Help! "SpySpider" & trojans!



#1
Breaku

Member
Alright, I have three elementary school brothers who share two computers. Naturally, they're computer retarded and tend to get a lot of spyware, and an occasional virus. Normally, I scan one computer each day, and doing so manages to keep them clean. Unfortunately, I was out of town for two weeks, and now one of their computers is... trashed. Several viruses and perhaps a ton of spyware. When I try to scan for either, I get popup after popup until the computer freezes.

Can anyone help me clean up this PC?

EDIT: I managed to get half a virus scan before popups crashed the PC; one of the infected files is "Launchurl.exe". And of course, the virus scanning program is unable to repair the infected file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:09 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AntispySpider] C:\Program Files\AntispySpider\antispyspider.exe
O4 - HKLM\..\Run: [f023c42c] rundll32.exe "C:\WINDOWS\system32\fpvyaysu.dll",b
O4 - HKLM\..\Run: [BMf310f7b0] Rundll32.exe "C:\WINDOWS\system32\hymmwckm.dll",s
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Systray] rundll32.exe sockins32.dll,RunMain
O4 - HKCU\..\Policies\Explorer\Run: [odeesv] C:\WINDOWS\system32\odeesv.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.co...etup1.0.0.7.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - http://www.worldofwa...qiraj-1024x.jpg
O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

--
End of file - 10060 bytes

Edited by Breaku, 19 May 2008 - 02:15 PM.

#2
Tal

Trusted Helper
Hello Breaku, welcome to GeeksToGo! :)

I'm sorry for the delay in getting back to you - our helpers have been very busy.

My name is Tal, and I will be helping you in the process of removing malware from your computer.

Before we proceed to clean your computer of malware, let's go over some points that will help both of us and prevent damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask! :)

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

Let's see what we can do to clean up the PC :)

Step 1: Searching with SmitFraudFix

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Step 2: Correcting entries with HijackThis
Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [AntispySpider] C:\Program Files\AntispySpider\antispyspider.exe
O4 - HKLM\..\Run: [f023c42c] rundll32.exe "C:\WINDOWS\system32\fpvyaysu.dll",b
O4 - HKLM\..\Run: [BMf310f7b0] Rundll32.exe "C:\WINDOWS\system32\hymmwckm.dll",s
O4 - HKCU\..\Run: [Systray] rundll32.exe sockins32.dll,RunMain
O4 - HKCU\..\Policies\Explorer\Run: [odeesv] C:\WINDOWS\system32\odeesv.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.co...etup1.0.0.7.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917



Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.


Step 3: Moving bad files

Please download OTMoveIt2 by OldTimer. Please note: If you already have OTMoveIt on your system, please replace it with this newer version.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\AntispySpider
    C:\WINDOWS\system32\fpvyaysu.dll
    C:\WINDOWS\system32\hymmwckm.dll
    C:\WINDOWS\system32\sockins32.dll
    C:\WINDOWS\system32\odeesv.exe
    C:\WINDOWS\b2new.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 4: Updating Java

Your Java is very outdated. Let's update it to help protect your computer from security holes in older versions of Java.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Step 5: Scanning with DSS

To help me take a better look at what's going on inside your computer, let's run DSS.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

Summary

In your next reply, please include the following:
  • SmitFraudFix log;
  • OTMoveIt log;
  • DSS main.txt and extra.txt (split across two posts)

Regards,

Tal :)

Edited by Tal, 24 May 2008 - 04:06 AM.

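An added example, not part of Tal's post and not code from HijackThis: a short Python script that applies the same kind of triage Tal does by hand to HijackThis log lines. The heuristics are this script's own rules of thumb (hex-junk Run value names, rundll32 loading an 8-letter random DLL or a DLL with no path, "(file missing)" registrations, the O7 DisableRegedit policy, an O18 text/html filter, O21 SSODL and O23 services with no owner), so they can produce false positives and do not replace a helper's review. The sample lines are a constructed subset copied from the HijackThis log posted above, with two clean entries (AVG, NVIDIA) kept so the split is visible. The reg.exe command it builds for the O7 line assumes Windows XP's reg.exe, which is not bound by the DisableRegedit policy that regedit.exe enforces.

```python
"""Triage HijackThis log lines for the entry patterns a helper checks.

Added example, not from the original post or from HijackThis.  The heuristics
are this script's own rules of thumb; the sample lines are a constructed
subset copied from the HijackThis log posted in the thread.
"""
import re
from typing import List, Tuple

# Constructed subset of the posted log; the AVG and NVIDIA lines are benign.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [f023c42c] rundll32.exe "C:\WINDOWS\system32\fpvyaysu.dll",b
O4 - HKLM\..\Run: [BMf310f7b0] Rundll32.exe "C:\WINDOWS\system32\hymmwckm.dll",s
O4 - HKCU\..\Run: [Systray] rundll32.exe sockins32.dll,RunMain
O4 - HKCU\..\Policies\Explorer\Run: [odeesv] C:\WINDOWS\system32\odeesv.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry looks like "O4 - <body>", "R1 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# rundll32 loading a DLL whose base name is exactly 8 lowercase letters
# (the f023c42c / BMf310f7b0 entries above follow this pattern).
RANDOM_DLL_RE = re.compile(r'rundll32\.exe\s+"?(?:[^"\s]*\\)?[a-z]{8}\.dll"?,', re.I)
# rundll32 given a bare DLL name with no directory, so Windows resolves it
# through the DLL search order instead of a fixed path.
PATHLESS_DLL_RE = re.compile(r'rundll32\.exe\s+"?[^\\"\s]+\.dll', re.I)
# Run value names that are 8 hex digits, optionally prefixed "BM".
HEX_NAME_RE = re.compile(r"\[(?:BM)?[0-9a-f]{8}\]", re.I)


def suspicious_reasons(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a look ([] = none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    if "(file missing)" in body:
        reasons.append("registration points at a file that no longer exists")
    if RANDOM_DLL_RE.search(body):
        reasons.append("rundll32 loads an 8-letter random-looking DLL")
    if PATHLESS_DLL_RE.search(body):
        reasons.append("rundll32 DLL has no path; resolved via search order")
    if section == "O4" and HEX_NAME_RE.search(body):
        reasons.append("Run value name is hex junk, not a product name")
    if section == "O4" and r"\Policies\Explorer\Run" in body:
        reasons.append("Policies\\Explorer\\Run autostart, rare in legitimate software")
    if section == "O7" and "DisableRegedit=1" in body:
        reasons.append("regedit disabled by policy (the 'registry editing has been disabled' message)")
    if section == "O18" and body.startswith("Filter hijack: text/html"):
        reasons.append("MIME filter on text/html sees every page IE renders")
    if section == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry, run by Explorer at logon")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor/owner string")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Pair every flagged line with its reasons, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = suspicious_reasons(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


def o7_undo_command(line: str) -> str:
    """Build the reg.exe command that deletes an O7 policy value.

    Assumption: reg.exe (shipped with Windows XP) is not itself subject to
    the DisableRegedit policy, which only regedit.exe enforces.  Returns ""
    for anything that is not an O7 line.
    """
    m = ENTRY_RE.match(line.strip())
    if not m or m.group("section") != "O7":
        return ""
    key, value = m.group("body").split(", ", 1)
    name = value.split("=", 1)[0]
    return f'reg delete "{key}" /v {name} /f'


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("    ->", r)
```

On the log above the script flags eight of the ten sample lines and leaves the AVG and NVIDIA entries alone. The O7 line is the one worth knowing about before Step 2: while DisableRegedit=1 is set, regedit.exe refuses to start, but HijackThis, reg.exe and SmitFraudFix write to the registry directly, so the fix itself is not blocked by that policy.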

#3
Breaku

Member (Topic Starter)
Thanks for the help, but I've hit a few speed bumps while trying to follow your directions.


First, during the SmitFraudFix scan, the message "Registry Edits have been disabled by the Administrator" popped up several times. How do I enable them? Here's the log nevertheless:

SmitFraudFix v2.322

Scan done at 11:20:56.40, Sat 05/24/2008
Run from C:\Documents and Settings\CurtFess\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\logo.gif FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\CurtFess


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\CurtFess\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CurtFess\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"
"OldUserinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 205.152.144.23
DNS Server Search Order: 205.152.37.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{30A07809-6442-40A0-9178-D2AF120C61F3}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFF8BFD1-1A55-4C9F-ABBC-3DE992BE11F9}: DhcpNameServer=205.152.144.23 205.152.37.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{30A07809-6442-40A0-9178-D2AF120C61F3}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{30A07809-6442-40A0-9178-D2AF120C61F3}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EFF8BFD1-1A55-4C9F-ABBC-3DE992BE11F9}: DhcpNameServer=205.152.144.23 205.152.37.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.152.144.23 205.152.37.23
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=205.152.144.23 205.152.37.23


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




The lack of registry edits prevented me from removing some of the things in HijackThis as well. It also seems like they managed to get a few more viruses during the past four days. Here is an updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:41 AM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E59EBEF-0666-4122-B6B5-105068F15D0E} - C:\WINDOWS\system32\cbXOFvVm.dll (file missing)
O2 - BHO: (no name) - {0F5AE548-F131-45DA-8C6F-32EBEB174AE1} - C:\WINDOWS\system32\mlJyAQKB.dll
O2 - BHO: (no name) - {1F6CC0D3-565F-482D-A044-AD45FC9C0814} - C:\WINDOWS\system32\urqOExuT.dll
O2 - BHO: (no name) - {251AA008-BD0A-4C66-B81F-52DBE4108918} - C:\WINDOWS\system32\qoMfdaYq.dll (file missing)
O2 - BHO: {8550b3b7-eaaf-7259-6ac4-f5de42d32373} - {37323d24-ed5f-4ca6-9527-faae7b3b0558} - C:\WINDOWS\system32\nqmafasx.dll
O2 - BHO: (no name) - {377B2634-D458-48B6-98D5-D9E1199F462F} - C:\WINDOWS\system32\jkkjJBUm.dll (file missing)
O2 - BHO: (no name) - {5B9A2BC5-2243-4EC7-A605-584ACB9356CA} - C:\WINDOWS\system32\opnolLcB.dll (file missing)
O2 - BHO: (no name) - {63371012-F68E-40A5-8D82-99257305308B} - C:\WINDOWS\system32\xxyvusQH.dll (file missing)
O2 - BHO: (no name) - {6AAC6353-ED33-53CC-D575-66557B87733D} - C:\WINDOWS\system32\vfsa.dll (file missing)
O2 - BHO: (no name) - {72FF9E18-AA28-47A4-954F-89857328EC80} - C:\WINDOWS\system32\cbXNGXPH.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7EE573EC-502B-4527-86B9-5F5E649BEA00} - C:\WINDOWS\system32\opnnooop.dll (file missing)
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
O2 - BHO: (no name) - {8365396B-25C1-440B-AEB3-3E8122D71938} - C:\WINDOWS\system32\ljJBroLc.dll (file missing)
O2 - BHO: (no name) - {A75B1E37-87F9-DF22-8248-891DF24644C3} - C:\WINDOWS\system32\pybiluq.dll (file missing)
O2 - BHO: (no name) - {A8E8C748-56DD-7D23-8C49-0FC5490D10E7} - C:\WINDOWS\system32\sjfxqbn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {AE603669-3A5F-4C25-A85D-FF91E7EE01A9} - C:\WINDOWS\system32\byXPFYQg.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B7CDDC68-4BAE-4F95-A3B3-7B6C168F0B30} - C:\WINDOWS\system32\qoMccYSK.dll (file missing)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\opnoNeFV.dll
O2 - BHO: (no name) - {D744DA6E-16D6-4D62-8F9D-E756C9A88430} - C:\WINDOWS\system32\rqRKCVPh.dll (file missing)
O2 - BHO: (no name) - {D869F825-3467-4976-852A-5BA4D2E31AD7} - C:\WINDOWS\system32\pmnnLeFU.dll (file missing)
O2 - BHO: (no name) - {D928D6B9-4949-4669-BEA0-021F735308EE} - C:\WINDOWS\system32\tuvVOFxw.dll (file missing)
O2 - BHO: (no name) - {FC00DD52-AF6E-4422-9110-586D5DAE7141} - C:\WINDOWS\system32\ljJYSlkj.dll (file missing)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [f023c42c] rundll32.exe "C:\WINDOWS\system32\ukorhpti.dll",b
O4 - HKLM\..\Run: [BMf310f7b0] Rundll32.exe "C:\WINDOWS\system32\svoblpdb.dll",s
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [odeesv] C:\WINDOWS\system32\odeesv.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.co...etup1.0.0.7.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: opnoNeFV - C:\WINDOWS\SYSTEM32\opnoNeFV.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - http://www.worldofwa...qiraj-1024x.jpg
O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

--
End of file - 12073 bytes

Edited by Breaku, 24 May 2008 - 09:49 AM.

  • 0

#4
Tal
    Trusted Helper
  • Retired Staff
  • 2,138 posts
Hi :)

Indeed, your brothers have infected the machine with the newest variant of Vundo. It doesn't have an automated fix yet. It's going to be a bit of a problem cleaning up the machine if the infections keep coming back, so perhaps it's a good idea to try to explain to them the dangers of spyware.

As for the registry tools being disabled... This shouldn't matter to HijackThis. Did you get a certain error? We'll try doing this differently. Also, you have not followed my instructions and didn't scan with DSS. I need the DSS log to get the required info to remove that Vundo variant and see what's going on inside, so please scan with DSS and reply with the logs :)

Tal.
  • 0
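As an added illustration (not code from this thread, from Tal, or from the HijackThis tool), here is a small Python triage script that applies the kinds of checks a helper applies when reading these logs: components whose file is missing, unnamed BHOs, rundll32 entries loading a DLL through a one-letter export, the O7 policy that produces the "disabled by the Administrator" error, O18 filter hijacks, O20 Winlogon Notify and O21 SSODL hooks, services with no owner, and a start page redirected to a local file. The rule set and its labels are my own heuristics; the sample lines are copied from the logs posted in this thread.

```python
"""Heuristic triage of HijackThis-style log lines (added example)."""
import re
from collections import Counter
from typing import Callable, Dict, List, Optional, Set, Tuple

# Sample lines copied from the HijackThis/DSS logs in this thread, plus a few
# clean entries (Acrobat, AVG, NVIDIA) so the heuristics have something to ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E59EBEF-0666-4122-B6B5-105068F15D0E} - C:\WINDOWS\system32\cbXOFvVm.dll (file missing)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\opnoNeFV.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [f023c42c] rundll32.exe "C:\WINDOWS\system32\ukorhpti.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: opnoNeFV - C:\WINDOWS\SYSTEM32\opnoNeFV.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "rundll32 <dll>,<x>" where the export name is a single letter, as in the
# [f023c42c] / [BMf310f7b0] run keys in the log above.
RUNDLL_ONE_LETTER = re.compile(r'rundll32(?:\.exe)?\s+"[^"]+\.dll",\s*[A-Za-z]\s*$', re.I)

# (sections the rule applies to, or None for all; predicate on the line body; label)
Rule = Tuple[Optional[Set[str]], Callable[[str], bool], str]
RULES: List[Rule] = [
    (None, lambda b: "(file missing)" in b,
     "registered component whose file no longer exists"),
    ({"O2"}, lambda b: b.startswith("BHO: (no name)"),
     "browser helper object registered without a name"),
    ({"O4"}, lambda b: RUNDLL_ONE_LETTER.search(b) is not None,
     "rundll32 loading a DLL through a one-letter export"),
    ({"O7"}, lambda b: re.search(r"DisableReg(?:edit|istryTools)=1", b) is not None,
     "registry editing disabled by policy ('disabled by the Administrator' error)"),
    ({"O18"}, lambda b: b.startswith("Filter hijack:"),
     "MIME filter inserted for a core content type"),
    ({"O20"}, lambda b: b.startswith("Winlogon Notify:"),
     "Winlogon Notify DLL (loaded by winlogon at every logon)"),
    ({"O21"}, lambda b: b.startswith("SSODL:"),
     "ShellServiceObjectDelayLoad entry (loaded by Explorer at startup)"),
    ({"O23"}, lambda b: "- Unknown owner -" in b,
     "service with no vendor information"),
    ({"R0", "R1"}, lambda b: "= file://" in b,
     "browser start/search page redirected to a local file"),
]


def parse_line(line: str) -> Tuple[Optional[str], str]:
    """Split an HJT line into (section, body), e.g. ('O2', 'BHO: ...').
    Lines that are not HJT entries return (None, text)."""
    m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return every line that trips at least one rule, with all its reasons."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        section, body = parse_line(raw)
        if section is None:
            continue
        reasons = [label for secs, pred, label in RULES
                   if (secs is None or section in secs) and pred(body)]
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


def summarize(findings: List[Tuple[str, List[str]]]) -> Dict[str, int]:
    """Count how often each rule fired across the flagged lines."""
    return dict(Counter(r for _, reasons in findings for r in reasons))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for line, reasons in hits:
        print(line)
        for r in reasons:
            print("    ->", r)
    print()
    for label, n in summarize(hits).items():
        print(f"{n:2d}  {label}")
```

The output lists nine of the twelve sample lines; the Acrobat BHO, the AVG run key and the NVIDIA service pass untouched, which is the point of keeping the rules narrow.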

#5
Breaku
    Member
  • Topic Starter
  • Member
  • PipPip
  • 16 posts
With HijackThis, some things just won't be fixed--the error is just "Registry Edits have been disabled by the Administrator".

And, the DSS was still scanning--I just wasn't sure how important the errors were. :)


Anyhow, Main:
Deckard's System Scanner v20071014.68
Run by CurtFess on 2008-05-24 12:28:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-24 16:28:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis (run as CurtFess.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:52 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\CurtFess\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CurtFess.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E59EBEF-0666-4122-B6B5-105068F15D0E} - C:\WINDOWS\system32\cbXOFvVm.dll (file missing)
O2 - BHO: (no name) - {0F5AE548-F131-45DA-8C6F-32EBEB174AE1} - C:\WINDOWS\system32\mlJyAQKB.dll (file missing)
O2 - BHO: (no name) - {1F6CC0D3-565F-482D-A044-AD45FC9C0814} - C:\WINDOWS\system32\urqOExuT.dll (file missing)
O2 - BHO: (no name) - {251AA008-BD0A-4C66-B81F-52DBE4108918} - C:\WINDOWS\system32\qoMfdaYq.dll (file missing)
O2 - BHO: {8550b3b7-eaaf-7259-6ac4-f5de42d32373} - {37323d24-ed5f-4ca6-9527-faae7b3b0558} - C:\WINDOWS\system32\nqmafasx.dll
O2 - BHO: (no name) - {377B2634-D458-48B6-98D5-D9E1199F462F} - C:\WINDOWS\system32\jkkjJBUm.dll (file missing)
O2 - BHO: (no name) - {5B9A2BC5-2243-4EC7-A605-584ACB9356CA} - C:\WINDOWS\system32\opnolLcB.dll (file missing)
O2 - BHO: (no name) - {63371012-F68E-40A5-8D82-99257305308B} - C:\WINDOWS\system32\xxyvusQH.dll (file missing)
O2 - BHO: (no name) - {6AAC6353-ED33-53CC-D575-66557B87733D} - C:\WINDOWS\system32\vfsa.dll (file missing)
O2 - BHO: (no name) - {72FF9E18-AA28-47A4-954F-89857328EC80} - C:\WINDOWS\system32\cbXNGXPH.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7EE573EC-502B-4527-86B9-5F5E649BEA00} - C:\WINDOWS\system32\opnnooop.dll (file missing)
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
O2 - BHO: (no name) - {8365396B-25C1-440B-AEB3-3E8122D71938} - C:\WINDOWS\system32\ljJBroLc.dll (file missing)
O2 - BHO: (no name) - {A75B1E37-87F9-DF22-8248-891DF24644C3} - C:\WINDOWS\system32\pybiluq.dll (file missing)
O2 - BHO: (no name) - {A8E8C748-56DD-7D23-8C49-0FC5490D10E7} - C:\WINDOWS\system32\sjfxqbn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {AE603669-3A5F-4C25-A85D-FF91E7EE01A9} - C:\WINDOWS\system32\byXPFYQg.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B7CDDC68-4BAE-4F95-A3B3-7B6C168F0B30} - C:\WINDOWS\system32\qoMccYSK.dll (file missing)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\opnoNeFV.dll
O2 - BHO: (no name) - {D744DA6E-16D6-4D62-8F9D-E756C9A88430} - C:\WINDOWS\system32\rqRKCVPh.dll (file missing)
O2 - BHO: (no name) - {D869F825-3467-4976-852A-5BA4D2E31AD7} - C:\WINDOWS\system32\pmnnLeFU.dll (file missing)
O2 - BHO: (no name) - {D928D6B9-4949-4669-BEA0-021F735308EE} - C:\WINDOWS\system32\tuvVOFxw.dll (file missing)
O2 - BHO: (no name) - {FC00DD52-AF6E-4422-9110-586D5DAE7141} - C:\WINDOWS\system32\ljJYSlkj.dll (file missing)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [f023c42c] rundll32.exe "C:\WINDOWS\system32\ukorhpti.dll",b
O4 - HKLM\..\Run: [BMf310f7b0] Rundll32.exe "C:\WINDOWS\system32\svoblpdb.dll",s
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [odeesv] C:\WINDOWS\system32\odeesv.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.co...etup1.0.0.7.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: opnoNeFV - C:\WINDOWS\SYSTEM32\opnoNeFV.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - http://www.worldofwa...qiraj-1024x.jpg
O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

--
End of file - 12143 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080519-154846-682 O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917
backup-20080519-154913-735 O4 - HKLM\..\Run: [AntispySpider] C:\Program Files\AntispySpider\antispyspider.exe
backup-20080519-155120-620 O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917
backup-20080519-192138-812 O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917
backup-20080519-193801-954 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
backup-20080519-193803-905 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
backup-20080524-113404-425 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
backup-20080524-113404-476 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
backup-20080524-113404-521 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
backup-20080524-113404-582 F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
backup-20080524-113404-697 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
backup-20080524-113404-820 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
backup-20080524-113404-849 O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 XTrapD12 - c:\program files\legend of ares\\xtrap\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\b2new.exe service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-24 11:06:00 418 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-05-23 16:00:03 414 --ah----- C:\WINDOWS\Tasks\{4BA28505-D509-483C-8D83-A40EFBC328F6}_STARCRAFT_Amercaindancer.job


-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 12:08:30 315120 --a------ C:\WINDOWS\system32\awttrSJD.dll
2008-05-24 11:21:29 4250 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-24 11:08:29 315120 --a------ C:\WINDOWS\system32\ljJBuvuv.dll
2008-05-23 20:31:42 100608 --a------ C:\WINDOWS\system32\nqmafasx.dll
2008-05-23 20:28:42 2560 --a------ C:\WINDOWS\system32\jkamimev.exe
2008-05-23 20:22:42 83200 --a------ C:\WINDOWS\system32\ukorhpti.dll
2008-05-23 20:19:42 91008 --a------ C:\WINDOWS\system32\svoblpdb.dll
2008-05-22 20:16:41 901681 --ahs---- C:\WINDOWS\system32\TuxEOqru.ini2
2008-05-22 11:02:23 0 dr-h----- C:\$VAULT$.AVG
2008-05-22 09:31:03 23670 --ahs---- C:\WINDOWS\system32\BcLlonpo.ini2
2008-05-21 15:01:21 99952 --a------ C:\WINDOWS\system32\bbvvtuew.dll
2008-05-21 14:55:19 2560 --a------ C:\WINDOWS\system32\btltplun.exe
2008-05-21 14:52:18 83296 --a------ C:\WINDOWS\system32\pvepkxgr.dll
2008-05-21 14:50:23 90896 --a------ C:\WINDOWS\system32\ebxorsgi.dll
2008-05-21 14:49:17 885749 --ahs---- C:\WINDOWS\system32\mUBJjkkj.ini2
2008-05-20 15:18:05 2560 --a------ C:\WINDOWS\system32\blxjaiil.exe
2008-05-20 15:12:04 82976 --a------ C:\WINDOWS\system32\vgxyopeg.dll
2008-05-20 15:09:04 99984 --a------ C:\WINDOWS\system32\hgakgjfk.dll
2008-05-20 15:07:54 90208 --a------ C:\WINDOWS\system32\kmmuvnmf.dll
2008-05-20 15:06:02 1023416 --ahs---- C:\WINDOWS\system32\mVvFOXbc.ini2
2008-05-19 19:09:13 99856 --a------ C:\WINDOWS\system32\vtdwyvpn.dll
2008-05-19 19:09:08 83024 --a------ C:\WINDOWS\system32\iiqnkiss.dll
2008-05-19 19:03:06 2560 --a------ C:\WINDOWS\system32\axaxmtup.exe
2008-05-19 18:58:04 90160 --a------ C:\WINDOWS\system32\jxmghapo.dll
2008-05-19 18:57:04 1011424 --ahs---- C:\WINDOWS\system32\jklSYJjl.ini2
2008-05-19 16:11:31 2560 --a------ C:\WINDOWS\system32\oquyaowm.exe
2008-05-19 16:11:25 99856 --a------ C:\WINDOWS\system32\ypuelghc.dll
2008-05-19 16:06:15 83024 --a------ C:\WINDOWS\system32\vwgkmqgl.dll
2008-05-19 16:06:06 90160 --a------ C:\WINDOWS\system32\suenwvan.dll
2008-05-19 16:05:20 1009135 --ahs---- C:\WINDOWS\system32\BKQAyJlm.ini2
2008-05-19 15:34:46 0 d-------- C:\Program Files\Trend Micro
2008-05-19 15:06:42 2560 --a------ C:\WINDOWS\system32\jkxymbhh.exe
2008-05-19 15:06:34 99856 --a------ C:\WINDOWS\system32\yvvnqukp.dll
2008-05-19 15:03:33 83024 --a------ C:\WINDOWS\system32\fpvyaysu.dll
2008-05-19 15:01:35 90160 --a------ C:\WINDOWS\system32\hymmwckm.dll
2008-05-19 02:57:25 83072 --a------ C:\WINDOWS\system32\gmstlcrd.dll
2008-05-19 02:57:06 98880 --a------ C:\WINDOWS\system32\qnipmugf.dll
2008-05-19 02:56:42 90272 --a------ C:\WINDOWS\system32\rgwxgyft.dll
2008-05-18 03:05:42 98960 --a------ C:\WINDOWS\system32\xsbvxgfb.dll
2008-05-18 02:54:49 90224 --a------ C:\WINDOWS\system32\dtylhlxd.dll
2008-05-18 02:53:40 1343954 --ahs---- C:\WINDOWS\system32\pooonnpo.ini2
2008-05-17 21:59:55 82960 --a------ C:\WINDOWS\system32\jaibvkum.dll
2008-05-17 21:57:05 98960 --a------ C:\WINDOWS\system32\eqgypoti.dll
2008-05-17 21:46:12 90224 --a------ C:\WINDOWS\system32\ooarslfr.dll
2008-05-17 21:44:50 1346063 --ahs---- C:\WINDOWS\system32\UFeLnnmp.ini2
2008-05-17 16:09:51 98960 --a------ C:\WINDOWS\system32\avdqpnnc.dll
2008-05-17 16:06:28 90224 --a------ C:\WINDOWS\system32\yenxqsxm.dll
2008-05-17 08:20:17 82960 --a------ C:\WINDOWS\system32\sqbetgsv.dll
2008-05-17 08:18:06 98960 --a------ C:\WINDOWS\system32\njxkbsjy.dll
2008-05-17 08:11:55 90224 --a------ C:\WINDOWS\system32\ptwmsjxv.dll
2008-05-17 08:08:08 1006431 --ahs---- C:\WINDOWS\system32\HQsuvyxx.ini2
2008-05-16 21:00:31 98896 --a------ C:\WINDOWS\system32\ovbsrwdh.dll
2008-05-16 20:54:24 90240 --a------ C:\WINDOWS\system32\ffhnoswi.dll
2008-05-16 20:51:18 371 --ahs---- C:\WINDOWS\system32\cLorBJjl.ini2
2008-05-16 20:42:36 0 d-------- C:\Documents and Settings\PHAT_MOMMA\Application Data\AVG7
2008-05-16 17:42:16 98896 --a------ C:\WINDOWS\system32\mspufrlj.dll
2008-05-16 17:41:15 82992 --a------ C:\WINDOWS\system32\jllcmdsk.dll
2008-05-16 17:40:09 90240 --a------ C:\WINDOWS\system32\rxsoaqwa.dll
2008-05-16 17:38:08 1348235 --ahs---- C:\WINDOWS\system32\HPXGNXbc.ini2
2008-05-16 16:26:41 347 --ahs---- C:\WINDOWS\system32\stuvGfhk.ini2
2008-05-15 18:40:22 82960 --a------ C:\WINDOWS\system32\covluvny.dll
2008-05-15 18:37:22 98960 --a------ C:\WINDOWS\system32\qmgarqes.dll
2008-05-15 18:35:41 90304 --a------ C:\WINDOWS\system32\spbkehuq.dll
2008-05-15 17:01:32 98960 --a------ C:\WINDOWS\system32\mxumpxht.dll
2008-05-15 16:59:39 90304 --a------ C:\WINDOWS\system32\bccxnrmx.dll
2008-05-15 13:54:12 90304 --a------ C:\WINDOWS\system32\jylrhyvq.dll
2008-05-15 13:51:17 1328017 --ahs---- C:\WINDOWS\system32\qYadfMoq.ini2
2008-05-15 13:46:59 0 d-------- C:\Program Files\RcvSystem
2008-05-11 14:39:26 98912 --a------ C:\WINDOWS\system32\vxkvojbm.dll
2008-05-11 14:35:16 90208 --a------ C:\WINDOWS\system32\jlofcyij.dll
2008-05-11 14:33:24 1050089 --ahs---- C:\WINDOWS\system32\wxFOVvut.ini2
2008-05-11 08:52:51 98912 --a------ C:\WINDOWS\system32\ueqicerl.dll
2008-05-11 08:35:32 90208 --a------ C:\WINDOWS\system32\njhyqnjo.dll
2008-05-11 08:34:16 1041395 --ahs---- C:\WINDOWS\system32\KSYccMoq.ini2
2008-05-10 21:45:45 7109 --ahs---- C:\WINDOWS\system32\hPVCKRqr.ini2
2008-05-10 20:20:58 0 d-------- C:\WINDOWS\network diagnostic
2008-05-10 14:25:42 7785 --ahs---- C:\WINDOWS\system32\gQYFPXyb.ini2
2008-05-10 14:22:36 32768 --a------ C:\WINDOWS\system32\sockins32.dll <Not Verified; ThinkPad; ThinkPad repl>
2008-05-10 14:22:07 0 d-------- C:\Program Files\QdrPack
2008-05-10 14:21:23 0 d-------- C:\Program Files\QdrModule
2008-05-10 14:20:47 0 d-------- C:\Program Files\QdrDrive
2008-05-10 14:20:21 25728 --a------ C:\WINDOWS\system32\opnoNeFV.dll
2008-05-10 14:20:15 0 d-------- C:\Program Files\ISM


-- Find3M Report ---------------------------------------------------------------

2008-05-24 11:03:57 0 d-------- C:\Documents and Settings\CurtFess\Application Data\AVG7
2008-05-19 15:03:13 0 d-------- C:\Program Files\Common Files
2008-05-19 15:02:11 0 d-------- C:\Program Files\AIM+
2008-03-28 09:28:47 0 d-------- C:\Program Files\Armagetron Advanced


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E59EBEF-0666-4122-B6B5-105068F15D0E}]
C:\WINDOWS\system32\cbXOFvVm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F5AE548-F131-45DA-8C6F-32EBEB174AE1}]
C:\WINDOWS\system32\mlJyAQKB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F6CC0D3-565F-482D-A044-AD45FC9C0814}]
C:\WINDOWS\system32\urqOExuT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{251AA008-BD0A-4C66-B81F-52DBE4108918}]
C:\WINDOWS\system32\qoMfdaYq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37323d24-ed5f-4ca6-9527-faae7b3b0558}]
05/23/2008 08:31 PM 100608 --a------ C:\WINDOWS\system32\nqmafasx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377B2634-D458-48B6-98D5-D9E1199F462F}]
C:\WINDOWS\system32\jkkjJBUm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B9A2BC5-2243-4EC7-A605-584ACB9356CA}]
C:\WINDOWS\system32\opnolLcB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63371012-F68E-40A5-8D82-99257305308B}]
C:\WINDOWS\system32\xxyvusQH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AAC6353-ED33-53CC-D575-66557B87733D}]
C:\WINDOWS\system32\vfsa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72FF9E18-AA28-47A4-954F-89857328EC80}]
C:\WINDOWS\system32\cbXNGXPH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EE573EC-502B-4527-86B9-5F5E649BEA00}]
C:\WINDOWS\system32\opnnooop.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8334A30C-49E5-489a-B63D-5B927C1EF46E}]
04/03/2008 04:05 PM 147456 --a------ C:\Program Files\QdrDrive\QdrDrive15.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8365396B-25C1-440B-AEB3-3E8122D71938}]
C:\WINDOWS\system32\ljJBroLc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A75B1E37-87F9-DF22-8248-891DF24644C3}]
C:\WINDOWS\system32\pybiluq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8E8C748-56DD-7D23-8C49-0FC5490D10E7}]
C:\WINDOWS\system32\sjfxqbn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE603669-3A5F-4C25-A85D-FF91E7EE01A9}]
C:\WINDOWS\system32\byXPFYQg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7CDDC68-4BAE-4F95-A3B3-7B6C168F0B30}]
C:\WINDOWS\system32\qoMccYSK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
05/10/2008 02:20 PM 25728 --a------ C:\WINDOWS\system32\opnoNeFV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D744DA6E-16D6-4D62-8F9D-E756C9A88430}]
C:\WINDOWS\system32\rqRKCVPh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D869F825-3467-4976-852A-5BA4D2E31AD7}]
C:\WINDOWS\system32\pmnnLeFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D928D6B9-4949-4669-BEA0-021F735308EE}]
C:\WINDOWS\system32\tuvVOFxw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC00DD52-AF6E-4422-9110-586D5DAE7141}]
C:\WINDOWS\system32\ljJYSlkj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 10:43 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/28/2004 05:48 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/18/2008 03:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/21/2005 07:29 PM]
"@"="" []
"f023c42c"="C:\WINDOWS\system32\ukorhpti.dll" [05/23/2008 08:22 PM]
"BMf310f7b0"="C:\WINDOWS\system32\svoblpdb.dll" [05/23/2008 08:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [08/21/2006 01:48 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/15/2007 12:20 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
"NoActiveDesktop"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"odeesv"=C:\WINDOWS\system32\odeesv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\opnoNeFV.dll [05/10/2008 02:20 PM 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoNeFV]
opnoNeFV.dll 05/10/2008 02:20 PM 25728 C:\WINDOWS\system32\opnoNeFV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqOExuT

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CurtFess^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\CurtFess\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180ax]
c:\windows\180ax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2LRX2W83X2T3MQ]
C:\WINDOWS\System32\MtyJ62F.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8]
C:\documents and settings\curtfess\local settings\temp\8.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8D]
C:\documents and settings\amercaindancer\local settings\temp\8D.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
C:\Program Files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
"C:\DOCUME~1\AMERCA~1\APPLIC~1\SEMBLY~1\regsvr32.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
C:\Program Files\Bargain Buddy\bin2\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperBrwsr]
C:\WINDOWS\dhbrwsr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate]
C:\WINDOWS\DHUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hehsks]
C:\WINDOWS\vrygq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotNow]
C:\Program Files\PVM\Dialers\HotNow\HotNow.exe /dontdial

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"C:\Program Files\Internet Optimizer\optimize.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ippromon]
C:\WINDOWS\System32\ippromon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loads.exe]
C:\WINDOWS\suploads.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mediamotor.exe]
C:\WINDOWS\mmups.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mfyj]
C:\WINDOWS\mfyj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mh4]
C:\documents and settings\amercaindancer\local settings\temp\Mh4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Updates]
C:\WINDOWS\mscache.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\temp\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\odeesv]
C:\WINDOWS\system32\odeesv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ojexmtyb]
C:\WINDOWS\ojexmtyb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSS]
c:\windows\system32\rk.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prutict]
C:\WINDOWS\system32\prutict.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prvtect]
C:\WINDOWS\system32\prvtect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperPowerIcons]
C:\Program Files\Super Power Icons\SuperPowerIcons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 2]
C:\Program Files\SurfSideKick 2\Ssk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Media]
C:\Program Files\TV Media\Tvm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAPI]
C:\WINDOWS\System32\wtssvcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.EXE 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
"C:\Program Files\Web_Rebates\WebRebates0.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows SA]
C:\Program Files\WindowsSA\omniscient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"c:\program files\zango\zango.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.f1organizer.com #REMOVED ADWARE URL
127.0.0.1 www.netpalnow.com #REMOVED ADWARE URL
127.0.0.1 www.addictivetechnologies.com #REMOVED ADWARE URL
127.0.0.1 easywarez.com www.easywarez.com ftp.easywarez.com update.easywarez.com support.easywarez.com warezspot.com www.warezspot.com #fwav
127.0.0.1 www.warezspot.com ftp.warezspot.com update.warezspot.com support.warezspot.com freegirlfun.com www.freegirlfun.com ftp.freegirlfun.com #fwav
127.0.0.1 ftp.freegirlfun.com update.freegirlfun.com support.freegirlfun.com 204.177.92.193 www.204.177.92.193 ftp.204.177.92.193 update.204.177.92.193 #fwav
127.0.0.1 update.204.177.92.193 support.204.177.92.193 204.177.92.198 www.204.177.92.198 ftp.204.177.92.198 update.204.177.92.198 support.204.177.92.198 #fwav
127.0.0.1 support.204.177.92.198 free-memberships.net www.free-memberships.net ftp.free-memberships.net update.free-memberships.net support.free-memberships.net #fwav


-- End of Deckard's System Scanner: finished at 2008-05-24 13:02:28 ------------
  • 0

#6 Breaku (Member, Topic Starter, 16 posts)
And Extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1500MHz
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 383.01 MiB / 99.32 MiB
Pagefile Memory (total/avail): 794.95 MiB / 380.83 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.95 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 8.84 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75CLB0 - 37.27 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.24 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntivirusOverride is set.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Warcraft III\\war3.exe"="C:\\Program Files\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\AIM95\\AIM95_c0\\aim.exe"="C:\\Program Files\\AIM95\\AIM95_c0\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM95\\AIM95_c1\\aim.exe"="C:\\Program Files\\AIM95\\AIM95_c1\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM95\\AIM95_c2\\aim.exe"="C:\\Program Files\\AIM95\\AIM95_c2\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM95\\AIM95_c3\\aim.exe"="C:\\Program Files\\AIM95\\AIM95_c3\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM95\\AIM95_c4\\aim.exe"="C:\\Program Files\\AIM95\\AIM95_c4\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\[email protected]\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike source beta\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike source beta\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Integrity Messenger\\messenger.exe"="C:\\Program Files\\Integrity Messenger\\messenger.exe:*:Enabled:messenger"
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\half-life\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\[email protected]\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Atari-Infogrames\\RiskII\\RiskII.exe"="C:\\Program Files\\Atari-Infogrames\\RiskII\\RiskII.exe:*:Enabled:Risk II"
"C:\\Program Files\\Atari-Infogrames\\Civilization III Gold Edition\\Civ3PTW\\Civilization3x.exe"="C:\\Program Files\\Atari-Infogrames\\Civilization III Gold Edition\\Civ3PTW\\Civilization3x.exe:*:Enabled:Civilization3X"
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\CurtFess\\Desktop\\WoWMovieDownloader-EnUS.exe"="C:\\Documents and Settings\\CurtFess\\Desktop\\WoWMovieDownloader-EnUS.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\Amercaindancer\\Local Settings\\Temp\\~os1E.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Amercaindancer\\Local Settings\\Temp\\~os1E.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Amercaindancer\\Local Settings\\Temp\\~os38.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Amercaindancer\\Local Settings\\Temp\\~os38.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\Amercaindancer\\My Documents\\Warcraft III\\Warcraft III.exe"="C:\\Documents and Settings\\Amercaindancer\\My Documents\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\NetStorm\\netstorm.exe"="C:\\NetStorm\\netstorm.exe:*:Enabled:netstorm"
"C:\\Program Files\\NetstormLaunch\\package\\netstorm.exe"="C:\\Program Files\\NetstormLaunch\\package\\netstorm.exe:*:Enabled:netstorm"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\Rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\Rakion.bin:*:Enabled:Rakion"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\NetStorm\\r.exe"="C:\\NetStorm\\r.exe:*:Disabled:r"
"c:\\windows\\system32\\rk.exe"="c:\\windows\\system32\\rk.exe:*:Disabled:rk.exe"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe"="C:\\WINDOWS\\system32\\SolidStateNetworks\\SolidStateION\\solidnm.exe:*:Enabled:Solid State Networks Browser Plugin"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\CurtFess\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=UPSTAIRS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\CurtFess
LANG=C
LOGONSERVER=\\UPSTAIRS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CurtFess\LOCALS~1\Temp
TMP=C:\DOCUME~1\CurtFess\LOCALS~1\Temp
USERDOMAIN=UPSTAIRS
USERNAME=CurtFess
USERPROFILE=C:\Documents and Settings\CurtFess
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

CurtFess (admin)
Amercaindancer (admin)
PHAT_MOMMA (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Creative\SBLive\Program\Upddrv2k.EXE
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\CTMixer.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Diagnose2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\HTML.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Midi.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\PlayCenter2\Player2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Recorder\Recorder.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Restore.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SoundFont.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\WaveStudio\Wstudio.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 4.0, 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AntispySpider --> MsiExec.exe /I{19644868-3D1B-4017-AFBD-23A5F14F98BC}
AOL Instant Messenger --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
Armagetron Advanced 0.2.8.1-1.vc6 --> C:\Program Files\Armagetron Advanced\uninst.exe
Arsenal III --> C:\PROGRA~1\CAMELO~1\ARSENA~1\UNWISE.EXE C:\PROGRA~1\CAMELO~1\ARSENA~1\INSTALL.LOG
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Backup Dell-Installed Programs --> MsiExec.exe /X{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}
Beachhead 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Beachhead 2000\Uninst.isu"
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Conquest 3.0 --> "C:\Program Files\Conquest\unins000.exe"
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Dragonball Z : Bid For Power - RC3 --> C:\WINDOWS\unvise32.exe C:\Program Files\Quake III Arena\uninstal.log
FoneSync --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FoneSync\Uninst.isu" -c"C:\Program Files\FoneSync\UninstSupport.dll"
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar5.dll"
Google Video Uploader --> "C:\Program Files\Google Video\Uninstall.exe"
GTK+ 2.8.9 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\unins000.exe"
Hero Editor V0.96 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Hero Editor\ST6UNST.000"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hoyle Board Games --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\HCBG2\Uninst.isu
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
J2SE Development Kit 5.0 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150060}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
LEGO Island --> C:\PROGRA~1\LEGOIS~1\UNINST.EXE C:\PROGRA~1\LEGOIS~1\INSTALL.LOG
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2001 --> MsiExec.exe /I{01001202-5D65-445A-B3B4-3DCE72BA0C6C}
Microsoft Linguistic Information Sound Editing Tool --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\lstinst.inf, Uninstall
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Speech Recognition Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mscsrgpc.inf, Uninstall.NT
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Word 2000 SR-1 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2001 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe D:\
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}
MissionRisk --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\MissionRisk\ST6UNST.LOG"
Mother Of All Battles 3.1 --> "C:\Program Files\Mother Of All Battles\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600813}
Netstorm Launcher (Console) --> "C:\Program Files\NetstormLaunch\uninstall.exe"
Norton AntiVirus 2002 --> MsiExec.exe /I{3075C5C3-0807-4924-AF8F-FF27052C12AE}
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PANDA-EGG --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8343C3DD-094B-11D4-B97E-0008C7212DD9}\setup.exe"
Pearl Harbor --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Pearl Harbor\Uninst.isu"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninst
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Reveal Your Rank! --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Reveal Your Rank!\Uninst.isu"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
Skype 1.2 --> "C:\Program Files\Skype\Phone\unins000.exe"
Slay 4.2 --> "C:\Program Files\Slay\unins000.exe"
Sound Blaster Live! Value --> C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
SureThing CD Labeler - Stomper Edition 32 bit --> C:\WINDOWS\MVUNINST\App1\unwise.exe C:\WINDOWS\MVUNINST\APP1\INSTALL.LOG "SureThing CD Labeler - Stomper Edition Uninstall"
TetriNet2 --> C:\Program Files\TetriNet2\uninstall.exe
Tweakui Powertoy for Windows XP --> MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
UFOs 1.2 --> "C:\Program Files\UFOs\unins000.exe"
Universal Media Player --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\LocalAutorun\Uninst.isu"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WhatPulse 1.5 --> C:\Program Files\WhatPulse\uninst.exe
Windows SA --> C:\Windows\System32\axuninstall.exe rebootfirst
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type80 / Error
Event Submitted/Written: 05/24/2008 00:32:13 PM
Event ID/Source: 4097 / Norton AntiVirus
Event Description:
The file
C:\DOCUME~1\CurtFess\LOCALS~1\Temp\instnotify.exe
is infected with the Trojan Horse virus.Access to the file was denied.

Event Record #/Type79 / Error
Event Submitted/Written: 05/24/2008 00:32:13 PM
Event ID/Source: 4097 / Norton AntiVirus
Event Description:
The file
C:\DOCUME~1\CurtFess\LOCALS~1\Temp\instnotify.exe
is infected with the Trojan Horse virus.Unable to repair this file.

Event Record #/Type78 / Error
Event Submitted/Written: 05/24/2008 00:32:13 PM
Event ID/Source: 4097 / Norton AntiVirus
Event Description:
The file
C:\DOCUME~1\CurtFess\LOCALS~1\Temp\instnotify.exe
is infected with the Trojan Horse virus.Access to the file was denied.

Event Record #/Type77 / Error
Event Submitted/Written: 05/24/2008 00:32:13 PM
Event ID/Source: 4097 / Norton AntiVirus
Event Description:
The file
C:\DOCUME~1\CurtFess\LOCALS~1\Temp\instnotify.exe
is infected with the Trojan Horse virus.Unable to repair this file.

Event Record #/Type76 / Error
Event Submitted/Written: 05/24/2008 00:32:13 PM
Event ID/Source: 4097 / Norton AntiVirus
Event Description:
The file
C:\DOCUME~1\CurtFess\LOCALS~1\Temp\instnotify.exe
is infected with the Trojan Horse virus.Access to the file was denied.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type437 / Warning
Event Submitted/Written: 05/23/2008 05:49:24 PM
Event ID/Source: 8022 / BROWSER
Event Description:
The browser was unable to retrieve a list of domains from the browser master \\KITCHEN on the network \Device\NetBT_Tcpip_{EFF8BFD1-1A55-4C9F-ABBC-3DE992BE11F9}.
The data is the error code.

Event Record #/Type436 / Warning
Event Submitted/Written: 05/23/2008 05:49:24 PM
Event ID/Source: 8022 / BROWSER
Event Description:
The browser was unable to retrieve a list of domains from the browser master \\KITCHEN on the network \Device\NwlnkNb.
The data is the error code.

Event Record #/Type435 / Warning
Event Submitted/Written: 05/23/2008 04:01:03 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\KITCHEN on the network \Device\NwlnkNb.
The data is the error code.

Event Record #/Type434 / Warning
Event Submitted/Written: 05/23/2008 04:01:03 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\KITCHEN on the network \Device\NetBT_Tcpip_{EFF8BFD1-1A55-4C9F-ABBC-3DE992BE11F9}.
The data is the error code.

Event Record #/Type433 / Warning
Event Submitted/Written: 05/23/2008 03:49:03 PM
Event ID/Source: 8022 / BROWSER
Event Description:
The browser was unable to retrieve a list of domains from the browser master \\KITCHEN on the network \Device\NwlnkNb.
The data is the error code.



-- End of Deckard's System Scanner: finished at 2008-05-24 13:02:28 ------------
  • 0

#7 Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hi Breaku :)

The DSS log is indeed full of additional infections. The computer is very infected, and you'll need to follow my instructions very carefully, so we can complete this as soon as possible. You have the newest variant of Vundo which requires a manual removal, Zango and other advertising software, as well as the SpySpider which you have already 'discovered'. :)

Step 1: Downloading tools required for the fix

Please download the following tools, and save them on your desktop. Do not run any of these yet.
  • ATF Cleaner by Atribune.
  • The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop.
  • Download the attached text file, in the bottom of this post.
    • Double click the file.
    • Choose File > Save As....
    • Name the file fix.reg.
    • Change the Filetype to All Files.
    • Save the file on your desktop.
  • RegAllow
  • Download Brute Force Uninstaller to your desktop.
    • Right click the file on your Desktop, and choose Extract All.
    • Click Next.
    • In the box to choose where to extract the files to:
    • Click Browse.
    • Click on the + sign next to My Computer
    • Click on Local Disk (C:) or whatever your primary drive is.
    • Click Make New Folder
    • Type in BFU
    • Click Next, and uncheck the Show Extracted Files box and then click Finish.
    • Download sidekickFix.bat (rightclick on that link and choose save as)
    • Place sidekickFix.bat in your C:\BFU - folder. (Important!)

Step 2: Registry Fix

IMPORTANT: Please save the following instructions to a notepad file as you will not be able to access this page from Safe Mode.

REBOOTING TO SAFE MODE: Please restart your computer. As soon as it boots up, continuously tap the F8 key, until a menu shows. Using the arrow keys, choose the Safe Mode option, then click the Enter key. Wait for Safe Mode to load - this can take a while.

RE-ENABLING REGISTRY TOOLS: Please locate regallow.exe which we have downloaded previously. Double click on it. When the program launches, click on the Enable Registry Tools button. When it says the tools are enabled, click on the OK button to exit the program.

REGISTRY FIX: Please locate fix.reg which we have set up previously. Double click on it. When prompted, click Yes to merge the information with the registry.

Step 3: The Avenger and ATF

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now:

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\awttrSJD.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\ljJBuvuv.dll
C:\WINDOWS\system32\nqmafasx.dll
C:\WINDOWS\system32\jkamimev.exe
C:\WINDOWS\system32\ukorhpti.dll
C:\WINDOWS\system32\svoblpdb.dll
C:\WINDOWS\system32\TuxEOqru.ini2
C:\WINDOWS\system32\BcLlonpo.ini2
C:\WINDOWS\system32\bbvvtuew.dll
C:\WINDOWS\system32\btltplun.exe
C:\WINDOWS\system32\pvepkxgr.dll
C:\WINDOWS\system32\ebxorsgi.dll
C:\WINDOWS\system32\mUBJjkkj.ini2
C:\WINDOWS\system32\blxjaiil.exe
C:\WINDOWS\system32\vgxyopeg.dll
C:\WINDOWS\system32\hgakgjfk.dll
C:\WINDOWS\system32\kmmuvnmf.dll
C:\WINDOWS\system32\mVvFOXbc.ini2
C:\WINDOWS\system32\vtdwyvpn.dll
C:\WINDOWS\system32\iiqnkiss.dll
C:\WINDOWS\system32\axaxmtup.exe
C:\WINDOWS\system32\jxmghapo.dll
C:\WINDOWS\system32\jklSYJjl.ini2
C:\WINDOWS\system32\oquyaowm.exe
C:\WINDOWS\system32\ypuelghc.dll
C:\WINDOWS\system32\vwgkmqgl.dll
C:\WINDOWS\system32\suenwvan.dll
C:\WINDOWS\system32\BKQAyJlm.ini2
C:\WINDOWS\system32\jkxymbhh.exe
C:\WINDOWS\system32\yvvnqukp.dll
C:\WINDOWS\system32\fpvyaysu.dll
C:\WINDOWS\system32\hymmwckm.dll
C:\WINDOWS\system32\gmstlcrd.dll
C:\WINDOWS\system32\qnipmugf.dll
C:\WINDOWS\system32\rgwxgyft.dll
C:\WINDOWS\system32\xsbvxgfb.dll
C:\WINDOWS\system32\dtylhlxd.dll
C:\WINDOWS\system32\pooonnpo.ini2
C:\WINDOWS\system32\jaibvkum.dll
C:\WINDOWS\system32\eqgypoti.dll
C:\WINDOWS\system32\ooarslfr.dll
C:\WINDOWS\system32\UFeLnnmp.ini2
C:\WINDOWS\system32\avdqpnnc.dll
C:\WINDOWS\system32\yenxqsxm.dll
C:\WINDOWS\system32\sqbetgsv.dll
C:\WINDOWS\system32\njxkbsjy.dll
C:\WINDOWS\system32\ptwmsjxv.dll
C:\WINDOWS\system32\HQsuvyxx.ini2
C:\WINDOWS\system32\ovbsrwdh.dll
C:\WINDOWS\system32\ffhnoswi.dll
C:\WINDOWS\system32\cLorBJjl.ini2
C:\WINDOWS\system32\mspufrlj.dll
C:\WINDOWS\system32\jllcmdsk.dll
C:\WINDOWS\system32\rxsoaqwa.dll
C:\WINDOWS\system32\HPXGNXbc.ini2
C:\WINDOWS\system32\stuvGfhk.ini2
C:\WINDOWS\system32\covluvny.dll
C:\WINDOWS\system32\qmgarqes.dll
C:\WINDOWS\system32\spbkehuq.dll
C:\WINDOWS\system32\mxumpxht.dll
C:\WINDOWS\system32\bccxnrmx.dll
C:\WINDOWS\system32\jylrhyvq.dll
C:\WINDOWS\system32\qYadfMoq.ini2
C:\WINDOWS\system32\vxkvojbm.dll
C:\WINDOWS\system32\jlofcyij.dll
C:\WINDOWS\system32\wxFOVvut.ini2
C:\WINDOWS\system32\ueqicerl.dll
C:\WINDOWS\system32\njhyqnjo.dll
C:\WINDOWS\system32\KSYccMoq.ini2
C:\WINDOWS\system32\hPVCKRqr.ini2
C:\WINDOWS\system32\gQYFPXyb.ini2
C:\WINDOWS\system32\sockins32.dll
C:\Program Files\QdrPack
C:\Program Files\QdrModule
C:\Program Files\QdrDrive
C:\WINDOWS\system32\opnoNeFV.dll
C:\Program Files\ISM
c:\windows\180ax.exe
C:\Program Files\Zango
C:\WINDOWS\system32\odeesv.exe
c:\windows\180ax.exe
C:\WINDOWS\System32\MtyJ62F.exe
C:\documents and settings\curtfess\local settings\temp\8.exe
C:\documents and settings\amercaindancer\local settings\temp\8D.exe
C:\Program Files\Bargain Buddy
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\DHUpdt.exe
C:\WINDOWS\vrygq.exe
C:\Program Files\PVM
"C:\Program Files\Internet Optimizer
C:\WINDOWS\System32\ippromon.exe
C:\WINDOWS\suploads.exe
C:\WINDOWS\mmups.exe
C:\WINDOWS\mfyj.exe
C:\documents and settings\amercaindancer\local settings\temp\Mh4.exe
C:\WINDOWS\mscache.exe
c:\temp\msbb.exe
C:\WINDOWS\system32\odeesv.exe
C:\WINDOWS\ojexmtyb.exe
c:\windows\system32\rk.exe -boot
C:\WINDOWS\system32\prutict.exe
C:\WINDOWS\system32\prvtect.exe
C:\Program Files\Super Power Icons
C:\Program Files\SurfSideKick 2\Ssk.exe
C:\PROGRA~1\Toolbar
C:\Program Files\TV Media
C:\WINDOWS\Updreg.exe
C:\WINDOWS\System32\wtssvcc.exe
C:\Program Files\Web_Rebates
C:\Program Files\WindowsSA
C:\PROGRA~1\COMMON~1\WinTools

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log .

Step 4: SurfSideKick Fix

  • Close all browsers and explorer folders before proceeding.
  • Double-click on sidekickFix.bat (in C:\BFU)
  • Click Yes and follow the prompts, when prompted to restart the PC please do so.
Your PC will boot back into Normal Mode.

In your next reply, please include a new DSS log (note that DSS will only produce main.txt this time) and The Avenger's log.

Tal

Attached Files

  • Attached File  fix.txt   6.68KB   150 downloads

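
Before pasting a script like the one in the post above into The Avenger, it is worth linting it: every line under "Files to delete:" is treated as one file name, so a folder, a stray quote character or a trailing command-line switch will fail rather than delete anything. The following Python is an added example written for this page, not a tool used in this thread. It checks a script for those mistakes and then reads the avenger.txt result log to rebuild the entries that failed with STATUS_FILE_IS_A_DIRECTORY under a "Folders to delete:" header for a second run. The sample script and log excerpt are constructed to mirror the formats shown in this thread; the folder heuristic (no extension on the last path component) and the mapping of NT status names to buckets are assumptions of this example, not documented Avenger behaviour.

```python
"""Lint an Avenger 'Files to delete:' script, then read avenger.txt to build
the follow-up script.  Added example for this page, not a tool from the thread."""
import re
from collections import Counter

# Section headers as they appear in Avenger scripts and log hints on this page.
SECTIONS = ("Files to delete:", "Folders to delete:", "Drivers to delete:")

# Log line shapes copied from the avenger.txt format shown in this thread.
DELETED_RE = re.compile(r'^File "(.*)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of file "(.*)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9a-f]+) \((\w+)\)", re.I)

# Assumed mapping of NT status names to buckets; unknown names fall into bad_path.
BUCKETS = {"STATUS_FILE_IS_A_DIRECTORY": "is_directory",
           "STATUS_OBJECT_NAME_NOT_FOUND": "not_found",
           "STATUS_OBJECT_PATH_NOT_FOUND": "bad_path"}

def parse_script(text):
    """Return {section header: [entries]} for an Avenger-style script."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def lint_script(text):
    """Return (entry, problem) pairs for lines Avenger will reject or misread."""
    problems, counts, first = [], Counter(), {}
    sections = parse_script(text)
    for entries in sections.values():
        for e in entries:
            key = e.lower()
            counts[key] += 1
            first.setdefault(key, e)
    for key, n in counts.items():
        if n > 1:
            problems.append((first[key], "listed %d times" % n))
    for section, entries in sections.items():
        for e in entries:
            if '"' in e:
                problems.append((e, "stray quote character in path"))
            if re.search(r"\.exe\s+-\S+$", e, re.I):
                problems.append((e, "command-line switch copied from a Run entry"))
            # Heuristic (assumption): no extension on the last component => folder.
            last = e.rstrip("\\").rsplit("\\", 1)[-1]
            if section == "Files to delete:" and "." not in last:
                problems.append((e, "looks like a folder; move to 'Folders to delete:'"))
    return problems

def summarize_log(log_text):
    """Bucket every target named in avenger.txt by its outcome."""
    out = {"deleted": [], "is_directory": [], "not_found": [], "bad_path": []}
    pending = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            out["deleted"].append(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = m.group(1)  # the Status: line for this target follows
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            out[BUCKETS.get(m.group(2), "bad_path")].append(pending)
            pending = None
    return out

def followup_script(log_text):
    """Second-run script: only the folders that failed, under the right header."""
    folders = summarize_log(log_text)["is_directory"]
    if not folders:
        return ""
    return "Folders to delete:\n" + "\n".join(folders) + "\n"

# Constructed sample script: a few lines modelled on the one posted above.
SAMPLE_SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\awttrSJD.dll
C:\Program Files\QdrPack
"C:\Program Files\Internet Optimizer
c:\windows\system32\rk.exe -boot
C:\WINDOWS\system32\odeesv.exe
C:\WINDOWS\system32\odeesv.exe
"""

# Constructed avenger.txt excerpt in the format shown later in this thread.
SAMPLE_LOG = r"""File "C:\WINDOWS\system32\awttrSJD.dll" deleted successfully.
Error: "C:\Program Files\QdrPack" is a folder, not a file!
Deletion of file "C:\Program Files\QdrPack" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
Error: file "C:\WINDOWS\system32\odeesv.exe" not found!
Deletion of file "C:\WINDOWS\system32\odeesv.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Error: could not open file ""C:\Program Files\Internet Optimizer"
Deletion of file ""C:\Program Files\Internet Optimizer" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
"""

if __name__ == "__main__":
    for entry, problem in lint_script(SAMPLE_SCRIPT):
        print("LINT  %-45s %s" % (entry, problem))
    print(followup_script(SAMPLE_LOG), end="")
```

Run it against the real script and log by reading them from files instead of the constructed samples; entries that the log reports as not found need no second run, while anything bucketed as bad_path deserves a look at the script line itself (the stray leading quote is the usual cause).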

#8
Breaku (Topic Starter, Member, 16 posts)
The Atribune website seems to be down--do you have a mirror for the ATF Cleaner?

EDIT: It's back up. Logs shortly.

Edited by Breaku, 25 May 2008 - 01:33 AM.


#9
Tal (Trusted Helper, Retired Staff, 2,138 posts)
OK, I'll check them as soon as you reply.

Edited by Tal, 25 May 2008 - 02:18 AM.


#10
Breaku (Topic Starter, Member, 16 posts)
And, here we go

Avenger:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\awttrSJD.dll" deleted successfully.
File "C:\WINDOWS\system32\tmp.reg" deleted successfully.
File "C:\WINDOWS\system32\ljJBuvuv.dll" deleted successfully.
File "C:\WINDOWS\system32\nqmafasx.dll" deleted successfully.
File "C:\WINDOWS\system32\jkamimev.exe" deleted successfully.
File "C:\WINDOWS\system32\ukorhpti.dll" deleted successfully.
File "C:\WINDOWS\system32\svoblpdb.dll" deleted successfully.
File "C:\WINDOWS\system32\TuxEOqru.ini2" deleted successfully.
File "C:\WINDOWS\system32\BcLlonpo.ini2" deleted successfully.
File "C:\WINDOWS\system32\bbvvtuew.dll" deleted successfully.
File "C:\WINDOWS\system32\btltplun.exe" deleted successfully.
File "C:\WINDOWS\system32\pvepkxgr.dll" deleted successfully.
File "C:\WINDOWS\system32\ebxorsgi.dll" deleted successfully.
File "C:\WINDOWS\system32\mUBJjkkj.ini2" deleted successfully.
File "C:\WINDOWS\system32\blxjaiil.exe" deleted successfully.
File "C:\WINDOWS\system32\vgxyopeg.dll" deleted successfully.
File "C:\WINDOWS\system32\hgakgjfk.dll" deleted successfully.
File "C:\WINDOWS\system32\kmmuvnmf.dll" deleted successfully.
File "C:\WINDOWS\system32\mVvFOXbc.ini2" deleted successfully.
File "C:\WINDOWS\system32\vtdwyvpn.dll" deleted successfully.
File "C:\WINDOWS\system32\iiqnkiss.dll" deleted successfully.
File "C:\WINDOWS\system32\axaxmtup.exe" deleted successfully.
File "C:\WINDOWS\system32\jxmghapo.dll" deleted successfully.
File "C:\WINDOWS\system32\jklSYJjl.ini2" deleted successfully.
File "C:\WINDOWS\system32\oquyaowm.exe" deleted successfully.
File "C:\WINDOWS\system32\ypuelghc.dll" deleted successfully.
File "C:\WINDOWS\system32\vwgkmqgl.dll" deleted successfully.
File "C:\WINDOWS\system32\suenwvan.dll" deleted successfully.
File "C:\WINDOWS\system32\BKQAyJlm.ini2" deleted successfully.
File "C:\WINDOWS\system32\jkxymbhh.exe" deleted successfully.
File "C:\WINDOWS\system32\yvvnqukp.dll" deleted successfully.
File "C:\WINDOWS\system32\fpvyaysu.dll" deleted successfully.
File "C:\WINDOWS\system32\hymmwckm.dll" deleted successfully.
File "C:\WINDOWS\system32\gmstlcrd.dll" deleted successfully.
File "C:\WINDOWS\system32\qnipmugf.dll" deleted successfully.
File "C:\WINDOWS\system32\rgwxgyft.dll" deleted successfully.
File "C:\WINDOWS\system32\xsbvxgfb.dll" deleted successfully.
File "C:\WINDOWS\system32\dtylhlxd.dll" deleted successfully.
File "C:\WINDOWS\system32\pooonnpo.ini2" deleted successfully.
File "C:\WINDOWS\system32\jaibvkum.dll" deleted successfully.
File "C:\WINDOWS\system32\eqgypoti.dll" deleted successfully.
File "C:\WINDOWS\system32\ooarslfr.dll" deleted successfully.
File "C:\WINDOWS\system32\UFeLnnmp.ini2" deleted successfully.
File "C:\WINDOWS\system32\avdqpnnc.dll" deleted successfully.
File "C:\WINDOWS\system32\yenxqsxm.dll" deleted successfully.
File "C:\WINDOWS\system32\sqbetgsv.dll" deleted successfully.
File "C:\WINDOWS\system32\njxkbsjy.dll" deleted successfully.
File "C:\WINDOWS\system32\ptwmsjxv.dll" deleted successfully.
File "C:\WINDOWS\system32\HQsuvyxx.ini2" deleted successfully.
File "C:\WINDOWS\system32\ovbsrwdh.dll" deleted successfully.
File "C:\WINDOWS\system32\ffhnoswi.dll" deleted successfully.
File "C:\WINDOWS\system32\cLorBJjl.ini2" deleted successfully.
File "C:\WINDOWS\system32\mspufrlj.dll" deleted successfully.
File "C:\WINDOWS\system32\jllcmdsk.dll" deleted successfully.
File "C:\WINDOWS\system32\rxsoaqwa.dll" deleted successfully.
File "C:\WINDOWS\system32\HPXGNXbc.ini2" deleted successfully.
File "C:\WINDOWS\system32\stuvGfhk.ini2" deleted successfully.
File "C:\WINDOWS\system32\covluvny.dll" deleted successfully.
File "C:\WINDOWS\system32\qmgarqes.dll" deleted successfully.
File "C:\WINDOWS\system32\spbkehuq.dll" deleted successfully.
File "C:\WINDOWS\system32\mxumpxht.dll" deleted successfully.
File "C:\WINDOWS\system32\bccxnrmx.dll" deleted successfully.
File "C:\WINDOWS\system32\jylrhyvq.dll" deleted successfully.
File "C:\WINDOWS\system32\qYadfMoq.ini2" deleted successfully.
File "C:\WINDOWS\system32\vxkvojbm.dll" deleted successfully.
File "C:\WINDOWS\system32\jlofcyij.dll" deleted successfully.
File "C:\WINDOWS\system32\wxFOVvut.ini2" deleted successfully.
File "C:\WINDOWS\system32\ueqicerl.dll" deleted successfully.
File "C:\WINDOWS\system32\njhyqnjo.dll" deleted successfully.
File "C:\WINDOWS\system32\KSYccMoq.ini2" deleted successfully.
File "C:\WINDOWS\system32\hPVCKRqr.ini2" deleted successfully.
File "C:\WINDOWS\system32\gQYFPXyb.ini2" deleted successfully.
File "C:\WINDOWS\system32\sockins32.dll" deleted successfully.

Error: "C:\Program Files\QdrPack" is a folder, not a file!
Deletion of file "C:\Program Files\QdrPack" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\Program Files\QdrModule" is a folder, not a file!
Deletion of file "C:\Program Files\QdrModule" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\Program Files\QdrDrive" is a folder, not a file!
Deletion of file "C:\Program Files\QdrDrive" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\WINDOWS\system32\opnoNeFV.dll" deleted successfully.

Error: "C:\Program Files\ISM" is a folder, not a file!
Deletion of file "C:\Program Files\ISM" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: file "c:\windows\180ax.exe" not found!
Deletion of file "c:\windows\180ax.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Program Files\Zango" not found!
Deletion of file "C:\Program Files\Zango" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\odeesv.exe" not found!
Deletion of file "C:\WINDOWS\system32\odeesv.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\180ax.exe" not found!
Deletion of file "c:\windows\180ax.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\System32\MtyJ62F.exe" not found!
Deletion of file "C:\WINDOWS\System32\MtyJ62F.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\documents and settings\curtfess\local settings\temp\8.exe" not found!
Deletion of file "C:\documents and settings\curtfess\local settings\temp\8.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\documents and settings\amercaindancer\local settings\temp\8D.exe" not found!
Deletion of file "C:\documents and settings\amercaindancer\local settings\temp\8D.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Program Files\Bargain Buddy" not found!
Deletion of file "C:\Program Files\Bargain Buddy" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\dhbrwsr.exe" not found!
Deletion of file "C:\WINDOWS\dhbrwsr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\DHUpdt.exe" not found!
Deletion of file "C:\WINDOWS\DHUpdt.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\vrygq.exe" not found!
Deletion of file "C:\WINDOWS\vrygq.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Program Files\PVM" not found!
Deletion of file "C:\Program Files\PVM" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file ""C:\Program Files\Internet Optimizer"
Deletion of file ""C:\Program Files\Internet Optimizer" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "C:\WINDOWS\System32\ippromon.exe" not found!
Deletion of file "C:\WINDOWS\System32\ippromon.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\suploads.exe" not found!
Deletion of file "C:\WINDOWS\suploads.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\mmups.exe" not found!
Deletion of file "C:\WINDOWS\mmups.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\mfyj.exe" not found!
Deletion of file "C:\WINDOWS\mfyj.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\documents and settings\amercaindancer\local settings\temp\Mh4.exe" not found!
Deletion of file "C:\documents and settings\amercaindancer\local settings\temp\Mh4.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\mscache.exe" not found!
Deletion of file "C:\WINDOWS\mscache.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\temp\msbb.exe" not found!
Deletion of file "c:\temp\msbb.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\odeesv.exe" not found!
Deletion of file "C:\WINDOWS\system32\odeesv.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\ojexmtyb.exe" not found!
Deletion of file "C:\WINDOWS\ojexmtyb.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\rk.exe -boot" not found!
Deletion of file "c:\windows\system32\rk.exe -boot" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\prutict.exe" not found!
Deletion of file "C:\WINDOWS\system32\prutict.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\prvtect.exe" not found!
Deletion of file "C:\WINDOWS\system32\prvtect.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: "C:\Program Files\Super Power Icons" is a folder, not a file!
Deletion of file "C:\Program Files\Super Power Icons" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: could not open file "C:\Program Files\SurfSideKick 2\Ssk.exe"
Deletion of file "C:\Program Files\SurfSideKick 2\Ssk.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "C:\PROGRA~1\Toolbar" not found!
Deletion of file "C:\PROGRA~1\Toolbar" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Program Files\TV Media" not found!
Deletion of file "C:\Program Files\TV Media" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\Updreg.exe" deleted successfully.

Error: file "C:\WINDOWS\System32\wtssvcc.exe" not found!
Deletion of file "C:\WINDOWS\System32\wtssvcc.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Program Files\Web_Rebates" not found!
Deletion of file "C:\Program Files\Web_Rebates" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Program Files\WindowsSA" not found!
Deletion of file "C:\Program Files\WindowsSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\PROGRA~1\COMMON~1\WinTools" not found!
Deletion of file "C:\PROGRA~1\COMMON~1\WinTools" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



DSS Main:
Deckard's System Scanner v20071014.68
Run by CurtFess on 2008-05-25 04:08:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis (run as CurtFess.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:29 AM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\CurtFess\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CurtFess.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\opnoNeFV.dll (file missing)
O2 - BHO: (no name) - {FC00DD52-AF6E-4422-9110-586D5DAE7141} - C:\WINDOWS\system32\ljJYSlkj.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.co...etup1.0.0.7.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: opnoNeFV - opnoNeFV.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - http://www.worldofwa...qiraj-1024x.jpg
O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

--
End of file - 10101 bytes

-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 03:53:19 0 d-------- C:\Program Files\Java
2008-05-25 03:53:11 0 d-------- C:\Program Files\Common Files\Java
2008-05-25 03:07:10 315120 --a------ C:\WINDOWS\system32\mlJCSJAR.dll
2008-05-25 02:07:09 315120 --a------ C:\WINDOWS\system32\jkkIyYPF.dll
2008-05-25 01:07:08 315120 --a------ C:\WINDOWS\system32\iifdecaw.dll
2008-05-24 23:43:35 0 d-------- C:\BFU
2008-05-24 23:18:12 315120 --a------ C:\WINDOWS\system32\hgGyvuRj.dll
2008-05-24 13:08:30 315120 --a------ C:\WINDOWS\system32\geBuSJcC.dll
2008-05-22 11:02:23 0 dr-h----- C:\$VAULT$.AVG
2008-05-19 15:34:46 0 d-------- C:\Program Files\Trend Micro
2008-05-16 20:42:36 0 d-------- C:\Documents and Settings\PHAT_MOMMA\Application Data\AVG7
2008-05-15 13:46:59 0 d-------- C:\Program Files\RcvSystem
2008-05-10 20:20:58 0 d-------- C:\WINDOWS\network diagnostic
2008-05-10 14:22:07 0 d-------- C:\Program Files\QdrPack
2008-05-10 14:21:23 0 d-------- C:\Program Files\QdrModule
2008-05-10 14:20:47 0 d-------- C:\Program Files\QdrDrive
2008-05-10 14:20:15 0 d-------- C:\Program Files\ISM


-- Find3M Report ---------------------------------------------------------------

2008-05-25 03:53:11 0 d-------- C:\Program Files\Common Files
2008-05-24 11:03:57 0 d-------- C:\Documents and Settings\CurtFess\Application Data\AVG7
2008-05-19 15:02:11 0 d-------- C:\Program Files\AIM+
2008-03-28 09:28:47 0 d-------- C:\Program Files\Armagetron Advanced


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
C:\WINDOWS\system32\opnoNeFV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC00DD52-AF6E-4422-9110-586D5DAE7141}]
C:\WINDOWS\system32\ljJYSlkj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 10:43 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/28/2004 05:48 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/18/2008 03:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/21/2005 07:29 PM]
"@"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [08/21/2006 01:48 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/15/2007 12:20 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\opnoNeFV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoNeFV]
opnoNeFV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CurtFess^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\CurtFess\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
C:\Program Files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.EXE 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows SA]
C:\Program Files\WindowsSA\omniscient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-05-25 04:09:49 ------------
  • 0


#11
Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Now that's A LOT better. We are nearly clean! :)

Step 1: Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\opnoNeFV.dll (file missing)
O2 - BHO: (no name) - {FC00DD52-AF6E-4422-9110-586D5DAE7141} - C:\WINDOWS\system32\ljJYSlkj.dll (file missing)
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: opnoNeFV - opnoNeFV.dll (file missing)
O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step 2: The Avenger


Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\Program Files\QdrPack
C:\Program Files\QdrModule
C:\Program Files\QdrDrive
C:\Program Files\QdrDriv
C:\Program Files\ISM

Registry keys to delete:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows SA]

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  1. Right click on the window under Input script here:, and select Paste. You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  2. Click on Execute.
  3. Answer "Yes" twice when prompted.
  4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log.

Step 3: Updating Java

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Tal
  • 0
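The entries Tal ticks above fall into a few recognisable patterns: IE pages redirected to a local file, nameless BHOs whose DLL is gone, a text/html filter, an orphaned Winlogon Notify package and a remote Active Desktop component. As an added example (not code from the thread, from HijackThis or from Tal), this Python triage applies those patterns to HijackThis log lines; the rule set is my own, it additionally flags the "Unknown owner" service with a missing binary (O23) that the log still shows, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage of HijackThis (HJT) log lines (added example, not the thread's own code)."""
import re
from typing import List, Tuple

# "O2 - BHO: ..." / "R1 - HKCU\..." -> section code plus the rest of the line
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# A wallpaper image is the one kind of remote Active Desktop component left alone
IMAGE_RE = re.compile(r"\.(jpe?g|png|gif|bmp)$", re.IGNORECASE)

# Sample lines copied from the HijackThis logs posted in this thread
SAMPLE_LOG = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html",
    r"O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\opnoNeFV.dll (file missing)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll",
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit",
    r"O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll",
    r"O20 - Winlogon Notify: opnoNeFV - opnoNeFV.dll (file missing)",
    r"O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O24 - Desktop Component 0: (no name) - http://www.worldofwa...qiraj-1024x.jpg",
    r"O24 - Desktop Component 2: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917",
]


def triage(line: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one HJT line.

    verdict is 'fix' (an entry a helper would tick), 'review' (needs a human
    look) or 'clean' (none of these rules applies).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return "clean", "not an HJT entry"
    code, body = m.groups()
    missing = "(file missing)" in body

    # R0/R1: IE start/search/default pages pointing at a local HTML file
    if code in ("R0", "R1") and "file://" in body.lower():
        return "fix", "IE page setting redirected to a local file"
    # O2: a BHO with no name and no file on disk is an orphaned or hidden component
    if code == "O2" and ("(no name)" in body or missing):
        return "fix", "BHO with no name or missing file"
    # O18: a text/html MIME filter sits in front of every page IE renders
    if code == "O18" and body.startswith("Filter hijack"):
        return "fix", "MIME filter hijack on text/html"
    # O20: a Winlogon Notify package is loaded into winlogon.exe at logon
    if code == "O20" and body.startswith("Winlogon Notify") and missing:
        return "fix", "orphaned Winlogon Notify package"
    # O23: a service with no publisher whose binary is gone is leftover persistence
    if code == "O23" and "Unknown owner" in body and missing:
        return "fix", "service with unknown owner and missing binary"
    # O24: remote Active Desktop content other than a plain wallpaper image
    if code == "O24" and "http" in body and not IMAGE_RE.search(body):
        return "fix", "non-image Active Desktop component from a remote site"
    if missing:
        return "review", "entry points to a missing file"
    return "clean", ""


def triage_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (code, verdict, reason) for every line that is not clean."""
    findings = []
    for line in lines:
        verdict, reason = triage(line)
        if verdict != "clean":
            code = ENTRY_RE.match(line.strip()).group(1)
            findings.append((code, verdict, reason))
    return findings


if __name__ == "__main__":
    for code, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{code:<4} {verdict:<7} {reason}")
```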

#12
Breaku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Avenger:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun May 25 04:36:01 2008

04:35:58: Error: Invalid registry syntax in command:
"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows SA]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
04:36:01: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun May 25 04:37:03 2008

04:36:59: Error: Invalid registry syntax in command:
"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows SA]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Program Files\QdrPack" deleted successfully.
Folder "C:\Program Files\QdrModule" deleted successfully.
Folder "C:\Program Files\QdrDrive" deleted successfully.

Error: folder "C:\Program Files\QdrDriv" not found!
Deletion of folder "C:\Program Files\QdrDriv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\Program Files\ISM" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


And DSS Main:
Deckard's System Scanner v20071014.68
Run by CurtFess on 2008-05-25 04:43:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis (run as CurtFess.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:02 AM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CurtFess\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CurtFess.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.co...etup1.0.0.7.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 1: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

--
End of file - 9130 bytes

-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 04:37:01 285 --a------ C:\avexport.bat
2008-05-25 04:37:01 448 --a------ C:\1.reg
2008-05-25 03:53:19 0 d-------- C:\Program Files\Java
2008-05-25 03:53:11 0 d-------- C:\Program Files\Common Files\Java
2008-05-25 03:07:10 315120 --a------ C:\WINDOWS\system32\mlJCSJAR.dll
2008-05-25 02:07:09 315120 --a------ C:\WINDOWS\system32\jkkIyYPF.dll
2008-05-25 01:07:08 315120 --a------ C:\WINDOWS\system32\iifdecaw.dll
2008-05-24 23:43:35 0 d-------- C:\BFU
2008-05-24 23:18:12 315120 --a------ C:\WINDOWS\system32\hgGyvuRj.dll
2008-05-24 13:08:30 315120 --a------ C:\WINDOWS\system32\geBuSJcC.dll
2008-05-22 11:02:23 0 dr-h----- C:\$VAULT$.AVG
2008-05-19 15:34:46 0 d-------- C:\Program Files\Trend Micro
2008-05-16 20:42:36 0 d-------- C:\Documents and Settings\PHAT_MOMMA\Application Data\AVG7
2008-05-15 13:46:59 0 d-------- C:\Program Files\RcvSystem
2008-05-10 20:20:58 0 d-------- C:\WINDOWS\network diagnostic


-- Find3M Report ---------------------------------------------------------------

2008-05-25 03:53:11 0 d-------- C:\Program Files\Common Files
2008-05-24 11:03:57 0 d-------- C:\Documents and Settings\CurtFess\Application Data\AVG7
2008-05-19 15:02:11 0 d-------- C:\Program Files\AIM+
2008-03-28 09:28:47 0 d-------- C:\Program Files\Armagetron Advanced


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 10:43 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/28/2004 05:48 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/18/2008 03:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/21/2005 07:29 PM]
"@"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [08/21/2006 01:48 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/15/2007 12:20 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CurtFess^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\CurtFess\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
C:\Program Files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.EXE 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows SA]
C:\Program Files\WindowsSA\omniscient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-05-25 04:45:12 ------------
  • 0

#13
Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Nearly done :)

Before we start the registry fix, we need to back up the registry in case anything goes wrong. This is a very simple and quick process :)


  • Please go to Start > Run
  • Paste in the following line: regedit /e c:\registrybackup.reg
  • Click OK. It won't appear to be doing anything, that's normal.
  • Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.

Please open a new Notepad document (Note: Other text editors will not work) and paste the following code into it, starting from REGEDIT4:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows SA]

Now, click File > Save As... > Change the File Type to All Files > Name the file RegFix1.reg > Save it on your desktop.

Once you've saved it, please double click it. A window should pop up - Click Yes to merge the information with the registry.

Also, are you sure you fixed all entries listed in my previous post with HijackThis? These two are still there, please fix them. If it's still there then something's respawning it, but I can't see anything like that here.

O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O24 - Desktop Component 1: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

Give me a new DSS log when you're done.

#14
Breaku (Topic Starter, Member, 16 posts)
Something must be respawning those two items that you've asked me to remove--I've removed them several times.


DSS Main:
Deckard's System Scanner v20071014.68
Run by CurtFess on 2008-05-25 18:09:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis (run as CurtFess.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:21 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\CurtFess\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CurtFess.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX25.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.co...etup1.0.0.7.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 1: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917

--
End of file - 9081 bytes

-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 18:06:42 80758520 --a------ C:\registrybackup.reg
2008-05-25 04:37:01 285 --a------ C:\avexport.bat
2008-05-25 04:37:01 448 --a------ C:\1.reg
2008-05-25 03:53:19 0 d-------- C:\Program Files\Java
2008-05-25 03:53:11 0 d-------- C:\Program Files\Common Files\Java
2008-05-25 03:07:10 315120 --a------ C:\WINDOWS\system32\mlJCSJAR.dll
2008-05-25 02:07:09 315120 --a------ C:\WINDOWS\system32\jkkIyYPF.dll
2008-05-25 01:07:08 315120 --a------ C:\WINDOWS\system32\iifdecaw.dll
2008-05-24 23:43:35 0 d-------- C:\BFU
2008-05-24 23:18:12 315120 --a------ C:\WINDOWS\system32\hgGyvuRj.dll
2008-05-24 13:08:30 315120 --a------ C:\WINDOWS\system32\geBuSJcC.dll
2008-05-22 11:02:23 0 dr-h----- C:\$VAULT$.AVG
2008-05-19 15:34:46 0 d-------- C:\Program Files\Trend Micro
2008-05-16 20:42:36 0 d-------- C:\Documents and Settings\PHAT_MOMMA\Application Data\AVG7
2008-05-15 13:46:59 0 d-------- C:\Program Files\RcvSystem
2008-05-10 20:20:58 0 d-------- C:\WINDOWS\network diagnostic


-- Find3M Report ---------------------------------------------------------------

2008-05-25 03:53:11 0 d-------- C:\Program Files\Common Files
2008-05-24 11:03:57 0 d-------- C:\Documents and Settings\CurtFess\Application Data\AVG7
2008-05-19 15:02:11 0 d-------- C:\Program Files\AIM+
2008-03-28 09:28:47 0 d-------- C:\Program Files\Armagetron Advanced


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 10:43 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/28/2004 05:48 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/18/2008 03:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/21/2005 07:29 PM]
"@"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhatPulse"="C:\Program Files\WhatPulse\WhatPulse.exe" [08/21/2006 01:48 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/15/2007 12:20 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CurtFess^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\CurtFess\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
C:\Program Files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.EXE 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-05-25 18:10:25 ------------
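
Tal's point that the O18 and O24 entries came back after being fixed is the kind of thing worth checking mechanically across two logs, and the DSS "Files created" section in this post also shows a run of identically sized, randomly named DLLs in system32 that nobody in the thread has commented on yet. The Python below is an added example, not code from the thread or from HijackThis/DSS; the "earlier log" excerpt is constructed (one placeholder O4 entry plus the two entries Tal quoted), and the other sample lines are copied from the logs posted above.

```python
import re
from collections import defaultdict

# Constructed stand-in for the earlier HijackThis log: the two entries Tal
# quoted, plus one placeholder entry that the fix did remove.
HJT_EARLIER = r"""
O4 - HKLM\..\Run: [ExamplePlaceholder] C:\placeholder\removed_by_fix.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O24 - Desktop Component 1: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917
"""

# Lines copied from the HijackThis log Breaku posted after running the fixes.
HJT_LATER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O24 - Desktop Component 1: Intelligent Desktop - intelligentdesktop.com - http://active.intell...ctive/?17974917
"""

# "Files created" lines copied from the DSS log in the same post.
DSS_FILES = r"""
2008-05-25 18:06:42 80758520 --a------ C:\registrybackup.reg
2008-05-25 03:07:10 315120 --a------ C:\WINDOWS\system32\mlJCSJAR.dll
2008-05-25 02:07:09 315120 --a------ C:\WINDOWS\system32\jkkIyYPF.dll
2008-05-25 01:07:08 315120 --a------ C:\WINDOWS\system32\iifdecaw.dll
2008-05-24 23:43:35 0 d-------- C:\BFU
2008-05-24 23:18:12 315120 --a------ C:\WINDOWS\system32\hgGyvuRj.dll
2008-05-24 13:08:30 315120 --a------ C:\WINDOWS\system32\geBuSJcC.dll
2008-05-15 13:46:59 0 d-------- C:\Program Files\RcvSystem
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
DSS_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S+) (.+)$")


def hjt_entries(log):
    """Return the set of 'Oxx - ...' lines in a HijackThis log, ignoring other text."""
    lines = (line.strip() for line in log.splitlines())
    return {line for line in lines if HJT_LINE.match(line)}


def persistent_entries(earlier, later):
    """Entries present in both logs: fixed once, yet back again, so something re-creates them."""
    return sorted(hjt_entries(earlier) & hjt_entries(later))


def same_size_clusters(dss_section, min_members=3):
    """Group files by (folder, byte size). Several differently named files of
    identical size dropped into one folder deserve a closer look, because a
    single dropper usually writes the same payload under fresh names."""
    groups = defaultdict(list)
    for raw in dss_section.splitlines():
        m = DSS_LINE.match(raw.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue  # directories have no payload size to compare
        folder = path.rsplit("\\", 1)[0].lower()
        groups[(folder, int(size))].append((stamp, path))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


if __name__ == "__main__":
    for entry in persistent_entries(HJT_EARLIER, HJT_LATER):
        print("still present after fix:", entry)
    for (folder, size), files in same_size_clusters(DSS_FILES).items():
        print(f"{len(files)} files of {size} bytes in {folder}:")
        for stamp, path in files:
            print("   ", stamp, path)
```
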

#15
Tal (Trusted Helper, Retired Staff, 2,138 posts)
Hi :)

Sorry for the delay in getting back to you. Let's run a deeper scan that will tell us what's going on. Hopefully this will explain why these items keep respawning.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use the Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it. Save that file on your desktop for easy access.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to attach the log. Click the Browse button, then click the UPLOAD button. The upload should take a couple of seconds to a minute, depending on your connection speed.

Please don't post your log in the reply. It is very long and won't fit into one reply.

Edited by Tal, 27 May 2008 - 06:37 AM.
