshop 2007 LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF023DA1-5B52-467E-857C-EAF1BC0604E0}\setup.exe" -l0x9
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTax 2007 --> MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Rogers Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
Video Card Stability Test --> C:\Program Files\Video Card Stability Test\uninstall.exe
WeatherEye --> "C:\Program Files\TheWeatherNetwork\WeatherEye\MMTWNLiveUpdate.exe" /language ENGLISH /uninstall HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WeatherEye,HKEY_CURRENT_USER\Software\MMTWN\WeatherEye
WebFldrs XP -->
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Works Suite OS Pack -->
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Yahoo! Toolbar -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type17496 / Error
Event Submitted/Written: 05/17/2008 11:03:15 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application OTMoveIt2.exe, version 1.0.4.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type17482 / Success
Event Submitted/Written: 05/17/2008 09:33:42 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type17394 / Error
Event Submitted/Written: 05/16/2008 08:02:54 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type17277 / Success
Event Submitted/Written: 05/15/2008 03:51:02 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type17262 / Error
Event Submitted/Written: 05/15/2008 03:35:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19270 / Error
Event Submitted/Written: 05/15/2008 04:38:18 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type19269 / Error
Event Submitted/Written: 05/15/2008 04:30:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type19266 / Error
Event Submitted/Written: 05/15/2008 04:30:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type19263 / Error
Event Submitted/Written: 05/15/2008 04:30:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type19260 / Error
Event Submitted/Written: 05/15/2008 04:30:32 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-17 11:30:08 ------------
  • 0

#9
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello suddsy,

STEP 1
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

~~~~~~~~~~~~
In your next reply please have these logs.
The ComboFix log
And a new HijackThis log
  • 0

#10
suddsy

suddsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
combonfix.txt file

ComboFix 08-05-15.3 - Pat 2008-05-17 13:21:54.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.634 [GMT -4:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\#SharedObjects\ZDNMZEUR\iforex.com
C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\#SharedObjects\ZDNMZEUR\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mudtylhc.ini
C:\WINDOWS\system32\shyxhsyn.ini
C:\WINDOWS\system32\SsvDKRqr.ini
C:\WINDOWS\system32\SsvDKRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 10:59 . 2008-05-17 10:59 77,062,018 --a------ C:\registrybackup2.reg
2008-05-16 20:03 . 2008-05-16 20:04 76,892,498 --a------ C:\registrybackup.reg
2008-05-16 11:21 . 2008-05-16 11:21 <DIR> d-------- C:\Deckard
2008-05-16 10:58 . 2008-05-16 10:58 <DIR> d-------- C:\_OTMoveIt
2008-05-15 23:18 . 2008-05-15 23:18 294 ---hs---- C:\WINDOWS\system32\cwguhqhw.ini
2008-05-15 16:54 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-15 16:54 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-15 16:54 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-13 23:01 . 2008-05-13 23:01 268 --ah----- C:\sqmdata18.sqm
2008-05-13 23:01 . 2008-05-13 23:01 244 --ah----- C:\sqmnoopt18.sqm
2008-05-13 22:08 . 2008-05-13 22:08 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\Yahoo!
2008-05-13 21:54 . 2008-05-13 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-13 21:54 . 2008-05-13 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-13 21:54 . 2008-05-13 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-13 21:54 . 2008-05-13 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-13 21:52 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-05-13 21:52 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-05-13 21:46 . 2008-05-13 21:46 268 --ah----- C:\sqmdata17.sqm
2008-05-13 21:46 . 2008-05-13 21:46 244 --ah----- C:\sqmnoopt17.sqm
2008-05-13 21:38 . 2008-05-13 21:38 268 --ah----- C:\sqmdata16.sqm
2008-05-13 21:38 . 2008-05-13 21:38 244 --ah----- C:\sqmnoopt16.sqm
2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-13 21:25 . 2008-05-13 21:25 268 --ah----- C:\sqmdata15.sqm
2008-05-13 21:25 . 2008-05-13 21:25 244 --ah----- C:\sqmnoopt15.sqm
2008-05-13 20:23 . 2008-05-13 20:23 268 --ah----- C:\sqmdata14.sqm
2008-05-13 20:23 . 2008-05-13 20:23 244 --ah----- C:\sqmnoopt14.sqm
2008-05-13 19:55 . 2008-05-13 19:55 268 --ah----- C:\sqmdata13.sqm
2008-05-13 19:55 . 2008-05-13 19:55 244 --ah----- C:\sqmnoopt13.sqm
2008-05-13 19:07 . 2008-05-13 19:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 19:01 . 2008-05-13 20:04 1,614 ---hs---- C:\WINDOWS\system32\oslxarar.ini
2008-05-13 17:29 . 2008-05-13 17:29 268 --ah----- C:\sqmdata12.sqm
2008-05-13 17:29 . 2008-05-13 17:29 244 --ah----- C:\sqmnoopt12.sqm
2008-05-13 11:43 . 2008-05-13 11:43 <DIR> d-------- C:\VundoFix Backups
2008-05-12 21:45 . 2008-05-13 17:32 1,314 ---hs---- C:\WINDOWS\system32\dnahtrmx.ini
2008-05-12 21:38 . 2008-05-17 00:10 109,852 --a------ C:\WINDOWS\BM833ddd63.xml
2008-05-12 09:36 . 2008-05-13 20:17 373,760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll
2008-05-07 13:13 . 2008-05-07 13:13 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-07 13:12 . 2008-05-07 13:12 <DIR> d-------- C:\Program Files\WinASPI
2008-05-07 13:12 . 2008-05-12 23:30 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-07 13:12 . 2005-01-20 03:23 32,256 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-05-07 13:12 . 2006-04-30 02:32 11,776 --a------ C:\WINDOWS\system32\LinkDLL.dll
2008-05-07 13:11 . 2008-05-07 13:14 <DIR> d-------- C:\Program Files\DVD2Pod
2008-05-07 13:11 . 2008-05-07 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-03 13:26 . 2008-05-03 13:26 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-05-03 13:25 . 2008-05-03 13:25 <DIR> d-------- C:\Program Files\iolo
2008-05-03 13:25 . 2008-05-03 13:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 13:25 . 2008-05-06 16:36 428,904 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-05-03 13:25 . 2008-03-24 08:53 34,304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 13:25 . 2008-03-24 08:53 22,528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 13:24 . 2008-05-03 13:24 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 13:23 . 2008-05-04 13:03 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-03 13:23 . 2008-05-03 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-04-21 16:22 . 2008-04-21 16:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-21 16:22 . 2008-04-21 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 00:14 . 2008-04-20 00:14 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 15:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 01:06 --------- d-----w C:\Documents and Settings\Pat\Application Data\yoclient
2008-05-15 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 20:54 --------- d-----w C:\Program Files\Symantec
2008-05-15 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-15 01:48 --------- d-----w C:\Program Files\World of Warcraft
2008-05-14 01:52 --------- d-----w C:\Program Files\Yahoo!
2008-05-14 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-13 23:18 --------- d-----w C:\Program Files\Google
2008-05-08 19:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-07 17:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 20:59 --------- d-----w C:\Documents and Settings\Pat\Application Data\OpenOffice.org2
2008-05-04 14:31 --------- d-----w C:\Program Files\Microsoft Works
2008-04-21 20:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 04:27 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 04:14 --------- d-----w C:\Program Files\iTunes
2008-04-20 04:12 --------- d-----w C:\Program Files\QuickTime
2008-04-20 04:06 --------- d-----w C:\Program Files\Safari
2008-04-05 17:05 --------- d-----w C:\Documents and Settings\Pat\Application Data\Apple Computer
2008-03-30 15:20 --------- d-----w C:\Program Files\QuickTax 2007
2008-03-27 02:44 --------- d-----w C:\Program Files\Video Card Stability Test
2008-03-27 02:44 --------- d-----w C:\Documents and Settings\Pat\Application Data\FreeStone Group
2008-03-25 03:27 --------- d-----w C:\Program Files\Java
2008-03-20 07:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-19 01:44 --------- d-----w C:\Program Files\Windows Live
2008-03-19 01:42 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-19 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-07 13:17 132,552 ----a-w C:\Documents and Settings\Pat\Application Data\GDIPFONTCACHEV1.DAT
2007-06-04 16:53 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-08-27 18:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D24687-C632-42ED-B8E7-39984F945355}]
2008-05-13 20:17 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 14:27 2048000]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2007-09-26 15:14 4484816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-20 15:05 774144]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 16:36 764776]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 03:11 771704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 11:10:30 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Pat.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 13:27:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-17 13:32:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 17:31:56
ComboFix2.txt 2008-05-16 03:18:25
ComboFix3.txt 2008-05-14 00:04:56
ComboFix4.txt 2008-05-13 21:06:44

Pre-Run: 68,402,262,016 bytes free
Post-Run: 68,359,671,808 bytes free

197 --- E O F --- 2008-05-16 02:43:14

highjackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:35 PM, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Pat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mdg.ca/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: {8c1eae6c-78fe-8309-f6d4-a7567ad2aa64} - {46aa2da7-657a-4d6f-9038-ef87c6eae1c8} - C:\WINDOWS\system32\nfudrqdq.dll
O2 - BHO: (no name) - {5987087D-7393-40D6-8778-A3A69D6B7965} - C:\WINDOWS\system32\rqRKDvsS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\umokeqrc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - http://www.albatross...2/cabs/A18X.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9055 bytes
  • 0

Advertisements


#11
suddsy

suddsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
combonfix.txt file

ComboFix 08-05-15.3 - Pat 2008-05-17 13:21:54.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.634 [GMT -4:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\#SharedObjects\ZDNMZEUR\iforex.com
C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\#SharedObjects\ZDNMZEUR\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Pat\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mudtylhc.ini
C:\WINDOWS\system32\shyxhsyn.ini
C:\WINDOWS\system32\SsvDKRqr.ini
C:\WINDOWS\system32\SsvDKRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 10:59 . 2008-05-17 10:59 77,062,018 --a------ C:\registrybackup2.reg
2008-05-16 20:03 . 2008-05-16 20:04 76,892,498 --a------ C:\registrybackup.reg
2008-05-16 11:21 . 2008-05-16 11:21 <DIR> d-------- C:\Deckard
2008-05-16 10:58 . 2008-05-16 10:58 <DIR> d-------- C:\_OTMoveIt
2008-05-15 23:18 . 2008-05-15 23:18 294 ---hs---- C:\WINDOWS\system32\cwguhqhw.ini
2008-05-15 16:54 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-15 16:54 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-15 16:54 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-13 23:01 . 2008-05-13 23:01 268 --ah----- C:\sqmdata18.sqm
2008-05-13 23:01 . 2008-05-13 23:01 244 --ah----- C:\sqmnoopt18.sqm
2008-05-13 22:08 . 2008-05-13 22:08 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\Yahoo!
2008-05-13 21:54 . 2008-05-13 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-13 21:54 . 2008-05-13 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-13 21:54 . 2008-05-13 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-13 21:54 . 2008-05-13 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-13 21:52 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-05-13 21:52 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-05-13 21:46 . 2008-05-13 21:46 268 --ah----- C:\sqmdata17.sqm
2008-05-13 21:46 . 2008-05-13 21:46 244 --ah----- C:\sqmnoopt17.sqm
2008-05-13 21:38 . 2008-05-13 21:38 268 --ah----- C:\sqmdata16.sqm
2008-05-13 21:38 . 2008-05-13 21:38 244 --ah----- C:\sqmnoopt16.sqm
2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-13 21:25 . 2008-05-13 21:25 268 --ah----- C:\sqmdata15.sqm
2008-05-13 21:25 . 2008-05-13 21:25 244 --ah----- C:\sqmnoopt15.sqm
2008-05-13 20:23 . 2008-05-13 20:23 268 --ah----- C:\sqmdata14.sqm
2008-05-13 20:23 . 2008-05-13 20:23 244 --ah----- C:\sqmnoopt14.sqm
2008-05-13 19:55 . 2008-05-13 19:55 268 --ah----- C:\sqmdata13.sqm
2008-05-13 19:55 . 2008-05-13 19:55 244 --ah----- C:\sqmnoopt13.sqm
2008-05-13 19:07 . 2008-05-13 19:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 19:01 . 2008-05-13 20:04 1,614 ---hs---- C:\WINDOWS\system32\oslxarar.ini
2008-05-13 17:29 . 2008-05-13 17:29 268 --ah----- C:\sqmdata12.sqm
2008-05-13 17:29 . 2008-05-13 17:29 244 --ah----- C:\sqmnoopt12.sqm
2008-05-13 11:43 . 2008-05-13 11:43 <DIR> d-------- C:\VundoFix Backups
2008-05-12 21:45 . 2008-05-13 17:32 1,314 ---hs---- C:\WINDOWS\system32\dnahtrmx.ini
2008-05-12 21:38 . 2008-05-17 00:10 109,852 --a------ C:\WINDOWS\BM833ddd63.xml
2008-05-12 09:36 . 2008-05-13 20:17 373,760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll
2008-05-07 13:13 . 2008-05-07 13:13 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-07 13:12 . 2008-05-07 13:12 <DIR> d-------- C:\Program Files\WinASPI
2008-05-07 13:12 . 2008-05-12 23:30 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-07 13:12 . 2005-01-20 03:23 32,256 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-05-07 13:12 . 2006-04-30 02:32 11,776 --a------ C:\WINDOWS\system32\LinkDLL.dll
2008-05-07 13:11 . 2008-05-07 13:14 <DIR> d-------- C:\Program Files\DVD2Pod
2008-05-07 13:11 . 2008-05-07 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-03 13:26 . 2008-05-03 13:26 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-05-03 13:25 . 2008-05-03 13:25 <DIR> d-------- C:\Program Files\iolo
2008-05-03 13:25 . 2008-05-03 13:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 13:25 . 2008-05-06 16:36 428,904 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-05-03 13:25 . 2008-03-24 08:53 34,304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 13:25 . 2008-03-24 08:53 22,528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 13:24 . 2008-05-03 13:24 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 13:23 . 2008-05-04 13:03 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-03 13:23 . 2008-05-03 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-04-21 16:22 . 2008-04-21 16:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-21 16:22 . 2008-04-21 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 00:14 . 2008-04-20 00:14 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 15:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 01:06 --------- d-----w C:\Documents and Settings\Pat\Application Data\yoclient
2008-05-15 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 20:54 --------- d-----w C:\Program Files\Symantec
2008-05-15 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-15 01:48 --------- d-----w C:\Program Files\World of Warcraft
2008-05-14 01:52 --------- d-----w C:\Program Files\Yahoo!
2008-05-14 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-13 23:18 --------- d-----w C:\Program Files\Google
2008-05-08 19:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-07 17:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 20:59 --------- d-----w C:\Documents and Settings\Pat\Application Data\OpenOffice.org2
2008-05-04 14:31 --------- d-----w C:\Program Files\Microsoft Works
2008-04-21 20:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 04:27 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 04:14 --------- d-----w C:\Program Files\iTunes
2008-04-20 04:12 --------- d-----w C:\Program Files\QuickTime
2008-04-20 04:06 --------- d-----w C:\Program Files\Safari
2008-04-05 17:05 --------- d-----w C:\Documents and Settings\Pat\Application Data\Apple Computer
2008-03-30 15:20 --------- d-----w C:\Program Files\QuickTax 2007
2008-03-27 02:44 --------- d-----w C:\Program Files\Video Card Stability Test
2008-03-27 02:44 --------- d-----w C:\Documents and Settings\Pat\Application Data\FreeStone Group
2008-03-25 03:27 --------- d-----w C:\Program Files\Java
2008-03-20 07:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-19 01:44 --------- d-----w C:\Program Files\Windows Live
2008-03-19 01:42 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-19 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-07 13:17 132,552 ----a-w C:\Documents and Settings\Pat\Application Data\GDIPFONTCACHEV1.DAT
2007-06-04 16:53 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-08-27 18:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D24687-C632-42ED-B8E7-39984F945355}]
2008-05-13 20:17 373760 --a------ C:\WINDOWS\system32\rqRKDvsS.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 14:27 2048000]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2007-09-26 15:14 4484816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-20 15:05 774144]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 16:36 764776]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 03:11 771704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 11:10:30 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Pat.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 13:27:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-17 13:32:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 17:31:56
ComboFix2.txt 2008-05-16 03:18:25
ComboFix3.txt 2008-05-14 00:04:56
ComboFix4.txt 2008-05-13 21:06:44

Pre-Run: 68,402,262,016 bytes free
Post-Run: 68,359,671,808 bytes free

197 --- E O F --- 2008-05-16 02:43:14

highjackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:35 PM, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Pat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mdg.ca/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: {8c1eae6c-78fe-8309-f6d4-a7567ad2aa64} - {46aa2da7-657a-4d6f-9038-ef87c6eae1c8} - C:\WINDOWS\system32\nfudrqdq.dll
O2 - BHO: (no name) - {5987087D-7393-40D6-8778-A3A69D6B7965} - C:\WINDOWS\system32\rqRKDvsS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\umokeqrc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - http://www.albatross...2/cabs/A18X.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9055 bytes
  • 0

#12
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello suddsy,

STEP 1
Please reopen HijackThis and click on Do a system scan only.And put a check next to the following entries.

O2 - BHO: {8c1eae6c-78fe-8309-f6d4-a7567ad2aa64} - {46aa2da7-657a-4d6f-9038-ef87c6eae1c8} - C:\WINDOWS\system32\nfudrqdq.dll
O2 - BHO: (no name) - {5987087D-7393-40D6-8778-A3A69D6B7965} - C:\WINDOWS\system32\rqRKDvsS.dll
O4 - HKLM\..\Run: [BM833ddd63] Rundll32.exe "C:\WINDOWS\system32\umokeqrc.dll",s

Once you have the checks in those entries please make sure all open windows are closed(keep HijackThis open) and click fix checked on HijackThis.

STEP 2
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the quotebox below into the Notepad window:

File::
C:\WINDOWS\system32\cwguhqhw.ini
C:\WINDOWS\system32\oslxarar.ini
C:\WINDOWS\system32\dnahtrmx.ini
C:\WINDOWS\BM833ddd63.xml
C:\WINDOWS\system32\nfudrqdq.dll
C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\umokeqrc.dll
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2D24687-C632-42ED-B8E7-39984F945355}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#13
suddsy

suddsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
combofix.txt

ComboFix 08-05-15.3 - Pat 2008-05-18 17:00:08.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.664 [GMT -4:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pat\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM833ddd63.xml
C:\WINDOWS\system32\apkvfngj.dll
C:\WINDOWS\system32\apmbpkwr.dll
C:\WINDOWS\system32\cwguhqhw.ini
C:\WINDOWS\system32\dnahtrmx.ini
C:\WINDOWS\system32\nfudrqdq.dll
C:\WINDOWS\system32\oslxarar.ini
C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\umokeqrc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM833ddd63.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apkvfngj.dll
C:\WINDOWS\system32\apmbpkwr.dll
C:\WINDOWS\system32\cwguhqhw.ini
C:\WINDOWS\system32\dnahtrmx.ini
C:\WINDOWS\system32\jgnfvkpa.ini
C:\WINDOWS\system32\lnnybkml.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nfudrqdq.dll
C:\WINDOWS\system32\oslxarar.ini
C:\WINDOWS\system32\rqRKDvsS.dll
C:\WINDOWS\system32\SsvDKRqr.ini
C:\WINDOWS\system32\SsvDKRqr.ini2
C:\WINDOWS\system32\umokeqrc.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 15:06 . 2008-05-18 15:06 118,784 --a------ C:\WINDOWS\system32\nrruniij.dll
2008-05-17 17:47 . 2008-05-17 17:47 <DIR> d-------- C:\WINDOWS\MVUNINST
2008-05-17 17:47 . 2008-05-17 17:47 <DIR> d-------- C:\Program Files\Memorex exPressit Label Design Studio
2008-05-17 17:47 . 2008-05-17 17:47 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-05-17 17:47 . 2008-05-17 17:47 <DIR> d-------- C:\GLF113.tmp
2008-05-17 10:59 . 2008-05-17 10:59 77,062,018 --a------ C:\registrybackup2.reg
2008-05-16 20:03 . 2008-05-16 20:04 76,892,498 --a------ C:\registrybackup.reg
2008-05-16 11:21 . 2008-05-16 11:21 <DIR> d-------- C:\Deckard
2008-05-16 10:58 . 2008-05-16 10:58 <DIR> d-------- C:\_OTMoveIt
2008-05-15 16:54 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-15 16:54 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-15 16:54 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-13 23:01 . 2008-05-13 23:01 268 --ah----- C:\sqmdata18.sqm
2008-05-13 23:01 . 2008-05-13 23:01 244 --ah----- C:\sqmnoopt18.sqm
2008-05-13 22:08 . 2008-05-13 22:08 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\Yahoo!
2008-05-13 21:54 . 2008-05-13 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-13 21:54 . 2008-05-13 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-13 21:54 . 2008-05-13 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-13 21:54 . 2008-05-13 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-13 21:52 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-05-13 21:52 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-05-13 21:46 . 2008-05-13 21:46 268 --ah----- C:\sqmdata17.sqm
2008-05-13 21:46 . 2008-05-13 21:46 244 --ah----- C:\sqmnoopt17.sqm
2008-05-13 21:38 . 2008-05-13 21:38 268 --ah----- C:\sqmdata16.sqm
2008-05-13 21:38 . 2008-05-13 21:38 244 --ah----- C:\sqmnoopt16.sqm
2008-05-13 21:25 . 2008-05-13 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-13 21:25 . 2008-05-13 21:25 268 --ah----- C:\sqmdata15.sqm
2008-05-13 21:25 . 2008-05-13 21:25 244 --ah----- C:\sqmnoopt15.sqm
2008-05-13 20:23 . 2008-05-13 20:23 268 --ah----- C:\sqmdata14.sqm
2008-05-13 20:23 . 2008-05-13 20:23 244 --ah----- C:\sqmnoopt14.sqm
2008-05-13 19:55 . 2008-05-13 19:55 268 --ah----- C:\sqmdata13.sqm
2008-05-13 19:55 . 2008-05-13 19:55 244 --ah----- C:\sqmnoopt13.sqm
2008-05-13 19:07 . 2008-05-13 19:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 17:29 . 2008-05-13 17:29 268 --ah----- C:\sqmdata12.sqm
2008-05-13 17:29 . 2008-05-13 17:29 244 --ah----- C:\sqmnoopt12.sqm
2008-05-13 11:43 . 2008-05-13 11:43 <DIR> d-------- C:\VundoFix Backups
2008-05-07 13:13 . 2008-05-07 13:13 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-07 13:12 . 2008-05-07 13:12 <DIR> d-------- C:\Program Files\WinASPI
2008-05-07 13:12 . 2008-05-12 23:30 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-07 13:12 . 2005-01-20 03:23 32,256 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-05-07 13:12 . 2006-04-30 02:32 11,776 --a------ C:\WINDOWS\system32\LinkDLL.dll
2008-05-07 13:11 . 2008-05-07 13:14 <DIR> d-------- C:\Program Files\DVD2Pod
2008-05-07 13:11 . 2008-05-07 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-03 13:26 . 2008-05-03 13:26 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-05-03 13:25 . 2008-05-03 13:25 <DIR> d-------- C:\Program Files\iolo
2008-05-03 13:25 . 2008-05-03 13:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 13:25 . 2008-05-06 16:36 428,904 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-05-03 13:25 . 2008-03-24 08:53 34,304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 13:25 . 2008-03-24 08:53 22,528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 13:24 . 2008-05-03 13:24 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 13:23 . 2008-05-04 13:03 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-03 13:23 . 2008-05-03 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-04-21 16:22 . 2008-04-21 16:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-21 16:22 . 2008-04-21 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 00:14 . 2008-04-20 00:14 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 17:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 01:06 --------- d-----w C:\Documents and Settings\Pat\Application Data\yoclient
2008-05-15 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 20:54 --------- d-----w C:\Program Files\Symantec
2008-05-15 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-15 01:48 --------- d-----w C:\Program Files\World of Warcraft
2008-05-14 01:52 --------- d-----w C:\Program Files\Yahoo!
2008-05-14 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-13 23:18 --------- d-----w C:\Program Files\Google
2008-05-08 19:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-07 17:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 20:59 --------- d-----w C:\Documents and Settings\Pat\Application Data\OpenOffice.org2
2008-05-04 14:31 --------- d-----w C:\Program Files\Microsoft Works
2008-04-21 20:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 04:27 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 04:14 --------- d-----w C:\Program Files\iTunes
2008-04-20 04:12 --------- d-----w C:\Program Files\QuickTime
2008-04-20 04:06 --------- d-----w C:\Program Files\Safari
2008-04-05 17:05 --------- d-----w C:\Documents and Settings\Pat\Application Data\Apple Computer
2008-03-30 15:20 --------- d-----w C:\Program Files\QuickTax 2007
2008-03-27 02:44 --------- d-----w C:\Program Files\Video Card Stability Test
2008-03-27 02:44 --------- d-----w C:\Documents and Settings\Pat\Application Data\FreeStone Group
2008-03-25 03:27 --------- d-----w C:\Program Files\Java
2008-03-20 07:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-19 01:44 --------- d-----w C:\Program Files\Windows Live
2008-03-19 01:42 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-19 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-07 13:17 132,552 ----a-w C:\Documents and Settings\Pat\Application Data\GDIPFONTCACHEV1.DAT
2007-06-04 16:53 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2003-08-27 18:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( [email protected]_13.31.39.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 17:26:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 21:04:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-12-28 14:26:38 106,496 ----a-w C:\WINDOWS\MVUNINST\App1\MVUN1.DLL
+ 2006-01-06 16:12:04 110,208 ----a-w C:\WINDOWS\MVUNINST\App1\mvuninst.exe
+ 2003-05-08 17:07:36 149,504 ----a-w C:\WINDOWS\MVUNINST\App1\unwise.exe
+ 2008-05-17 18:22:55 1,519 ----a-w C:\WINDOWS\system32\config\SM Registry Backup\05-17-2008 14.22.19\restore.bat
- 2008-04-09 07:10:02 378,448 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-17 23:05:59 420,632 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 14:27 2048000]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2007-09-26 15:14 4484816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-20 15:05 774144]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 16:36 764776]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 03:11 771704]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 21:26:55 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Pat.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 17:05:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-05-18 17:10:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 21:10:11
ComboFix2.txt 2008-05-17 17:32:02
ComboFix3.txt 2008-05-16 03:18:25
ComboFix4.txt 2008-05-14 00:04:56
ComboFix5.txt 2008-05-13 21:06:44

Pre-Run: 68,165,677,056 bytes free
Post-Run: 68,212,830,208 bytes free

228 --- E O F --- 2008-05-16 02:43

hijackit.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:58 PM, on 18/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Pat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mdg.ca/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - http://www.albatross...2/cabs/A18X.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.c...driveragent.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8615 bytes
  • 0

#14
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
sorry wrong post.

Edited by Jimmy2012, 18 May 2008 - 11:23 PM.

  • 0

#15
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello suddsy,

STEP 1
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\nrruniij.dll



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt

STEP 2
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

STEP 3
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~
In your next reply please have these logs.(you may need to use more then one reply for all of the logs to fit)
The ComboFix log
The MalwareBytes log
The Kaspersky log
A new HijackThis log
And please tell me if you are still having any errors or other problems with your computer
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP