Warning spyware threat has been detected on your pc [RESOLVED]

#1 mdcbk (Member, 18 posts)
This warning: "Warning spyware threat has been detected on your pc" is pasted on my desktop. I can't access any internet sites such as Geeks to Go, Task Manager is disabled, and I get constant warnings that my computer is infected. This happened to my kids' PC a few weeks ago, and I was able to fix it by downloading Combofix, etc. onto my computer and transferring via a flash drive. Now this mess is on my computer. I was able to open and run AVG and Spybot, and CWShredder, although I can't update them. They found downloader.agent.kwg and dropper.small.j, among others. But it's all still there. I can't open Combofix or any of the other programs suggested. I click on the icon or choose them from Program Files, and nothing happens. I can't download anything from the internet. Here's my HijackThis log, saved on a flash drive.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22, on 2008-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\xwusuhzh.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194061436484
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194063366734
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.budd...llInstaller.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Convar task manager (ctm) - Convar Deutschland GmbH - C:\Program Files\Convar\TaskManager\ctm.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\ALLPOW~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11187 bytes
#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then un-check Word Wrap. (Word Wrap makes reading your log difficult.)

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, seeing as you cannot use Combofix, let's see if we can start cleaning this machine manually.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.budd...llInstaller.cab
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\ALLPOW~1\LOCALS~1\Temp\hpdj.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe

After that, Reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's have a deeper look into your computer. Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of DSS main.txt
  • The contents of DSS extra.txt

By the way, please avoid using the flash drive as it may be what is spreading this infection. If you can burn things to a CD this would be preferable for now.

Regards,
RatHat
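The entries RatHat picked out of the log above follow a few mechanical rules: a second program appended to the Winlogon Userinit value (it runs at every interactive logon, which is why the infection survives reboots and cleaning tools), BHO CLSIDs registered with no backing file, an autorun that launches from Application Data or a Temp folder, a service whose binary is missing, and ActiveX downloads (O16) from anywhere other than Microsoft. The script below is an added example, not part of this thread or of HijackThis, that applies those rules to HijackThis log lines. The sample log is constructed from lines copied from the first log in the thread; the list of suspicious directories and the "Microsoft-only DPF" heuristic are this example's own assumptions, not HijackThis rules, so treat the output as a shortlist to review rather than a verdict.

```python
"""Triage a HijackThis v2 log the way the fix list above was built.

Added example, not part of the thread or of HijackThis itself. The rules
(which directories are suspicious, which ActiveX sources are trusted) are
this example's assumptions.
"""
import re

# Autoruns launched from these locations are almost never legitimate (assumption).
SUSPICIOUS_DIRS = re.compile(
    r"(application data|local settings\\temp|locals~1\\temp|\\temp\\)", re.I)
# Winlogon's Userinit value should name only the system userinit.exe; anything
# appended after the comma is executed at every interactive logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# O16 (DPF) ActiveX downloads from anywhere but Microsoft get a manual look (assumption).
TRUSTED_DPF = re.compile(r"(microsoft|windowsupdate)", re.I)
# One HijackThis entry: section code, " - ", then the body.
ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Constructed sample: a handful of lines copied from the first log in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\ALLPOW~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


def parse_line(line):
    """Split one HijackThis entry into (section, body); None for other lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return [(reason, entry_line)] for every entry the rules say to fix or review."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        entry = raw.strip()
        if section == "F2" and "UserInit=" in body:
            # Userinit is a comma-separated list; every program after userinit.exe is foreign.
            value = body.split("UserInit=", 1)[1]
            programs = [p.strip().lower() for p in value.split(",") if p.strip()]
            extra = [p for p in programs if p != EXPECTED_USERINIT]
            if extra:
                findings.append(("Userinit runs extra program(s): " + ", ".join(extra), entry))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO registration (no file)", entry))
        elif section == "O4" and SUSPICIOUS_DIRS.search(body):
            findings.append(("autorun from a profile or Temp directory", entry))
        elif section == "O16" and not TRUSTED_DPF.search(body):
            findings.append(("third-party ActiveX download (review)", entry))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(("service whose binary is missing", entry))
    return findings


def fix_list(log_text):
    """The lines to tick in HijackThis: everything flagged except 'review' items."""
    return [entry for reason, entry in triage(log_text) if not reason.endswith("(review)")]


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Run it against a full log saved from HijackThis (read the file and pass its contents to `triage`) and compare the result with the fix list above: the Userinit entry, every "(no file)" BHO, the dtsc\31452.exe autorun and the hpdj service are flagged outright, while the two O16 downloads come out as "review" because the script cannot tell a WildTangent installer from a legitimate vendor control on its own.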

#3 mdcbk (Topic Starter, Member, 18 posts)
Thanks for your help RatHat!

Here are the Deckard scans:

Deckard's System Scanner v20071014.68
Run by ALL POWERFUL MOM on 2008-05-22 16:13:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
27: 2008-05-22 21:13:57 UTC - RP532 - Deckard's System Scanner Restore Point
26: 2008-05-22 21:05:23 UTC - RP531 - Removed Microsoft AntiSpyware
25: 2008-05-21 03:22:28 UTC - RP530 - Removed Ad-Aware 2007
24: 2008-05-21 01:54:36 UTC - RP529 - System Checkpoint
23: 2008-05-20 01:08:08 UTC - RP528 - Ad-Aware Restore Point 2008-05-19 20:08:01


-- First Restore Point --
1: 2008-04-27 21:32:49 UTC - RP506 - Printer Driver Amyuni Document Converter 2.51 Installed


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ALL POWERFUL MOM.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:16, on 2008-05-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
H:\dss.exe
C:\PROGRA~1\ALL POWERFUL MOM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194061436484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194063366734
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Convar task manager (ctm) - Unknown owner - C:\Program Files\Convar\TaskManager\ctm.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8511 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\backups\) -----------------------------

backup-20080522-155003-937 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
backup-20080522-155003-716 O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
backup-20080522-155003-112 O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
backup-20080522-155003-926 O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
backup-20080522-155003-748 O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
backup-20080522-155003-956 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
backup-20080522-155003-155 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
backup-20080522-155003-824 O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
backup-20080522-155003-817 O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
backup-20080522-155003-571 O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
backup-20080522-155003-308 O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
backup-20080522-155003-832 O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
backup-20080522-155003-199 O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
backup-20080522-155003-441 O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
backup-20080522-155003-360 O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
backup-20080522-155003-695 O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
backup-20080522-155003-424 O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
backup-20080522-155003-503 O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
backup-20080522-155003-938 O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
backup-20080522-155003-710 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
backup-20080522-155003-660 O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
backup-20080522-155003-543 O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
backup-20080522-155003-895 O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
backup-20080522-155003-838 O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
backup-20080522-155003-214 O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
backup-20080522-155003-634 O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
backup-20080522-155003-107 O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe
backup-20080522-155003-220 O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildt...lim/install.cab
backup-20080522-155006-246 O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.budd...llInstaller.cab
backup-20080522-155010-389 O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\ALLPOW~1\LOCALS~1\Temp\hpdj.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ipinipp - c:\windows\system32\drivers\ipinipp.sys
R2 V7 - c:\windows\system32\drivers\v7.sys <Not Verified; IBM Corporation; IBM V7 Driver for Windows NT/2000>

S3 OASIS - c:\windows\system32\drivers\oasisusb.sys <Not Verified; Creative Technology Ltd; NOMAD JukeBox USB Driver>
S3 TnIDriver - c:\docume~1\allpow~1\locals~1\temp\tni79.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ctm (Convar task manager) - c:\program files\convar\taskmanager\ctm.exe (file missing)
S4 hpdj - c:\docume~1\allpow~1\locals~1\temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 3600 series -product= (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-11 18:43:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2003-10-27 16:02:20 258 --a------ C:\WINDOWS\Tasks\Registration reminder 1.job


-- Files created between 2008-04-22 and 2008-05-22 -----------------------------

2008-05-22 15:50:03 0 d-------- C:\Program Files\backups
2008-05-19 22:18:49 16640 --a------ C:\WINDOWS\mssys.exe
2008-05-19 19:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-19 19:15:40 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-19 19:15:40 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-19 19:14:56 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-19 19:14:56 14368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-19 19:14:56 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-19 19:07:21 20480 --a------ C:\WINDOWS\sistem.exe
2008-05-19 19:07:20 27904 --a------ C:\WINDOWS\notepad32.exe
2008-05-19 19:07:20 19712 --a------ C:\WINDOWS\mtwirl32.dll
2008-05-19 19:07:19 24064 --a------ C:\WINDOWS\iexplorer.exe
2008-05-19 19:07:19 30464 --a------ C:\WINDOWS\explore.exe
2008-05-19 19:07:18 29440 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-19 19:07:18 15104 --a------ C:\WINDOWS\avpcc.dll
2008-05-18 19:14:27 0 d-------- C:\Program Files\uTorrent
2008-05-18 17:52:59 0 dr-h----- C:\Documents and Settings\ALL POWERFUL MOM\Recent
2008-05-18 17:38:43 0 d-------- C:\kav
2008-05-18 14:50:03 19968 --a------ C:\WINDOWS\y.exe
2008-05-18 14:50:02 17152 --a------ C:\WINDOWS\xplugin.dll
2008-05-18 14:50:02 27904 --a------ C:\WINDOWS\x.exe
2008-05-18 14:50:01 8704 --a------ C:\WINDOWS\winmgnt.exe
2008-05-18 14:50:01 14080 --a------ C:\WINDOWS\window.exe
2008-05-18 14:50:01 14848 --a------ C:\WINDOWS\winajbm.dll
2008-05-18 14:50:01 21760 --a------ C:\WINDOWS\win64.exe
2008-05-18 14:50:00 25600 --a------ C:\WINDOWS\win32e.exe
2008-05-18 14:50:00 19456 --a------ C:\WINDOWS\waol.exe
2008-05-18 14:49:59 13312 --a------ C:\WINDOWS\users32.exe
2008-05-18 14:49:59 27904 --a------ C:\WINDOWS\time.exe
2008-05-18 14:49:58 20224 --a------ C:\WINDOWS\systemcritical.exe
2008-05-18 14:49:57 31744 --a------ C:\WINDOWS\systeem.exe
2008-05-18 14:49:55 28416 --a------ C:\WINDOWS\svcinit.exe
2008-05-18 14:49:54 31232 --a------ C:\WINDOWS\svchost32.exe
2008-05-18 14:49:51 22528 --a------ C:\WINDOWS\searchword.dll
2008-05-18 14:49:50 29696 --a------ C:\WINDOWS\rundll16.exe
2008-05-18 14:49:49 23552 --a------ C:\WINDOWS\quicken.exe
2008-05-18 14:49:48 29440 --a------ C:\WINDOWS\qttasks.exe
2008-05-18 14:49:48 23552 --a------ C:\WINDOWS\olehelp.exe
2008-05-18 14:49:45 25088 --a------ C:\WINDOWS\mswsc20.dll
2008-05-18 14:49:45 12800 --a------ C:\WINDOWS\mswsc10.dll
2008-05-18 14:49:45 18176 --a------ C:\WINDOWS\msupdate.exe
2008-05-18 14:49:44 31744 --a------ C:\WINDOWS\msspi.dll
2008-05-18 14:49:43 28672 --a------ C:\WINDOWS\msconfd.dll
2008-05-18 14:49:43 29184 --a------ C:\WINDOWS\loader.exe
2008-05-18 14:49:42 12032 --a------ C:\WINDOWS\internet.exe
2008-05-18 14:49:42 11520 --a------ C:\WINDOWS\inetinf.exe
2008-05-18 14:49:41 19712 --a------ C:\WINDOWS\iedll.exe
2008-05-18 14:49:41 17664 --a------ C:\WINDOWS\helpcvs.exe
2008-05-18 14:49:41 28672 --a------ C:\WINDOWS\gfmnaaa.dll
2008-05-18 14:49:40 24832 --a------ C:\WINDOWS\funny.exe
2008-05-18 14:49:40 10752 --a------ C:\WINDOWS\funniest.exe
2008-05-18 14:49:40 30976 --a------ C:\WINDOWS\explorer32.exe
2008-05-18 14:49:39 29696 --a------ C:\WINDOWS\editpad.exe
2008-05-18 14:49:38 10496 --a------ C:\WINDOWS\dnsrelay.dll
2008-05-18 14:49:38 31744 --a------ C:\WINDOWS\directx32.exe
2008-05-18 14:49:36 17664 --a------ C:\WINDOWS\ctfmon32.exe
2008-05-18 14:49:36 19968 --a------ C:\WINDOWS\cpan.dll
2008-05-18 14:49:36 25344 --a------ C:\WINDOWS\clrssn.exe
2008-05-18 14:49:35 32000 --a------ C:\WINDOWS\accesss.exe
2008-05-18 13:37:03 0 d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent
2008-05-18 13:32:09 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-18 13:31:30 37376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-05-18 13:31:03 37376 --a------ C:\WINDOWS\mrofinu72.exe
2008-05-18 13:30:58 401968 --a------ C:\WINDOWS\system32\g77.exe
2008-05-18 13:30:51 49155 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-05-18 13:30:47 86144 --a------ C:\WINDOWS\system32\drivers\ipinipp.sys
2008-05-18 13:30:47 0 d-------- C:\Program Files\winvi
2008-05-18 13:30:44 0 d-------- C:\WINDOWS\system32\polX
2008-05-18 13:30:43 0 d-------- C:\WINDOWS\system32\GUI2
2008-05-18 13:30:43 0 d-------- C:\WINDOWS\system32\binR
2008-05-18 13:30:37 0 d-------- C:\WINDOWS\system32\3036a
2008-05-18 13:30:23 0 d-------- C:\WINDOWS\system32\logXv06
2008-05-18 13:30:03 0 d-------- C:\Program Files\QdrModule
2008-05-18 13:29:35 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 13:29:16 87513 --a------ C:\WINDOWS\system32\xwusuhzh.exe <Not Verified; Microsoft; XML Media>
2008-05-17 00:29:20 226698 --a------ C:\WINDOWS\system32\000060.exe
2008-05-09 13:10:08 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-09 12:10:10 229514 --a------ C:\WINDOWS\system32\000090.exe
2008-05-07 20:53:37 68096 --a------ C:\WINDOWS\zip.exe
2008-05-07 20:53:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-07 20:53:37 80412 --a------ C:\WINDOWS\grep.exe
2008-05-07 20:53:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-07 20:53:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-07 20:53:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-07 20:53:36 98816 --a------ C:\WINDOWS\sed.exe
2008-05-07 20:53:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 19:03:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-07 19:02:57 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 12:52:24 0 d-------- C:\WINDOWS\Cache
2008-04-25 12:52:21 0 d-------- C:\Program Files\Coupons


-- Find3M Report ---------------------------------------------------------------

2008-05-22 16:16:24 8512 --a------ C:\Program Files\hijackthis.log
2008-05-22 16:10:16 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-18 19:10:00 2180 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-15 10:25:02 0 d-------- C:\Program Files\ToniArts
2008-04-10 15:01:02 0 d-------- C:\Program Files\Seagate
2008-04-10 14:54:54 0 d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Ceedo
2008-03-27 17:21:14 0 d-------- C:\Program Files\Logitech
2008-03-27 17:14:08 0 d-------- C:\Program Files\Common Files\logishrd


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-21 05:40]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-09-10 19:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"NvCplDaemon"="NvQTwk" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"iTunesHelper"="D:\Program files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 19:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-08 12:51:48]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2002-06-05 21:54:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ELSBLaunch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ELSBLaunch.lnk
backup=C:\WINDOWS\pss\ELSBLaunch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\rcntskdm.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iinl]
"C:\DOCUME~1\ALLPOW~1\MYDOCU~1\SEMBLY~1\dllhost.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
"C:\Program Files\QdrModule\QdrModule16.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]
"C:\Program Files\winvi\wupda.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]
"C:\Program Files\winvi\update.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2B-B0-04-46-DW}]
c:\windows\system32\rwwnw64d.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ccf21da4-7122-5523-dd9d-97191a6924a8}]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{0f456cef-2b4e-05b1-6c18-a74c1571037b}.dll" DllInit

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-05-22 16:22:14 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.50GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 255.53 MiB / 79.46 MiB
Pagefile Memory (total/avail): 617.35 MiB / 263.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.29 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 15.6 GiB total, 4.08 GiB free.
D: is Fixed (NTFS) - 58.9 GiB total, 51.09 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (No Media)
H: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD800BB-00CAA1 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 15.63 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 58.9 GiB - D:

\\.\PHYSICALDRIVE1 - USB Flash Memory USB Device - 980.53 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 982.98 MiB - H:

\\.\PHYSICALDRIVE2 - HP PSC 2355 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SUPPORT.COM\\CLIENT\\bin\\tgcmd.exe"="C:\\Program Files\\SUPPORT.COM\\CLIENT\\bin\\tgcmd.exe:*:Disabled:tgcmd Module"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"D:\\Program files\\iTunes\\iTunes.exe"="D:\\Program files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ALL POWERFUL MOM\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ALL POWERFUL MOM
LOGONSERVER=\\MO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ALLPOW~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ALLPOW~1\LOCALS~1\Temp
USERDOMAIN=MO
USERNAME=ALL POWERFUL MOM
USERPROFILE=C:\Documents and Settings\ALL POWERFUL MOM
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ALL POWERFUL MOM (admin)
Administrator (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\Setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\Setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21313051-BEA2-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CAF07A2-BEA4-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7052066D-7016-11D5-B89E-00B0D0D26B88}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B960F4A0-BEEF-4170-86CD-57CABE6237E6}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D54AAC0A-BE99-11D4-8FA4-00B0D02D2438}\setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ArcSoft Camera Suite --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Camera Suite\Uninst.isu"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Canon FV40, ZR70 MC WIA Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{31A6128F-F211-44EC-AE67-3B06FC4721BE}
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A3E0FF15-90D5-40CD-8565-B80A433B0D4C}
Canon Utilities PhotoStitch 3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoStitch\Uninst.isu"
Canon Utilities RAW Image Converter --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RAW Image Converter\Uninst.isu"
Canon Utilities RemoteCapture 2.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RemoteCapture\Uninst.isu"
Canon Utilities ZoomBrowser EX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ZoomBrowser EX\Uninst.isu" -c"C:\Program Files\Canon\ZoomBrowser EX\Program\uninstallutilities.dll"
Citrix Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove/remove
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
DesignPro 5.0 Media Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BC8032F1-0D5E-43C6-B14A-77AC8F9690B5}
DiMAGE Viewer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{976EA7B1-7562-483D-88DA-4323D263B7CD}\Setup.exe" -l0x9 anything
DVDExpress --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu" -c"C:\Program Files\Mediamatics\DVDExpress\mydll.dll"
DVgate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{29F61465-428A-11D4-B646-00C04F790F76}\setup.exe"
EarthLink spamBlocker Add-On --> MsiExec.exe /I{45EF1D41-FAC7-4204-A0B1-D9F05E0C7DB6}
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
FreeAgent Go Tools --> C:\Program Files\InstallShield Installation Information\{ECD43B7A-CB3B-4AF8-91F6-C460A575E411}\setup.exe -runfromtemp -l0x0409
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar5.dll"
HijackThis 2.0.2 --> "C:\Program Files\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Image Zone 4.2 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KONICA_MINOLTA DiMAGE remote camera driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99E67091-D392-4031-AD2A-E9547F3615F8}\setup.exe" -l0x9
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
Logitech QuickCam --> MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Media Bar 3.2.11 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FAF5A9F-7EDE-4F1A-B082-C95A9F420630}\SETUP.EXE"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Home Publishing 2000 --> MsiExec.exe /I{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Motion JPEG Software Decoder --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sony\Motion JPEG Software Decoder\Uninst.isu"
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Move Networks\ie_bin\unins000.exe"
MovieShaker 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4A49B00-02F8-11D5-B64D-00C04F790F76}\setup.exe"
Music Visualizer Library 1.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\Setup.exe"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvsy.inf
OpenMG Secure Module --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A228A09C-4826-42E0-A3D8-95B2BAAB5049}\setup.exe" UNINSTALL
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
PC Inspector File Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9
PC Inspector task manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A14B81F-005A-4C32-A968-45165CAB4891}\Setup.exe" -l0x9
PicoPlayer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8139011A-4039-46C7-8614-A3F8948121AD}\setup.exe"
PrintMaster Gold 3.00 --> c:\pmw\msrun.exe
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RealProducer Basic 8.5 --> C:\Program Files\Real\RealProducer\rnuninst.exe RealNetworks|RealProducer|8.5
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
SonicStage --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E535DC62-56D6-11D5-8AE3-00105A7276CD}\setup.exe" UNINSTALL
SonicStage CD-R Writing Module --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3CB4DC0-4FC0-11D5-9254-0000F460E7A9}\Setup.exe"
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony DV Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
Spybot - Search & Destroy 1.2 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Support Actions Win2K,WinXP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48BE827A-2D06-4804-90C3-4F2F8460F9D4}\setup.exe"
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
V CAST Music Manager --> C:\PROGRA~1\VERIZO~1\VCASTM~1\Setup.exe /remove /q0
VAIO Action Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C67D8C0-F0EC-11D3-99D3-00C04FCCB775}\setup.exe"
VAIO Grid Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21CF3E6E-1659-433E-B6CE-165D793560DA}\setup.exe"
VAIO Help & Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6060E6A1-5342-4D2B-8F66-B6D6E20BBD03}\setup.exe"
VAIO Registration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6DF804A8-2CC2-4D22-A958-4534F6EC3C76}\setup.exe"
VAIO Support --> "c:\program files\support.com\client\bin\tgfix.exe" /rm /nq
VAIOWorld --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{601B53EE-509D-4649-9173-14A864F1E807}\setup.exe"
VisualFlow 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5B0ABC0-3177-11D3-AC45-0000F879D920}\setup.exe" /Uninstall
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type18190 / Warning
Event Submitted/Written: 05/22/2008 04:03:27 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{3BBB8098-03C8-48DC-AA83-9B2159E12E0D}'

Event Record #/Type18189 / Warning
Event Submitted/Written: 05/22/2008 04:03:27 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type18188 / Warning
Event Submitted/Written: 05/22/2008 04:03:27 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{3BBB8098-03C8-48DC-AA83-9B2159E12E0D}'

Event Record #/Type18187 / Warning
Event Submitted/Written: 05/22/2008 04:03:27 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type18186 / Warning
Event Submitted/Written: 05/22/2008 04:03:22 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type78475 / Error
Event Submitted/Written: 05/22/2008 04:05:51 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type78472 / Error
Event Submitted/Written: 05/22/2008 04:05:51 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type78469 / Error
Event Submitted/Written: 05/22/2008 04:05:51 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type78466 / Error
Event Submitted/Written: 05/22/2008 04:05:51 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type78463 / Error
Event Submitted/Written: 05/22/2008 04:05:51 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-05-22 16:22:14 ------------
  • 0

#4
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please uninstall the following program if found:

uTorrent

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I would like you to back up your registry:
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next I need you to run a small registry script to clean up some entries. Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C, and starting from REGEDIT4

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=-
"DisableTaskMgr"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iinl]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{2B-B0-04-46-DW}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ccf21da4-7122-5523-dd9d-97191a6924a8}]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\mssys.exe
C:\WINDOWS\sistem.exe
C:\WINDOWS\notepad32.exe
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\y.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\x.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\window.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\win64.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\time.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\msupdate.exe
C:\WINDOWS\msspi.dll
C:\WINDOWS\msconfd.dll
C:\WINDOWS\loader.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\funny.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\editpad.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\accesss.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\g77.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\000060.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\WINDOWS\system32\000090.exe
C:\Program Files\winvi



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply, along with a fresh DSS log. (Note that DSS will only produce the log main.txt this time)

Regards,
RatHat.
  • 0
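Before merging a script like the one above, it is worth knowing exactly what it will do to the registry. The parser below is an added example (not code from this thread, nor from ERUNT, OTMoveIt or any other tool RatHat mentions): it reads the Regedit format the FixReg.reg script uses, where a `[-KEY]` header deletes a whole key, `"Name"=-` deletes one value and `"Name"=data` sets a value, and returns a plan listing each class of change. The `restored_policies` helper is an assumption of this example; it flags deletions of the `DisableTaskMgr` and `DisableRegistryTools` policy values, which are the lockdown settings the script lifts. The embedded sample is a constructed excerpt of the script posted above.

```python
"""Summarise what a REGEDIT4 / "Windows Registry Editor Version 5.00" script
will do before it is merged.  Added example, not code from the thread."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the FixReg.reg script posted in this thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=-
"DisableTaskMgr"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')     # "Name"=data or @=data


@dataclass
class RegPlan:
    delete_keys: list = field(default_factory=list)    # whole keys removed
    delete_values: list = field(default_factory=list)  # (key, value name) removed
    set_values: list = field(default_factory=list)     # (key, value name, raw data) written


def parse_reg_script(text: str) -> RegPlan:
    """Parse a .reg script into the operations Regedit would perform on merge."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg script: missing REGEDIT4 / Version 5.00 header")
    plan = RegPlan()
    current_key = None
    i = 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1                                   # i is now the 1-based line number
        if not line or line.startswith(";"):     # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                plan.delete_keys.append(key)     # [-KEY] removes the key and its subtree
                current_key = None               # value lines after a deletion are meaningless
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"line {i}: unrecognised syntax: {line!r}")
        if current_key is None:
            raise ValueError(f"line {i}: value line outside a key section")
        name = "@" if m.group(1) == "@" else m.group(2)
        data = m.group(3).strip()
        # Long hex(...) values continue on following lines, each ending in a backslash.
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        if data == "-":
            plan.delete_values.append((current_key, name))   # "Name"=- deletes the value
        else:
            plan.set_values.append((current_key, name, data))
    return plan


# Policy values that lock the user out of Task Manager and Regedit (hypothetical helper).
POLICY_NAMES = {"disabletaskmgr", "disableregistrytools"}


def restored_policies(plan: RegPlan) -> list:
    """Value deletions in the plan that lift a Task Manager / registry-tools lockdown."""
    return [(key, name) for key, name in plan.delete_values if name.lower() in POLICY_NAMES]


if __name__ == "__main__":
    plan = parse_reg_script(SAMPLE_REG)
    for key in plan.delete_keys:
        print("DELETE KEY  ", key)
    for key, name in plan.delete_values:
        print("DELETE VALUE", key, "->", name)
    for key, name, data in plan.set_values:
        print("SET VALUE   ", key, "->", name, "=", data)
    print("lockdown policies lifted:", len(restored_policies(plan)))
```

Run it on the full script saved as FixReg.reg by passing the file's text to `parse_reg_script`; anything other than key deletions under `msconfig\startupreg` and the expected value removals would be a reason to stop and ask before merging.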

#5
mdcbk

    Member

  • Topic Starter
  • Member
  • 18 posts
I was able to download ERUNT and run the registry script. I copied OTMoveit2 onto a CD from another computer (still couldn't access many websites). Just like with Combofix, I couldn't open the program. On a whim, I decided to change one letter of the icon name on my desktop, and after that it opened up. I pasted and moved the files, although I don't think all of them moved. The log is below. After this I decided to see what would happen if I renamed the icon on mbam-setup (which I had downloaded at the beginning of this adventure). Guess what, Malwarebytes opened and ran also, identifying a number of trojans and adware. At this point I clicked on Combofix (without renaming it) and it ran this time. That log is also attached. Finally, I ran a DSS scan again, also attached.
I now have Task Manager back, my desktop is under my control, and I can access any site on the internet. My computer appears to be a whole lot cleaner; hopefully you can tell me if it's clean enough.
Is it possible that whatever infected my system really was smart enough to not let known cleaning programs run, yet dumb enough to be fooled by a name change? Thanks for your continued assistance in all this!

OTmoveit2 log:

C:\WINDOWS\mssys.exe moved successfully.
C:\WINDOWS\sistem.exe moved successfully.
C:\WINDOWS\notepad32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\mtwirl32.dll NOT unregistered.
C:\WINDOWS\mtwirl32.dll moved successfully.
C:\WINDOWS\iexplorer.exe moved successfully.
C:\WINDOWS\explore.exe moved successfully.
C:\WINDOWS\y.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\xplugin.dll
C:\WINDOWS\xplugin.dll NOT unregistered.
C:\WINDOWS\xplugin.dll moved successfully.
C:\WINDOWS\x.exe moved successfully.
C:\WINDOWS\winmgnt.exe moved successfully.
C:\WINDOWS\window.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\winajbm.dll
C:\WINDOWS\winajbm.dll NOT unregistered.
C:\WINDOWS\winajbm.dll moved successfully.
C:\WINDOWS\win64.exe moved successfully.
C:\WINDOWS\win32e.exe moved successfully.
C:\WINDOWS\waol.exe moved successfully.
C:\WINDOWS\users32.exe moved successfully.
C:\WINDOWS\time.exe moved successfully.
C:\WINDOWS\systemcritical.exe moved successfully.
C:\WINDOWS\systeem.exe moved successfully.
C:\WINDOWS\svcinit.exe moved successfully.
C:\WINDOWS\svchost32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\searchword.dll
C:\WINDOWS\searchword.dll NOT unregistered.
C:\WINDOWS\searchword.dll moved successfully.
C:\WINDOWS\rundll16.exe moved successfully.
C:\WINDOWS\quicken.exe moved successfully.
C:\WINDOWS\qttasks.exe moved successfully.
C:\WINDOWS\olehelp.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mswsc20.dll NOT unregistered.
C:\WINDOWS\mswsc20.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc10.dll NOT unregistered.
C:\WINDOWS\mswsc10.dll moved successfully.
C:\WINDOWS\msupdate.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\msspi.dll
C:\WINDOWS\msspi.dll NOT unregistered.
C:\WINDOWS\msspi.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\msconfd.dll
C:\WINDOWS\msconfd.dll NOT unregistered.
C:\WINDOWS\msconfd.dll moved successfully.
C:\WINDOWS\loader.exe moved successfully.
C:\WINDOWS\internet.exe moved successfully.
C:\WINDOWS\inetinf.exe moved successfully.
C:\WINDOWS\iedll.exe moved successfully.
C:\WINDOWS\helpcvs.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\gfmnaaa.dll NOT unregistered.
C:\WINDOWS\gfmnaaa.dll moved successfully.
C:\WINDOWS\funny.exe moved successfully.
C:\WINDOWS\funniest.exe moved successfully.
C:\WINDOWS\explorer32.exe moved successfully.
C:\WINDOWS\editpad.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\dnsrelay.dll NOT unregistered.
C:\WINDOWS\dnsrelay.dll moved successfully.
C:\WINDOWS\directx32.exe moved successfully.
C:\WINDOWS\ctfmon32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\cpan.dll
C:\WINDOWS\cpan.dll NOT unregistered.
C:\WINDOWS\cpan.dll moved successfully.
C:\WINDOWS\clrssn.exe moved successfully.
C:\WINDOWS\accesss.exe moved successfully.
C:\WINDOWS\system32\winpfz33.sys moved successfully.
C:\WINDOWS\mrofinu1000106.exe moved successfully.
C:\WINDOWS\mrofinu72.exe moved successfully.
C:\WINDOWS\system32\g77.exe moved successfully.
C:\WINDOWS\system32\rwwnw64d.exe moved successfully.
C:\WINDOWS\system32\000060.exe moved successfully.
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe moved successfully.
C:\WINDOWS\system32\000090.exe moved successfully.
C:\Program Files\winvi\dsktp moved successfully.
C:\Program Files\winvi moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05232008_191142

Malwarebytes log:
Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 132369
Time elapsed: 29 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\GUI2\FI-dt4x.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\polX\roEbdll2.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\05232008_191142\Program Files\winvi\wupda.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule16.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Outerinfo\Uninstall.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.



Deckard's System Scanner log:

Deckard's System Scanner v20071014.68
Run by ALL POWERFUL MOM on 2008-05-23 20:40:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ALL POWERFUL MOM.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:31 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ALL POWERFUL MOM\Desktop\dss.exe
C:\PROGRA~1\ALLPOW~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194061436484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194063366734
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Convar task manager (ctm) - Unknown owner - C:\Program Files\Convar\TaskManager\ctm.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8278 bytes

-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 20:04:26 4122 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 19:18:31 0 d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Malwarebytes
2008-05-23 19:18:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 19:18:16 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 19:16:25 0 d-------- C:\BomboFix
2008-05-22 15:50:03 0 d-------- C:\Program Files\backups
2008-05-19 19:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-19 19:15:40 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-19 19:15:40 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-19 19:14:56 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-19 19:14:56 20512 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-19 19:14:56 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-19 19:07:18 29440 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-19 19:07:18 15104 --a------ C:\WINDOWS\avpcc.dll
2008-05-18 17:52:59 0 dr-h----- C:\Documents and Settings\ALL POWERFUL MOM\Recent
2008-05-18 17:38:43 0 d-------- C:\kav
2008-05-18 13:37:03 0 d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent
2008-05-18 13:30:44 0 d-------- C:\WINDOWS\system32\polX
2008-05-18 13:30:43 0 d-------- C:\WINDOWS\system32\GUI2
2008-05-18 13:30:43 0 d-------- C:\WINDOWS\system32\binR
2008-05-18 13:30:37 0 d-------- C:\WINDOWS\system32\3036a
2008-05-18 13:30:23 0 d-------- C:\WINDOWS\system32\logXv06
2008-05-18 13:29:35 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 13:29:16 87513 --a------ C:\WINDOWS\system32\xwusuhzh.exe <Not Verified; Microsoft; XML Media>
2008-05-07 20:53:37 68096 --a------ C:\WINDOWS\zip.exe
2008-05-07 20:53:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-07 20:53:37 80412 --a------ C:\WINDOWS\grep.exe
2008-05-07 20:53:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-07 20:53:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-07 20:53:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-07 20:53:36 98816 --a------ C:\WINDOWS\sed.exe
2008-05-07 20:53:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 19:03:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-07 19:02:57 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 12:52:24 0 d-------- C:\WINDOWS\Cache
2008-04-25 12:52:21 0 d-------- C:\Program Files\Coupons


-- Find3M Report ---------------------------------------------------------------

2008-05-23 20:40:32 8279 --a------ C:\Program Files\hijackthis.log
2008-05-22 16:10:16 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-18 19:10:00 2180 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-15 10:25:02 0 d-------- C:\Program Files\ToniArts
2008-04-10 15:01:02 0 d-------- C:\Program Files\Seagate
2008-04-10 14:54:54 0 d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Ceedo
2008-03-27 17:21:14 0 d-------- C:\Program Files\Logitech
2008-03-27 17:14:08 0 d-------- C:\Program Files\Common Files\logishrd


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [06/21/2004 05:40 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
"NvCplDaemon"="NvQTwk" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 02:54 PM]
"iTunesHelper"="D:\Program files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 01:38 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [01/18/2007 01:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 04:17 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/19/2007 07:48 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [9/8/2001 12:51:48 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/28/2004 11:06:36 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [6/5/2002 9:54:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ELSBLaunch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ELSBLaunch.lnk
backup=C:\WINDOWS\pss\ELSBLaunch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
"C:\Program Files\QdrModule\QdrModule16.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-05-23 20:41:34 ------------
  • 0

#6
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Yes, this can happen with new malware variants, and it was well done on your part for doing the renaming!

Now let's see if we can run Combofix properly and clean up any remaining rubbish. Firstly, delete any versions of Combofix that you have on the computer.

Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Regards,
RatHat

#7
mdcbk

    Member

  • Topic Starter
  • 18 posts
Combofix log is below. Thank you again!

ComboFix 08-05-21.3 - ALL POWERFUL MOM 2008-05-24 13:18:03.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.45 [GMT -5:00]
Running from: C:\Documents and Settings\ALL POWERFUL MOM\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\ALL POWERFUL MOM\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 13:01 . 2008-05-24 13:01 <DIR> d-------- C:\ComboFix
2008-05-24 12:32 . 2008-05-24 12:32 <DIR> d-------- C:\fixwareout
2008-05-23 20:04 . 2008-05-23 20:04 4,122 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 19:18 . 2008-05-23 19:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 19:18 . 2008-05-23 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 19:18 . 2008-05-23 19:18 <DIR> d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Malwarebytes
2008-05-23 19:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-23 19:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-23 19:16 . 2008-05-23 19:16 <DIR> d-------- C:\BomboFix
2008-05-23 19:11 . 2008-05-23 19:11 <DIR> d-------- C:\_OTMoveIt
2008-05-23 18:55 . 2008-05-23 18:55 <DIR> d-------- C:\Program Files\ERUNT
2008-05-22 16:16 . 2008-05-18 20:20 401,720 --a------ C:\Program Files\ALL POWERFUL MOM.exe
2008-05-22 16:13 . 2008-05-22 16:13 <DIR> d-------- C:\Deckard
2008-05-22 15:50 . 2008-05-22 15:50 <DIR> d-------- C:\Program Files\backups
2008-05-19 19:51 . 2008-05-19 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-19 19:15 . 2008-05-23 20:48 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-19 19:15 . 2008-05-23 20:48 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-19 19:14 . 2008-05-19 19:14 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-19 19:14 . 2008-05-23 21:04 869,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-19 19:14 . 2008-05-23 21:04 1,292 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-19 19:14 . 2008-05-23 21:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-19 19:14 . 2008-05-23 21:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-19 19:07 . 2008-05-19 19:07 29,440 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-19 19:07 . 2008-05-19 19:07 15,104 --a------ C:\WINDOWS\avpcc.dll
2008-05-18 20:13 . 2008-05-18 20:20 401,720 --a------ C:\Program Files\HijackThis.exe
2008-05-18 17:38 . 2008-05-18 17:38 <DIR> d-------- C:\kav
2008-05-18 14:50 . 2008-05-18 14:50 11,776 --a------ C:\WINDOWS\xxxvideo.hta
2008-05-18 14:49 . 2008-05-18 14:49 29,696 --a------ C:\WINDOWS\rundll32.vbe
2008-05-18 14:49 . 2008-05-18 14:49 10,496 --a------ C:\WINDOWS\astctl32.ocx
2008-05-18 13:37 . 2008-05-18 13:37 <DIR> d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent
2008-05-18 13:31 . 2001-08-18 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\polX
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\GUI2
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\binR
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\3036a
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\Temp\dmpxp32
2008-05-18 13:29 . 2008-05-18 13:29 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 13:28 . 2008-05-22 16:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 13:28 . 2008-05-18 13:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 19:03 . 2008-05-07 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-07 19:02 . 2008-05-07 19:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 12:52 . 2008-04-25 12:52 <DIR> d-------- C:\WINDOWS\Cache
2008-04-25 12:52 . 2008-04-25 12:52 <DIR> d-------- C:\Program Files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 01:40 8,279 ----a-w C:\Program Files\hijackthis.log
2008-04-15 15:25 --------- d-----w C:\Program Files\ToniArts
2008-04-10 20:01 --------- d-----w C:\Program Files\Seagate
2008-04-10 19:54 --------- d-----w C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Ceedo
2008-03-27 22:21 --------- d-----w C:\Program Files\Logitech
2008-03-27 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-27 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-27 22:14 --------- d-----w C:\Program Files\Common Files\logishrd
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2006-09-19 18:31 13,824 ----a-w C:\Documents and Settings\ALL POWERFUL MOM\atwbxdet.dll
2006-07-19 19:33 1,405,758 ----a-w C:\Program Files\sbwsetup.exe
2005-08-09 23:30 318,775 ----a-w C:\Program Files\CleanUp40.exe
2005-08-09 23:29 1,563 ----a-w C:\Program Files\rdrivRem.zip
2005-08-05 22:36 2,235,542 ----a-w C:\Program Files\tsc.zip
2005-08-04 23:02 468,536 ----a-w C:\Program Files\CWShredder.exe
2005-01-02 02:29 1,605,957 ----a-w C:\Program Files\rts_5a.exe
2004-11-30 01:08 3,053,244 ----a-w C:\Program Files\wlld4.exe
2004-06-08 19:24 256,533 ----a-w C:\Program Files\span.zip
2004-01-05 19:51 3,662,787 ----a-w C:\Program Files\spybotsd12.exe
2003-08-27 19:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
2002-06-06 03:54 56,112 ----a-w C:\Documents and Settings\kERRY'S\pngsetup.exe
.

((((((((((((((((((((((((((((( [email protected]_20.31.29.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 01:26:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 02:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 02:06:02 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 19:48 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-21 05:40 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"NvCplDaemon"="NvQTwk" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"iTunesHelper"="D:\Program files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-08 12:51:48 40960]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2002-06-05 21:54:46 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ELSBLaunch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ELSBLaunch.lnk
backup=C:\WINDOWS\pss\ELSBLaunch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
C:\Program Files\QdrModule\QdrModule16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SUPPORT.COM\\CLIENT\\bin\\tgcmd.exe"=
"D:\\Program files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
R2 Seagate Sync Service;Seagate Sync Service;"C:\Program Files\Seagate\Sync\SeaSyncServices.exe" [2007-01-18 13:20]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
R3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
R3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
S2 ctm;Convar task manager;C:\Program Files\Convar\TaskManager\ctm.exe []
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys [2000-06-20 01:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2003-10-27 21:02:20 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-05-11 23:43:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 13:24:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-24 13:27:25
ComboFix-quarantined-files.txt 2008-05-24 18:27:14
ComboFix3.txt 2008-05-08 02:11:26
ComboFix2.txt 2008-05-24 01:32:52

Pre-Run: 4,286,599,168 bytes free
Post-Run: 4,270,186,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

191 --- E O F --- 2008-05-16 23:02:54

#8
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Good, Combofix is running! So let's feed it a script to kill off the nasties and have a look at some dubious entries.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\avpcc.dll
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\rundll32.vbe

Folder::
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent
C:\Temp\dmpxp32

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-

FileLook::
C:\Program Files\rts_5a.exe

C:\Program Files\wlld4.exe

DirLook::
C:\WINDOWS\system32\polX

C:\WINDOWS\system32\GUI2

C:\WINDOWS\system32\binR

C:\WINDOWS\system32\3036a

C:\WINDOWS\Cache

C:\Program Files\Coupons


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
And let me know how the machine is performing now.

Regards,
RatHat
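The CFScript above tells ComboFix which of the newly created files and folders from the first log to delete (File::, Folder::) or merely inspect (FileLook::, DirLook::). The skill on display is picking those entries out of a long "Files Created" listing, so here is an added example of that triage step in Python; it is not code from the thread, from RatHat or from ComboFix. The parser follows the line format visible in the posted logs, and the two heuristics are this example's own assumptions: executable content (.hta, .vbe, .ocx, .dll and similar) dropped loose into C:\WINDOWS itself, and a burst of several new directories created in the same minute under system32 or C:\Temp. The sample lines are a subset copied from the log above; the rule set, the thresholds and the function names are constructed for this example, and a hit means "look at this", which is exactly what a FileLook::/DirLook:: entry asks ComboFix to do.

```python
"""Triage pass over ComboFix 'Files Created' lines.

Added example for this thread: the parser follows the line format visible in
the posted logs; the two heuristics, the thresholds and the function names are
this example's own assumptions, not ComboFix's or the thread's.
"""
import ntpath
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2008-05-23 19:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-19 19:14 . 2008-05-23 21:04 869,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-19 19:07 . 2008-05-19 19:07 29,440 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-19 19:07 . 2008-05-19 19:07 15,104 --a------ C:\WINDOWS\avpcc.dll
2008-05-18 20:13 . 2008-05-18 20:20 401,720 --a------ C:\Program Files\HijackThis.exe
2008-05-18 14:50 . 2008-05-18 14:50 11,776 --a------ C:\WINDOWS\xxxvideo.hta
2008-05-18 14:49 . 2008-05-18 14:49 29,696 --a------ C:\WINDOWS\rundll32.vbe
2008-05-18 14:49 . 2008-05-18 14:49 10,496 --a------ C:\WINDOWS\astctl32.ocx
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\polX
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\GUI2
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\binR
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\3036a
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\Temp\dmpxp32
2008-05-18 13:29 . 2008-05-18 13:29 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-07 19:02 . 2008-05-07 19:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
"""

# One log line: created . modified  size|<DIR>  nine attribute flags  path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)\s*$"
)

# Heuristic 1 (assumption): executable content that legitimate installers
# rarely drop loose into the Windows directory itself.
LOOSE_EXTS = {".hta", ".vbe", ".vbs", ".js", ".jse", ".wsf", ".ocx", ".dll"}
WINDOWS_DIR = r"c:\windows"

# Heuristic 2 (assumption): several new directories appearing in the same
# minute under these parents suggests a single dropper at work.
BURST_PARENTS = {r"c:\windows\system32", r"c:\temp"}
BURST_MIN = 3


def parse_entries(text):
    """Return one dict per parsable 'Files Created' line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, lone dots and blank lines
        entry = m.groupdict()
        entry["is_dir"] = entry["size"] == "<DIR>"
        entries.append(entry)
    return entries


def triage(entries):
    """Map each suspicious path to the list of reasons it was flagged."""
    findings = defaultdict(list)

    # Heuristic 1: loose script / ActiveX / DLL files directly in C:\WINDOWS.
    for e in entries:
        if e["is_dir"]:
            continue
        parent = ntpath.dirname(e["path"]).lower()
        ext = ntpath.splitext(e["path"])[1].lower()
        if parent == WINDOWS_DIR and ext in LOOSE_EXTS:
            findings[e["path"]].append(
                "loose %s file directly in the Windows directory" % ext)

    # Heuristic 2: burst of new directories created in the same minute.
    by_minute = defaultdict(list)
    for e in entries:
        if e["is_dir"] and ntpath.dirname(e["path"]).lower() in BURST_PARENTS:
            by_minute[e["created"]].append(e)
    for minute, group in by_minute.items():
        if len(group) >= BURST_MIN:
            for e in group:
                findings[e["path"]].append(
                    "one of %d new directories created at %s" % (len(group), minute))

    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(parse_entries(SAMPLE_LOG)).items()):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run against the sample, the two rules recover every path RatHat put under File:: and Folder:: and four of his six DirLook:: entries, while leaving the Malwarebytes driver, the Kaspersky data files and HijackThis alone. The Kaspersky Lab directory is not flagged because it was created alone; that is the point of clustering on creation time rather than on the name, since a single dropper tends to create its working directories within the same minute.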

#9
mdcbk

    Member

  • Topic Starter
  • 18 posts
Combofix and Hijack logs are below.
Questions for you: My daughter's laptop came down with this same thing yesterday. (I think I've fixed it; if not, I will post later.) The two PCs that have been infected are wired through a router, and the laptop connects wirelessly to the same router. Is it possible for this to have been transmitted through the router? My husband also connects his business laptop wirelessly through the router, so I wanted to make sure that could not be causing this problem. Although the 2 PCs shared a flash drive, a possible source of the spreading infection, the laptop did not. The only other connection is that all 3 computers accessed MySpace at some point in the past 2 weeks, which I'm certain could be the culprit.
Second question: should I assume the flash drive I used might be corrupted? Can I "clean" it somehow?

Thanks so much for all your help through this. I've learned a lot.


ComboFix 08-05-24.1 - ALL POWERFUL MOM 2008-05-25 11:59:09.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT -5:00]
Running from: C:\Documents and Settings\ALL POWERFUL MOM\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\ALL POWERFUL MOM\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\xxxvideo.hta
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent\.zip.1.torrent
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent\.zip.torrent
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent\dht.dat
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent\resume.dat
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent\resume.dat.old
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent\settings.dat
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\uTorrent\settings.dat.old
C:\Temp\dmpxp32
C:\Temp\dmpxp32\sakldsr.log
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\xxxvideo.hta

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-24 14:53 . 2008-05-24 15:10 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-24 14:53 . 2008-05-24 15:10 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-24 14:52 . 2008-05-24 14:52 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-24 14:52 . 2008-05-24 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 14:52 . 2008-05-25 12:04 872,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-24 14:52 . 2008-05-25 12:04 12,764 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-24 14:52 . 2008-05-25 12:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-24 14:52 . 2008-05-25 12:04 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-24 13:01 . 2008-05-24 13:01 <DIR> d-------- C:\ComboFix
2008-05-24 12:32 . 2008-05-24 12:32 <DIR> d-------- C:\fixwareout
2008-05-23 20:04 . 2008-05-23 20:04 4,122 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 19:18 . 2008-05-23 19:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 19:18 . 2008-05-23 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 19:18 . 2008-05-23 19:18 <DIR> d-------- C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Malwarebytes
2008-05-23 19:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-23 19:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-23 19:16 . 2008-05-23 19:16 <DIR> d-------- C:\BomboFix
2008-05-23 19:11 . 2008-05-23 19:11 <DIR> d-------- C:\_OTMoveIt
2008-05-23 18:55 . 2008-05-23 18:55 <DIR> d-------- C:\Program Files\ERUNT
2008-05-22 16:16 . 2008-05-18 20:20 401,720 --a------ C:\Program Files\ALL POWERFUL MOM.exe
2008-05-22 16:13 . 2008-05-22 16:13 <DIR> d-------- C:\Deckard
2008-05-22 15:50 . 2008-05-22 15:50 <DIR> d-------- C:\Program Files\backups
2008-05-19 19:51 . 2008-05-19 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 20:13 . 2008-05-18 20:20 401,720 --a------ C:\Program Files\HijackThis.exe
2008-05-18 17:38 . 2008-05-18 17:38 <DIR> d-------- C:\kav
2008-05-18 13:31 . 2001-08-18 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\polX
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\GUI2
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\binR
2008-05-18 13:30 . 2008-05-18 13:30 <DIR> d-------- C:\WINDOWS\system32\3036a
2008-05-18 13:29 . 2008-05-18 13:29 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-04-25 12:52 . 2008-04-25 12:52 <DIR> d-------- C:\WINDOWS\Cache
2008-04-25 12:52 . 2008-04-25 12:52 <DIR> d-------- C:\Program Files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 01:40 8,279 ----a-w C:\Program Files\hijackthis.log
2008-04-15 15:25 --------- d-----w C:\Program Files\ToniArts
2008-04-10 20:01 --------- d-----w C:\Program Files\Seagate
2008-04-10 19:54 --------- d-----w C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Ceedo
2008-03-27 22:21 --------- d-----w C:\Program Files\Logitech
2008-03-27 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-27 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-27 22:14 --------- d-----w C:\Program Files\Common Files\logishrd
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2006-09-19 18:31 13,824 ----a-w C:\Documents and Settings\ALL POWERFUL MOM\atwbxdet.dll
2006-07-19 19:33 1,405,758 ----a-w C:\Program Files\sbwsetup.exe
2005-08-09 23:30 318,775 ----a-w C:\Program Files\CleanUp40.exe
2005-08-09 23:29 1,563 ----a-w C:\Program Files\rdrivRem.zip
2005-08-05 22:36 2,235,542 ----a-w C:\Program Files\tsc.zip
2005-08-04 23:02 468,536 ----a-w C:\Program Files\CWShredder.exe
2005-01-02 02:29 1,605,957 ----a-w C:\Program Files\rts_5a.exe
2004-11-30 01:08 3,053,244 ----a-w C:\Program Files\wlld4.exe
2004-06-08 19:24 256,533 ----a-w C:\Program Files\span.zip
2004-01-05 19:51 3,662,787 ----a-w C:\Program Files\spybotsd12.exe
2003-08-27 19:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
2002-06-06 03:54 56,112 ----a-w C:\Documents and Settings\kERRY'S\pngsetup.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\rts_5a.exe -- 16-bit executable. Not a PE file.
C:\Program Files\wlld4.exe -- Unable to find file version info.
---- Directory of C:\Program Files\Coupons ----

2008-04-25 12:52 473600 --a------ C:\Program Files\Coupons\uninstall.exe

---- Directory of C:\WINDOWS\Cache ----


---- Directory of C:\WINDOWS\system32\3036a ----


---- Directory of C:\WINDOWS\system32\binR ----


---- Directory of C:\WINDOWS\system32\GUI2 ----


---- Directory of C:\WINDOWS\system32\polX ----



((((((((((((((((((((((((((((( [email protected]_20.31.29.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 01:26:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 17:05:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 17:06:22 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_5e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 19:48 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-21 05:40 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"iTunesHelper"="D:\Program files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 13:20 190008]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-08 12:51:48 40960]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2002-06-05 21:54:46 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ALL POWERFUL MOM^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\ALL POWERFUL MOM\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ELSBLaunch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ELSBLaunch.lnk
backup=C:\WINDOWS\pss\ELSBLaunch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\ALL POWERFUL MOM\Application Data\Microsoft\dtsc\31452.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
C:\Program Files\QdrModule\QdrModule16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SUPPORT.COM\\CLIENT\\bin\\tgcmd.exe"=
"D:\\Program files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\kav\\kis\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
R2 Seagate Sync Service;Seagate Sync Service;"C:\Program Files\Seagate\Sync\SeaSyncServices.exe" [2007-01-18 13:20]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
R3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
R3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]
S2 ctm;Convar task manager;C:\Program Files\Convar\TaskManager\ctm.exe []
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 OASIS;OASIS;C:\WINDOWS\system32\drivers\oasisusb.sys [2000-06-20 01:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2003-10-27 21:02:20 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-05-11 23:43:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 12:06:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-05-25 12:14:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 17:13:56
ComboFix4.txt 2008-05-08 02:11:26
ComboFix3.txt 2008-05-24 01:32:52
ComboFix2.txt 2008-05-24 18:27:32

Pre-Run: 3,986,923,520 bytes free
Post-Run: 3,983,441,920 bytes free

234 --- E O F --- 2008-05-16 23:02:54

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:09 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194061436484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194063366734
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Convar task manager (ctm) - Unknown owner - C:\Program Files\Convar\TaskManager\ctm.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8071 bytes

#10
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
This computer looks clean now, so let's start with the flash drive.

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder; it will help protect your drives from future infection.

It is very doubtful that the computers are cross-infected via the router, unless you have shared network files. Even then it is not that likely; the flash drive and/or MySpace are the most likely culprits.

If your daughter's laptop is now showing signs of infection, can you run DSS and post me the logs, and also run a Kaspersky scan and post me that log? Then we can see if it has anything left over from your cleaning.

By the way, what did you use on that computer?

Regards,
RatHat
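The protective trick in RatHat's note (a folder occupying the name autorun.inf so autorun malware cannot drop a file of that name) can be audited and applied from a short script. The following is an added example and is not code from this thread or from Flash_Disinfector: it classifies what sits at a drive root (nothing, a protective folder, or an autorun.inf file), pulls the launch-related keys out of a file so an analyst can see what it would run, and creates the blocking folder only when the name is free. The function names, the temp-directory demo and the sample autorun.inf content are all constructed for this example.

```python
"""Audit a drive root for autorun.inf and apply the folder-blocking trick.

Added example, not code from this thread or from Flash_Disinfector. A
hidden *folder* named autorun.inf is the protected state; an autorun.inf
*file* is what an analyst should inspect. Names and sample are constructed.
"""
import os
import re
import tempfile

# [autorun] keys that make Windows launch or present something on insert.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command",
             "shell\\explore\\command")

# Constructed sample of the autorun.inf shape USB worms used; not a real
# artefact from the laptop in this thread.
SAMPLE_AUTORUN = r"""[AutoRun]
; constructed sample for the demo
open=RECYCLER\evil_sample.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\evil_sample.exe
"""


def _find_autorun(drive_root):
    """Case-insensitive lookup (FAT/NTFS ignore case; this may run elsewhere)."""
    for name in os.listdir(drive_root):
        if name.lower() == "autorun.inf":
            return os.path.join(drive_root, name)
    return None


def parse_autorun(text):
    """Return {lowercase key: value} from the [autorun] section.

    Hand-rolled instead of configparser so mixed-case headers and junk
    lines, both common in malicious autorun.inf files, do not raise.
    """
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            in_autorun = header.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def classify_autorun(drive_root):
    """Return (status, exec_keys): status is "absent", "protective-folder"
    or "autorun-file"; exec_keys holds the launch keys a file sets."""
    path = _find_autorun(drive_root)
    if path is None:
        return ("absent", {})
    if os.path.isdir(path):
        return ("protective-folder", {})
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        values = parse_autorun(fh.read())
    return ("autorun-file", {k: v for k, v in values.items() if k in EXEC_KEYS})


def ensure_protective_folder(drive_root):
    """Create the blocking folder when the name is free; never delete a file.
    An existing autorun.inf file is left for the analyst. Returns status."""
    status, _ = classify_autorun(drive_root)
    if status != "absent":
        return status
    folder = os.path.join(drive_root, "autorun.inf")
    os.makedirs(folder)
    if os.name == "nt":  # hide it, as RatHat's note describes
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(folder, 0x02)  # FILE_ATTRIBUTE_HIDDEN
    return "protective-folder"


def run_demo():
    """Audit two constructed drive roots in temp dirs: one clean, one with a file."""
    clean = tempfile.mkdtemp(prefix="clean_drive_")
    suspect = tempfile.mkdtemp(prefix="suspect_drive_")
    with open(os.path.join(suspect, "AutoRun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return {
        "clean_before": classify_autorun(clean)[0],
        "clean_after": ensure_protective_folder(clean),
        "suspect": classify_autorun(suspect),
        "suspect_after": ensure_protective_folder(suspect),
    }
```

Point `classify_autorun` at the root of each mounted removable drive (for example `E:\`) to see whether the protective folder is still in place after a cleanup; a returned `autorun-file` status with `open` or `shell\open\command` set pointing into a subfolder of the stick is the pattern worth quarantining and submitting rather than deleting outright.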

#11
mdcbk
    Member
  • Topic Starter
  • 18 posts
To fix the laptop, I downloaded ATF Cleaner, plus all the other programs you suggested for my other PC, onto a CD, since I couldn't access the internet. I cleaned up the laptop, then ran HijackThis and deleted all the lines that were duplicates of what I deleted on my PC. I ran Malwarebytes several times before it ran all the way through. I got the blue screen of death a few times. I ran Spybot also. Finally, I was able to get ComboFix to run, which cleared the desktop and enabled Task Manager. I'm not sure what else I ran; I did run ERUNT so I could restore the registry if needed. The only thing I don't know how to do is to paste lines into ComboFix, or even if it's needed.
DSS scan and Kaspersky scan on the laptop are below.
Once again, thank you very much!

Deckard's System Scanner v20071014.68
Run by Chelsea on 2008-05-26 14:50:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2008-05-26 19:51:07 UTC - RP640 - Deckard's System Scanner Restore Point
86: 2008-05-25 23:31:58 UTC - RP639 - ComboFix created restore point
85: 2008-05-25 19:56:31 UTC - RP638 - Installed EasyCleaner
84: 2008-05-25 16:49:38 UTC - RP637 - Removed HP Software Update
83: 2008-05-25 16:45:49 UTC - RP636 - Last known good configuration


-- First Restore Point --
1: 2008-05-25 16:44:53 UTC - RP554 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Chelsea.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:24 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\dss.exe
C:\DOCUME~1\CHELSE~1.CLI\Desktop\Chelsea.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.trinity.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: {90f5e0df-7cab-3f59-1854-14289f29c6bc} - {cb6c92f9-8241-4581-95f3-bac7fd0e5f09} - C:\WINDOWS\system32\uhplsigx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x092e -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x092e -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 1: Harry Potter and the Order of the Phoenix Movie Countdown - http://www.mugglenet...wn.php?o=july13
O24 - Desktop Component 2: LeakyNews counts down to Order of the Phoenix and Deathly Hallows - http://www.the-leaky...jointcount.html
O24 - Desktop Component 3: MuggleNet.com Desktop Countdown - http://www.mugglenet...top-dhootp.html

--
End of file - 10003 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\CHELSE~1.CLI\Desktop\backups\) --------

backup-20080524-201234-112 O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
backup-20080524-201234-193 O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
backup-20080524-201234-226 O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
backup-20080524-201234-230 O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
backup-20080524-201234-279 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
backup-20080524-201234-324 O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
backup-20080524-201234-331 O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
backup-20080524-201234-339 O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
backup-20080524-201234-374 O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
backup-20080524-201234-398 O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
backup-20080524-201234-432 O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
backup-20080524-201234-446 O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
backup-20080524-201234-462 O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
backup-20080524-201234-479 O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
backup-20080524-201234-507 O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
backup-20080524-201234-529 O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
backup-20080524-201234-702 O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
backup-20080524-201234-727 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
backup-20080524-201234-733 O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
backup-20080524-201234-754 O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
backup-20080524-201234-769 O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
backup-20080524-201234-812 O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
backup-20080524-201234-815 O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
backup-20080524-201234-904 O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
backup-20080524-201234-994 O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-26 07:30:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-05-26 00:26:12 396 --ah----- C:\WINDOWS\Tasks\{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_CQUINN1_Chelsea.job


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 09:46:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 09:09:08 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-26 09:09:08 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-26 09:09:08 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-26 09:09:08 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-26 09:09:08 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-26 09:09:08 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-26 09:09:08 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-26 09:09:08 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-25 20:17:54 0 d-------- C:\Program Files\Panda Security
2008-05-25 17:14:54 100608 --a------ C:\WINDOWS\system32\uhplsigx.dll
2008-05-25 15:35:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 15:35:10 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-25 15:29:07 100608 --a------ C:\WINDOWS\system32\nihsmjar.dll
2008-05-25 15:26:54 90896 --a------ C:\WINDOWS\system32\rqmocqtu.dll
2008-05-25 15:19:50 100608 --a------ C:\WINDOWS\system32\knxrucpu.dll
2008-05-25 15:17:34 90896 --a------ C:\WINDOWS\system32\bbmwgxev.dll
2008-05-25 14:59:47 0 dr-h----- C:\Documents and Settings\Chelsea.CLIFFORD\Recent
2008-05-25 14:56:36 0 d-------- C:\Program Files\ToniArts
2008-05-25 11:56:31 0 d-------- C:\VundoFix Backups
2008-05-25 11:50:42 100608 --a------ C:\WINDOWS\system32\rplnoktf.dll
2008-05-25 11:46:59 90896 --a------ C:\WINDOWS\system32\logfmvup.dll
2008-05-25 10:42:00 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-24 22:14:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-24 20:27:56 0 d-------- C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Malwarebytes
2008-05-24 20:15:59 68096 --a------ C:\WINDOWS\zip.exe
2008-05-24 20:15:59 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-24 20:15:59 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-24 20:15:59 98816 --a------ C:\WINDOWS\sed.exe
2008-05-24 20:15:59 80412 --a------ C:\WINDOWS\grep.exe
2008-05-24 20:15:59 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-24 20:15:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-24 20:15:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-24 17:59:03 31488 --a------ C:\WINDOWS\xplugin.dll
2008-05-24 17:59:00 13568 --a------ C:\WINDOWS\time.exe
2008-05-24 17:58:59 22528 --a------ C:\WINDOWS\svcinit.exe
2008-05-24 17:58:59 12032 --a------ C:\WINDOWS\svchost32.exe
2008-05-24 17:58:58 19200 --a------ C:\WINDOWS\searchword.dll
2008-05-24 17:58:58 21504 --a------ C:\WINDOWS\rundll16.exe
2008-05-24 17:58:57 12800 --a------ C:\WINDOWS\quicken.exe
2008-05-24 17:58:57 21248 --a------ C:\WINDOWS\qttasks.exe
2008-05-24 17:58:56 29952 --a------ C:\WINDOWS\mswsc20.dll
2008-05-24 17:58:56 25600 --a------ C:\WINDOWS\mswsc10.dll
2008-05-24 17:58:55 15872 --a------ C:\WINDOWS\msspi.dll
2008-05-24 17:58:55 18688 --a------ C:\WINDOWS\msconfd.dll
2008-05-24 17:58:54 29440 --a------ C:\WINDOWS\internet.exe
2008-05-24 17:58:54 26112 --a------ C:\WINDOWS\inetinf.exe
2008-05-24 17:58:53 18176 --a------ C:\WINDOWS\helpcvs.exe
2008-05-24 17:58:53 25344 --a------ C:\WINDOWS\gfmnaaa.dll
2008-05-24 17:58:53 25600 --a------ C:\WINDOWS\funny.exe
2008-05-24 17:58:52 22272 --a------ C:\WINDOWS\funniest.exe
2008-05-24 17:58:52 13312 --a------ C:\WINDOWS\explorer32.exe
2008-05-24 17:58:52 8192 --a------ C:\WINDOWS\editpad.exe
2008-05-24 17:58:52 13568 --a------ C:\WINDOWS\dnsrelay.dll
2008-05-24 17:58:52 25600 --a------ C:\WINDOWS\directx32.exe
2008-05-24 17:58:51 25344 --a------ C:\WINDOWS\ctfmon32.exe
2008-05-24 17:58:51 16896 --a------ C:\WINDOWS\cpan.dll
2008-05-24 17:40:37 0 d-------- C:\WINDOWS\system32\vntiho06
2008-05-24 17:39:45 4 --a------ C:\WINDOWS\system32\hljwugsf.bin


-- Find3M Report ---------------------------------------------------------------

2008-05-26 10:48:46 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-26 09:46:57 0 d-------- C:\Program Files\Common Files
2008-05-25 14:56:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-25 11:49:51 0 d-------- C:\Program Files\HP
2008-05-25 10:52:58 0 d-------- C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Corel
2008-05-25 10:52:43 0 d-------- C:\Program Files\Common Files\Corel
2008-05-25 10:52:42 0 d-------- C:\Program Files\Corel
2008-05-24 23:00:28 0 d-------- C:\Program Files\Google
2008-05-24 22:48:31 0 d-------- C:\Program Files\BearShare
2008-05-21 08:28:17 0 d-------- C:\Program Files\Dl_cats
2008-05-07 03:30:48 0 d-------- C:\Program Files\Easy CD-DA Extractor 9
2008-04-29 08:12:39 0 d-------- C:\Program Files\Apple Software Update
2008-04-25 13:54:28 0 d-------- C:\Program Files\iTunes
2008-04-25 13:52:44 0 d-------- C:\Program Files\iPod
2008-04-25 13:40:05 0 d-------- C:\Program Files\QuickTime
2008-04-23 16:08:39 0 d-------- C:\Program Files\Jasc Software Inc
2008-04-23 16:08:39 0 d-------- C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Jasc Software Inc
2008-04-23 16:02:49 0 d-------- C:\Program Files\LimeWire
2008-04-23 15:52:23 0 d-------- C:\Program Files\Ares
2008-04-23 15:51:39 0 d-------- C:\Program Files\Common Files\AOL
2008-04-22 14:06:54 0 d-------- C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\LimeWire
2008-04-22 07:39:12 3922 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-22 07:39:04 88 -r-hs---- C:\WINDOWS\system32\33832E4FD8.sys
2008-04-12 14:16:57 0 d-------- C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\U3


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb6c92f9-8241-4581-95f3-bac7fd0e5f09}]
05/25/2008 05:14 PM 100608 --a------ C:\WINDOWS\system32\uhplsigx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 04:16 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/24/2006 05:14 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/15/2006 01:40 AM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 09:08 AM]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [09/14/2005 08:50 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/11/2007 05:14 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [02/08/2007 01:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"WUAppSetup"=C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x092e -f video -m logitech -d 10.5.1.2023

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Documents and Settings\Chelsea.CLIFFORD\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ucJ18.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Chelsea.CLIFFORD^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\Chelsea.CLIFFORD\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch DcomLaunch




-- End of Deckard's System Scanner: finished at 2008-05-26 14:54:13 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2300 @ 1.66GHz
CPU 1: Genuine Intel® CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 1014.37 MiB / 524.25 MiB
Pagefile Memory (total/avail): 2441.28 MiB / 2092.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.13 MiB

C: is Fixed (NTFS) - 87.06 GiB total, 14.16 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2100BH - 91.76 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 87.06 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Chelsea.CLIFFORD\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CQUINN1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Chelsea.CLIFFORD
LOGONSERVER=\\CQUINN1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CHELSE~1.CLI\LOCALS~1\Temp
TMP=C:\DOCUME~1\CHELSE~1.CLI\LOCALS~1\Temp
USERDOMAIN=CQUINN1
USERNAME=Chelsea
USERPROFILE=C:\Documents and Settings\Chelsea.CLIFFORD
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Chelsea.CLIFFORD (admin)
Administrator.CLIFFORD (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7875FD9-6ADB-4D4B-A756-3A2306A3D5E1}\setup.exe" -l0x9 anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.1 --> MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Photoshop Elements 5.0 --> msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Alarm 2.0.0 --> "C:\Program Files\Alarm\unins000.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ArcSoft Camera Suite --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Camera Suite\Uninst.isu"
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{350C338E-7304-44DC-BCE7-F14A25EB1665}\Setup.exe" -l0x9
ArcSoft PhotoImpression 5 (Shared Components) --> C:\Program Files\Common Files\element5 Shared\Uninstall\ArcSoft PhotoImpression 5\B2252000\UninstApplet.exe /uninstall
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP Pro 3 --> MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
Cisco Clean Access Agent --> MsiExec.exe /X{41C18715-AFF0-49E9-B940-287A50532D33}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
CtraxAX --> C:\PROGRA~1\Cdigix\CtraxAX\UNWISE.EXE /U C:\PROGRA~1\Cdigix\CtraxAX\INSTALL.LOG
Dell Photo AIO Printer 924 --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dlccUNST.EXE -NOLICENSE
Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DesignPro 5.0 Media Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EDF1085A-73FF-4B3B-8726-2A403D400E48}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD to VCD AVI DivX Converter v3.2 (build 062) --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Easy CD-DA Extractor 9.1.3 --> "C:\WINDOWS\Easy CD-DA Extractor\uninstall.exe" "/U:C:\Program Files\Easy CD-DA Extractor 9\irunin.xml"
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
Eyeball Chat 2.2 --> C:\PROGRA~1\Eyeball\EYEBAL~1\UNWISE.EXE C:\PROGRA~1\Eyeball\EYEBAL~1\INSTALL.LOG
Finale Allegro 2005 --> C:\WINDOWS\unvise32.exe C:\Program Files\Finale Allegro 2005\uninstal.log
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "D:\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech Audio Echo Cancellation Component --> MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech QuickCam --> MsiExec.exe /X{7D2370AC-D8E6-4996-986A-19824F8A167C}
Logitech Video Enumerator --> MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Logitech® Camera Driver --> "C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft AntiSpyware --> MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Web Components --> MsiExec.exe /I{002C9999-0000-0000-C000-000000000112}
Microsoft Plus! Dancer LE --> MsiExec.exe /X{1A103D70-5C9B-4E1A-B306-5106C68F9914}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Move Networks\ie_bin\Uninst.exe
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Chelsea\Application Data\Move Networks\ie_bin\unins000.exe"
MS Access 97 SP2 --> C:\Program Files\Microsoft Office\setup\setup.exe
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
Nero PhotoShow Express --> "C:\Program Files\Nero\data\Xtras\Uninstall.exe"
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
NeroMIX --> C:\WINDOWS\UNNMIX.exe /UNINSTALL
Netscape Internet Service --> C:\Program Files\Netscape Internet Service\install.exe -r {FFC3B772-C00A-42da-90A6-A87F4AFD73D9}
Netscape Web Accelerator --> C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\accinst.exe -r {FFC3B772-C00A-42da-90A6-A87F4AFD73E0}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PrintMaster Gold 3.00 --> c:\pmw\msrun.exe
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SimCity 3000 Unlimited --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\SimCity 3000 Unlimited\DeIsL1.isu" -c"C:\Program Files\Maxis\SimCity 3000 Unlimited\_UnInstall.dll"
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}
The Sims Deluxe Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\setup.exe" -l0009
The Weather Channel Desktop --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
Total Commander (Remove or Repair) --> c:\totalcmd\tcuninst.exe
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rimsptsk_469677EEC4F8D39ABD61046D242B2A1651DE8AEF\rimsptsk.inf
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rimmptsk_EA24AF82DAB6BA6CF6FB1A3004EE91F51D3FDCF9\rimmptsk.inf
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rixdptsk_30B42BE4DA4D11DB80E5D3DD10180621BA0A53DD\rixdptsk.inf
Windows Messenger 5.1 --> MsiExec.exe /I{9D1C26BD-E792-4159-9D16-07EA222D8EF0}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type22135 / Error
Event Submitted/Written: 05/26/2008 02:32:07 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type22134 / Error
Event Submitted/Written: 05/26/2008 02:22:11 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type22133 / Error
Event Submitted/Written: 05/26/2008 00:37:07 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type22132 / Error
Event Submitted/Written: 05/26/2008 00:26:11 PM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

Event Record #/Type22125 / Error
Event Submitted/Written: 05/26/2008 10:47:11 AM
Event ID/Source: 1090 / Userenv
Event Description:
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type45155 / Error
Event Submitted/Written: 05/26/2008 10:18:25 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type45154 / Error
Event Submitted/Written: 05/26/2008 09:10:15 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type45153 / Error
Event Submitted/Written: 05/26/2008 09:08:29 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type45152 / Error
Event Submitted/Written: 05/26/2008 08:57:53 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type45151 / Error
Event Submitted/Written: 05/26/2008 08:57:00 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
APPDRV
ASPI32
eeCtrl
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SAVRT
SAVRTPEL
SPBBCDrv
SYMTDI
Tcpip



-- End of Deckard's System Scanner: finished at 2008-05-26 14:54:13 ------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 26, 2008 10:13:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/05/2008
Kaspersky Anti-Virus database records: 801091
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 151989
Number of viruses found: 18
Number of infected objects: 25
Number of suspicious objects: 20
Duration of the scan process: 06:13:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7d69c0b795a52856cff41745048d750f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll1.zip/loader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll2.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf1.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC31.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC31.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOW
#12
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
You did well; maybe you should join our GeekU and learn how to really clean a machine!

Ok, the Kaspersky log has been cut short; could you post it again, please? Also, could you post me the Combofix log from this machine.

Regards,
RatHat
#13
mdcbk
    Member
  • Topic Starter
  • Member
  • 18 posts
Thanks RatHat! Between this and work, I'm learning more than I ever wanted to about computers.

The entire Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 26, 2008 10:13:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/05/2008
Kaspersky Anti-Virus database records: 801091
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 151989
Number of viruses found: 18
Number of infected objects: 25
Number of suspicious objects: 20
Duration of the scan process: 06:13:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7d69c0b795a52856cff41745048d750f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll1.zip/loader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll2.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf1.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC31.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC31.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05CC0000\4DEFE394.VBN Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000\4AF89AEA.VBN/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000\4AF89AEA.VBN/stream Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000\4AF89AEA.VBN NSIS: infected - 2 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00000\4AF89AEA.VBN CryptZ: infected - 2 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00003\4AF89B22.VBN Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00004\4AF89B2E.VBN Infected: Trojan-Downloader.Win32.Mutant.yf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD00005\4AF89D25.VBN Infected: Trojan-Dropper.Win32.Agent.ror skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Aim\qxoprgfs\sweetiepie051688\cert8.db Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Aim\qxoprgfs\sweetiepie051688\key3.db Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbdam Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbdao Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbeam Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbeao Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbm Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\fii.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\fim1i.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\fim1ih.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\hp Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Google\Google Desktop\11d80ae9235d\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\History\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Temp\~DF7FDA.tmp Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chelsea.CLIFFORD\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0338NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0343NAV~.TMP Object is locked skipped
C:\QooBox\Quarantine\catchme2008-05-24_231445.56.zip/clbdriver.sys Infected: Rootkit.Win32.Agent.aol skipped
C:\QooBox\Quarantine\catchme2008-05-24_231445.56.zip/clbdll.dll Infected: Trojan-Downloader.Win32.Agent.qpw skipped
C:\QooBox\Quarantine\catchme2008-05-24_231445.56.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP596\A0088492.dll Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP596\A0088495.dll Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101036.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101040.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101043.exe Infected: not-virus:Hoax.Win32.Renos.coh skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101045.exe Infected: Trojan-Downloader.Win32.Agent.plz skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101046.exe Infected: Backdoor.Win32.Agent.ity skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101048.exe Infected: Trojan-Downloader.Win32.Small.wbx skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101049.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP632\A0101049.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DDCBA15B-7EB1-4691-A601-165EF3717EB8}\RP640\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\W3SVC1\ex080527.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

This is the last combofix log I ran:


ComboFix 08-05-24.1 - Chelsea 2008-05-25 18:34:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -5:00]
Running from: C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\buildbu.bat
C:\WINDOWS\BMdb7f29e6.xml
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\DMUtCJjl.ini
C:\WINDOWS\system32\DMUtCJjl.ini2
C:\WINDOWS\system32\ljJCtUMD.dll
C:\WINDOWS\system32\ltyrlahw.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-25 17:14 . 2008-05-25 17:14 100,608 --a------ C:\WINDOWS\system32\uhplsigx.dll
2008-05-25 17:11 . 83,232 C:\WINDOWS\system32\tkmmmjtp.dll
2008-05-25 15:35 . 2008-05-25 15:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 15:35 . 2008-05-25 15:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-25 15:35 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 15:35 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 15:29 . 2008-05-25 15:29 100,608 --a------ C:\WINDOWS\system32\nihsmjar.dll
2008-05-25 15:26 . 2008-05-25 15:26 90,896 --a------ C:\WINDOWS\system32\rqmocqtu.dll
2008-05-25 15:19 . 2008-05-25 15:19 100,608 --a------ C:\WINDOWS\system32\knxrucpu.dll
2008-05-25 15:17 . 2008-05-25 15:17 90,896 --a------ C:\WINDOWS\system32\bbmwgxev.dll
2008-05-25 14:56 . 2008-05-25 14:56 <DIR> d-------- C:\Program Files\ToniArts
2008-05-25 11:56 . 2008-05-25 11:56 <DIR> d-------- C:\VundoFix Backups
2008-05-25 11:50 . 2008-05-25 11:50 100,608 --a------ C:\WINDOWS\system32\rplnoktf.dll
2008-05-25 11:46 . 2008-05-25 11:47 90,896 --a------ C:\WINDOWS\system32\logfmvup.dll
2008-05-25 10:42 . 2008-05-25 10:43 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-25 10:20 . 2008-05-25 10:20 26,368 --a------ C:\WINDOWS\y.exe
2008-05-25 10:20 . 2008-05-25 10:20 16,640 --a------ C:\WINDOWS\x.exe
2008-05-24 22:54 . 2008-05-25 15:32 19,200 --a------ C:\WINDOWS\mtwirl32.dll
2008-05-24 22:54 . 2008-05-24 22:54 18,176 --a------ C:\WINDOWS\astctl32.ocx
2008-05-24 22:54 . 2008-05-24 22:54 15,872 --a------ C:\WINDOWS\clrssn.exe
2008-05-24 22:54 . 2008-05-24 22:54 14,080 --a------ C:\WINDOWS\systeem.exe
2008-05-24 22:54 . 2008-05-24 22:54 13,824 --a------ C:\WINDOWS\winajbm.dll
2008-05-24 22:52 . 2008-05-24 22:52 21,760 --a------ C:\WINDOWS\waol.exe
2008-05-24 22:52 . 2008-05-24 22:52 20,992 --a------ C:\WINDOWS\olehelp.exe
2008-05-24 22:52 . 2008-05-24 22:52 15,360 --a------ C:\WINDOWS\win32e.exe
2008-05-24 22:52 . 2008-05-24 22:52 13,824 --a------ C:\WINDOWS\accesss.exe
2008-05-24 22:52 . 2008-05-24 22:52 12,800 --a------ C:\WINDOWS\xxxvideo.hta
2008-05-24 22:52 . 2008-05-24 22:52 12,288 --a------ C:\WINDOWS\systemcritical.exe
2008-05-24 22:50 . 2008-05-25 15:32 22,528 --a------ C:\WINDOWS\avpcc.dll
2008-05-24 22:50 . 2008-05-24 22:50 19,968 --a------ C:\WINDOWS\users32.exe
2008-05-24 22:50 . 2008-05-24 22:50 15,616 --a------ C:\WINDOWS\window.exe
2008-05-24 22:50 . 2008-05-24 22:50 8,192 --a------ C:\WINDOWS\winmgnt.exe
2008-05-24 22:48 . 2008-05-24 22:48 27,904 --a------ C:\WINDOWS\iedll.exe
2008-05-24 22:48 . 2008-05-24 22:48 26,880 --a------ C:\WINDOWS\msupdate.exe
2008-05-24 22:48 . 2008-05-24 22:48 23,296 --a------ C:\WINDOWS\mssys.exe
2008-05-24 22:48 . 2008-05-24 22:48 22,528 --a------ C:\WINDOWS\loader.exe
2008-05-24 22:48 . 2008-05-25 15:32 12,032 --a------ C:\WINDOWS\notepad32.exe
2008-05-24 22:14 . 2008-05-24 22:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 22:14 . 2008-05-24 22:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-24 21:36 . 2008-05-25 15:32 26,112 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-24 21:36 . 2008-05-25 15:32 14,848 --a------ C:\WINDOWS\sistem.exe
2008-05-24 20:27 . 2008-05-24 20:27 <DIR> d-------- C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Malwarebytes
2008-05-24 20:13 . 2008-05-24 20:13 <DIR> d-------- C:\Program Files\ERUNT
2008-05-24 17:59 . 2008-05-24 17:59 31,488 --a------ C:\WINDOWS\xplugin.dll
2008-05-24 17:59 . 2008-05-24 22:52 14,848 --a------ C:\WINDOWS\win64.exe
2008-05-24 17:59 . 2008-05-24 17:59 13,568 --a------ C:\WINDOWS\time.exe
2008-05-24 17:41 . 2008-05-24 18:18 78,378 --a------ C:\WINDOWS\system32\spywarewarning2.mht
2008-05-24 17:40 . 2008-05-24 17:40 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-24 17:40 . 2008-05-24 17:40 <DIR> d-------- C:\Temp\vtmp2
2008-05-24 17:40 . 26,384 C:\WINDOWS\system32\ljJBsqQk.dll
2008-05-24 17:40 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-24 17:39 . 2008-05-24 17:39 4 --a------ C:\WINDOWS\system32\hljwugsf.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 23:59 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-25 19:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 16:49 --------- d-----w C:\Program Files\HP
2008-05-25 15:52 --------- d-----w C:\Program Files\Corel
2008-05-25 15:52 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-25 15:52 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Corel
2008-05-25 04:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-05-25 04:00 --------- d-----w C:\Program Files\Google
2008-05-25 03:48 --------- d-----w C:\Program Files\BearShare
2008-05-21 13:28 --------- d-----w C:\Program Files\Dl_cats
2008-05-07 08:30 --------- d-----w C:\Program Files\Easy CD-DA Extractor 9
2008-04-29 13:12 --------- d-----w C:\Program Files\Apple Software Update
2008-04-25 18:54 --------- d-----w C:\Program Files\iTunes
2008-04-25 18:52 --------- d-----w C:\Program Files\iPod
2008-04-25 18:40 --------- d-----w C:\Program Files\QuickTime
2008-04-23 21:08 --------- d-----w C:\Program Files\Jasc Software Inc
2008-04-23 21:08 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Jasc Software Inc
2008-04-23 21:02 --------- d-----w C:\Program Files\LimeWire
2008-04-23 20:52 --------- d-----w C:\Program Files\Ares
2008-04-23 20:51 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-23 20:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-04-22 19:06 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\LimeWire
2008-04-12 19:16 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\U3
2002-05-18 08:07 54,348 ----a-w C:\Documents and Settings\Chelsea.CLIFFORD\DAMN_DivX502_kg.exe
2002-05-17 15:02 3,561,039 ----a-w C:\Documents and Settings\Chelsea.CLIFFORD\DivXPro502Bundle.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb6c92f9-8241-4581-95f3-bac7fd0e5f09}]
2008-05-25 17:14 100608 --a------ C:\WINDOWS\system32\uhplsigx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40 124656]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 08:50 73728]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-11 17:14 1836544]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12 488984]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-26 01:26 171448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Program Files\Common Files\logishrd\WUApp32.exe" [2007-02-03 16:17 435736]

C:\Documents and Settings\Chelsea.CLIFFORD\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ucJ18.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chelsea.CLIFFORD^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\Chelsea.CLIFFORD\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-11-15 12:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-02-08 01:13 774168 C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-02-10 17:00 1937408 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2004-11-11 20:50 212992 C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2004-09-09 10:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 12:30:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-25 05:26:11 C:\WINDOWS\Tasks\{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_CQUINN1_Chelsea.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 19:00:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2008-05-25 19:13:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 00:13:01
ComboFix2.txt 2008-05-25 15:25:47

Pre-Run: 15,413,620,736 bytes free
Post-Run: 15,410,028,544 bytes free

228 --- E O F --- 2008-05-16 13:49:22
  • 0

#14
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\uhplsigx.dll
C:\WINDOWS\system32\tkmmmjtp.dll
C:\WINDOWS\system32\nihsmjar.dll
C:\WINDOWS\system32\rqmocqtu.dll
C:\WINDOWS\system32\knxrucpu.dll
C:\WINDOWS\system32\bbmwgxev.dll
C:\WINDOWS\system32\rplnoktf.dll
C:\WINDOWS\system32\logfmvup.dll
C:\WINDOWS\y.exe
C:\WINDOWS\x.exe
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\clrssn.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\waol.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\accesss.exe
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\avpcc.dll
C:\WINDOWS\users32.exe
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mssys.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\notepad32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\win64.exe
C:\WINDOWS\time.exe
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\ljJBsqQk.dll

Folder::
C:\Temp\vtmp2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb6c92f9-8241-4581-95f3-bac7fd0e5f09}]

DirLook::
C:\WINDOWS\system32\vntiho06


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply and let me know how the computer is performing now.

Regards,
RatHat
  • 0

#15
mdcbk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
All computers appear to be running just fine now. Can't thank you enough!

Here's the latest combofix log:

ComboFix 08-05-24.1 - Chelsea 2008-05-28 7:00:05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -5:00]
Running from: C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\iedll.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\sistem.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\bbmwgxev.dll
C:\WINDOWS\system32\knxrucpu.dll
C:\WINDOWS\system32\ljJBsqQk.dll
C:\WINDOWS\system32\logfmvup.dll
C:\WINDOWS\system32\nihsmjar.dll
C:\WINDOWS\system32\rplnoktf.dll
C:\WINDOWS\system32\rqmocqtu.dll
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\tkmmmjtp.dll
C:\WINDOWS\system32\uhplsigx.dll
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\vtmp2
C:\WINDOWS\system32\bbmwgxev.dll
C:\WINDOWS\system32\knxrucpu.dll
C:\WINDOWS\system32\logfmvup.dll
C:\WINDOWS\system32\nihsmjar.dll
C:\WINDOWS\system32\rplnoktf.dll
C:\WINDOWS\system32\rqmocqtu.dll
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\uhplsigx.dll
C:\WINDOWS\time.exe
C:\WINDOWS\xplugin.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-26 15:08 . 2008-05-26 15:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 15:08 . 2008-05-26 15:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-05-26 14:50 . 2008-05-26 14:50 <DIR> d-------- C:\Deckard
2008-05-26 09:46 . 2008-05-26 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 09:09 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-26 09:09 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-26 09:09 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-26 09:09 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-26 09:09 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-26 09:09 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-26 09:09 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-26 09:09 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-25 20:17 . 2008-05-25 20:18 <DIR> d-------- C:\Program Files\Panda Security
2008-05-25 15:35 . 2008-05-25 15:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 15:35 . 2008-05-25 15:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-25 15:35 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 15:35 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 14:56 . 2008-05-25 14:56 <DIR> d-------- C:\Program Files\ToniArts
2008-05-25 11:56 . 2008-05-25 11:56 <DIR> d-------- C:\VundoFix Backups
2008-05-25 10:42 . 2008-05-25 19:29 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-24 22:14 . 2008-05-24 22:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 22:14 . 2008-05-24 22:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-24 20:27 . 2008-05-24 20:27 <DIR> d-------- C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Malwarebytes
2008-05-24 20:13 . 2008-05-24 20:13 <DIR> d-------- C:\Program Files\ERUNT
2008-05-24 17:40 . 2008-05-24 17:40 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-24 17:40 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-24 17:39 . 2008-05-24 17:39 4 --a------ C:\WINDOWS\system32\hljwugsf.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 11:58 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-25 19:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 16:49 --------- d-----w C:\Program Files\HP
2008-05-25 15:52 --------- d-----w C:\Program Files\Corel
2008-05-25 15:52 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-25 15:52 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Corel
2008-05-25 04:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-05-25 04:00 --------- d-----w C:\Program Files\Google
2008-05-25 03:48 --------- d-----w C:\Program Files\BearShare
2008-05-21 13:28 --------- d-----w C:\Program Files\Dl_cats
2008-05-07 08:30 --------- d-----w C:\Program Files\Easy CD-DA Extractor 9
2008-04-29 13:12 --------- d-----w C:\Program Files\Apple Software Update
2008-04-25 18:54 --------- d-----w C:\Program Files\iTunes
2008-04-25 18:52 --------- d-----w C:\Program Files\iPod
2008-04-25 18:40 --------- d-----w C:\Program Files\QuickTime
2008-04-23 21:08 --------- d-----w C:\Program Files\Jasc Software Inc
2008-04-23 21:08 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\Jasc Software Inc
2008-04-23 21:02 --------- d-----w C:\Program Files\LimeWire
2008-04-23 20:52 --------- d-----w C:\Program Files\Ares
2008-04-23 20:51 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-23 20:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-04-22 19:06 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\LimeWire
2008-04-22 12:39 3,922 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-12 19:16 --------- d-----w C:\Documents and Settings\Chelsea.CLIFFORD\Application Data\U3
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2002-05-18 08:07 54,348 ----a-w C:\Documents and Settings\Chelsea.CLIFFORD\DAMN_DivX502_kg.exe
2002-05-17 15:02 3,561,039 ----a-w C:\Documents and Settings\Chelsea.CLIFFORD\DivXPro502Bundle.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\vntiho06 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40 124656]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 08:50 73728]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-11 17:14 1836544]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12 488984]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-26 01:26 171448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Program Files\Common Files\logishrd\WUApp32.exe" [2007-02-03 16:17 435736]

C:\Documents and Settings\Chelsea.CLIFFORD\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ucJ18.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chelsea.CLIFFORD^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\Chelsea.CLIFFORD\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-11-15 12:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-02-08 01:13 774168 C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-02-10 17:00 1937408 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2004-11-11 20:50 212992 C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2004-09-09 10:51]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 12:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-28 05:26:02 C:\WINDOWS\Tasks\{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_CQUINN1_Chelsea.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 07:05:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 7:10:40
ComboFix-quarantined-files.txt 2008-05-28 12:10:29
ComboFix2.txt 2008-05-26 00:13:08
ComboFix3.txt 2008-05-25 15:25:47

Pre-Run: 15,034,343,424 bytes free
Post-Run: 15,048,073,216 bytes free

226 --- E O F --- 2008-05-16 13:49:22
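A log like the one above is easier to review with a small parser than by eye: the "FILE ::" block only echoes what the CFScript asked for, while "Other Deletions" lists what ComboFix actually removed, so diffing the two shows which scripted entries were no longer on disk (here, most of the 37 scripted files; only 11 are reported under "Other Deletions"), and the "Reg Loading Points" block is where a reviewer confirms that only expected Run/RunOnce values and AppInit_DLLs remain. The following is an added example written for this thread, not ComboFix's own tooling and not code from the post. It assumes the report layout shown above (a "FILE ::" echo, "(((( Title ))))" section banners, REGEDIT4-style `"name"="command" [date size]` lines, and a catchme "hidden files: N" footer); the embedded sample log is constructed from a handful of paths taken from the post's report.

```python
"""Parse a ComboFix report from a scripted (CFScript) run and check what it did.

Added example; not ComboFix's tooling and not from the thread. Assumes the report
layout shown in the post (FILE :: echo, banner-delimited sections, REGEDIT4-style
Run values, catchme footer).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed report built from a few paths in the post's log.
SAMPLE_LOG = r"""
ComboFix 08-05-24.1 - Chelsea 2008-05-28 7:00:05.4 - NTFSx86
Command switches used :: C:\Documents and Settings\Chelsea.CLIFFORD\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\accesss.exe
C:\WINDOWS\system32\bbmwgxev.dll
C:\WINDOWS\time.exe
C:\WINDOWS\x.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\vtmp2
C:\WINDOWS\system32\bbmwgxev.dll
C:\WINDOWS\time.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.
2008-05-26 15:08 . 2008-05-26 15:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

scan completed successfully
hidden files: 0
"""

BANNER_RE = re.compile(r"^\({3,}\s*(?P<title>.+?)\s*\){3,}\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
FILE_INFO_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # trailing "[date time size]" stamp
HIDDEN_RE = re.compile(r"^hidden files:\s*(?P<n>\d+)$")


@dataclass
class ComboFixReport:
    requested_files: list[str] = field(default_factory=list)  # echoed FILE :: block
    other_deletions: list[str] = field(default_factory=list)  # what ComboFix removed
    reg_entries: dict[str, list[tuple[str, str]]] = field(default_factory=dict)
    hidden_files: int | None = None  # catchme footer; None if the footer is absent


def parse_combofix(text: str) -> ComboFixReport:
    """Walk the report line by line, switching section on each banner."""
    report = ComboFixReport()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = BANNER_RE.match(line)
        if banner:
            section, current_key = banner.group("title"), None
            continue
        if line == "FILE ::":
            section = "FILE"
            continue
        if not line or line == "." or line == "REGEDIT4":
            continue
        hidden = HIDDEN_RE.match(line)
        if hidden:
            report.hidden_files = int(hidden.group("n"))
            continue
        if section == "FILE":
            report.requested_files.append(line)
        elif section == "Other Deletions":
            report.other_deletions.append(line)
        elif section == "Reg Loading Points":
            key = REG_KEY_RE.match(line)
            if key:
                current_key = key.group("key")
                report.reg_entries.setdefault(current_key, [])
                continue
            value = REG_VALUE_RE.match(line)
            if value and current_key:
                # Drop the file stamp ComboFix appends when the target exists, then unquote.
                command = FILE_INFO_RE.sub("", value.group("data")).strip().strip('"')
                report.reg_entries[current_key].append((value.group("name"), command))
    return report


def not_found(report: ComboFixReport) -> list[str]:
    """Scripted files that ComboFix never reported removing (already gone, or never present)."""
    deleted = {p.lower() for p in report.other_deletions}
    return [p for p in report.requested_files if p.lower() not in deleted]


def autostart_commands(report: ComboFixReport) -> list[tuple[str, str, str]]:
    """Every value under a Run/RunOnce key as (key, name, command), for manual review."""
    out = []
    for key, entries in report.reg_entries.items():
        if key.rsplit("\\", 1)[-1].lower() in ("run", "runonce"):
            out.extend((key, name, cmd) for name, cmd in entries)
    return out


def appinit_dlls(report: ComboFixReport) -> list[str]:
    """DLLs listed in AppInit_DLLs, a load point worth checking after any cleanup."""
    for key, entries in report.reg_entries.items():
        if key.lower().endswith(r"\windows nt\currentversion\windows"):
            for name, data in entries:
                if name.lower() == "appinit_dlls":
                    return [d for d in re.split(r"[,\s]+", data) if d]
    return []


if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    print("scripted but not reported deleted:", not_found(rep))
    for key, name, cmd in autostart_commands(rep):
        print(f"{key}: {name} -> {cmd}")
    print("AppInit_DLLs:", appinit_dlls(rep), "| hidden files:", rep.hidden_files)
```

Run against the full report pasted above instead of the constructed sample, `not_found()` gives the 26 scripted paths that were already gone before this run, and `autostart_commands()` reduces the registry section to the short list of Run values a reviewer actually has to vouch for.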