Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Zlob.trojan plus smitfraud [RESOLVED]


  • This topic is locked This topic is locked

#1
johnny boy

johnny boy

    Member

  • Member
  • PipPipPip
  • 142 posts
Hello, recently i scanned my PC and found several alarmingly bad trojans/viruses, so i set to work trying to get rid of them, and, it seems as if they are gone. I have used G2Go before without outstanding results and thank you very much. I was hoping you could check a HJT log that i've run and make sure im all cleaned up!

Thanks in advance!

Matt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:55, on 5/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34CF6660-9BD3-431A-BA32-6B511D4126DA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6081 bytes
  • 0

Advertisements


#2
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Nevermind...i just ran spybot S&D, and it is still finding the zlob.trojan....i am at a loss now for what to do =(
  • 0

#3
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello Matt.. My name is fenzodahl512 and welcome to Geekstogo.. Please do the following..


Please temporarily disable your Spybot Tea-Timer function prior to our fix.. Please visit this webpage if you do not know how..




NEXT


Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

NetProject





NEXT


Using Windows Explorer, please delete the following folder (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\Program Files\NetProject




NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: (no name) - {34CF6660-9BD3-431A-BA32-6B511D4126DA} - (no file)
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please restart your computer. Please re-enable your Spybot Tea-Timer function..


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator


Please post Deckard System Scanner log main.txt and extra.txt in separate post..

Regards
fenzodahl512

Edited by fenzodahl512, 31 May 2008 - 02:14 PM.

  • 0

#4
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Here is the main.txt log

Deckard's System Scanner v20071014.68
Run by Matthew on 2008-05-31 07:14:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
26: 2008-05-30 00:29:47 UTC - RP50 - Windows Update
25: 2008-05-29 14:13:57 UTC - RP49 - Device Driver Package Install: Microsoft Bluetooth Radios
24: 2008-05-29 14:13:44 UTC - RP48 - Device Driver Package Install: Microsoft Mice and other pointing devices
23: 2008-05-29 01:45:32 UTC - RP47 - Windows Update
22: 2008-05-28 23:57:52 UTC - RP45 - Removed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-05-22 07:00:34 UTC - RP23 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Matthew.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:15:23, on 5/31/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Users\Matthew\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matthew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34CF6660-9BD3-431A-BA32-6B511D4126DA} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6338 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080531-070946-186 R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
backup-20080531-070946-308 O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
backup-20080531-070946-315 O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
backup-20080531-070946-446 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
backup-20080531-070946-617 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
backup-20080531-070946-713 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
backup-20080531-070946-800 O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
backup-20080531-070946-827 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
backup-20080531-070946-837 R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
backup-20080531-070946-912 O2 - BHO: (no name) - {34CF6660-9BD3-431A-BA32-6B511D4126DA} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-30 21:49:51 1409 --a------ C:\Windows\mozver.dat
2008-05-29 10:13:33 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-29 06:56:30 0 d-------- C:\Users\All Users\FLEXnet
2008-05-28 19:01:51 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-28 19:00:10 0 d-------- C:\Program Files\Trend Micro
2008-05-28 18:25:36 0 d-------- C:\VundoFix Backups
2008-05-28 18:19:43 2648 --a------ C:\Windows\system32\tmp.reg
2008-05-28 18:16:43 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-28 18:16:43 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-28 18:16:43 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-28 18:16:43 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-28 18:16:43 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 18:16:43 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 09:06:16 0 d--h----- C:\$AVG8.VAULT$
2008-05-28 08:29:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-05-28 08:29:04 0 d-------- C:\Users\All Users\avg8
2008-05-28 08:29:04 0 d-------- C:\Program Files\AVG
2008-05-28 08:20:59 0 d-------- C:\Program Files\Enigma Software Group
2008-05-28 07:56:53 0 d-------- C:\Windows\Content.IE5
2008-05-27 23:35:32 0 d-------- C:\Users\All Users\Lavasoft
2008-05-27 23:35:32 0 d-------- C:\Program Files\Lavasoft
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:30:39 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-26 23:29:58 0 d-------- C:\Users\All Users\Xfire
2008-05-26 23:29:58 0 d-------- C:\Program Files\Xfire
2008-05-26 22:13:09 0 d-------- C:\Program Files\Logitech
2008-05-26 14:00:06 0 d-------- C:\Program Files\Dl_cats
2008-05-26 13:59:26 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-26 13:59:21 0 d-------- C:\Program Files\Dell
2008-05-26 13:58:45 45056 --a------ C:\Windows\system32\DLPRMON.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:45 32768 --a------ C:\Windows\system32\DLPMONUI.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:25 98345 --a------ C:\Windows\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:25 339968 --a------ C:\Windows\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:24 0 d-------- C:\Users\All Users\DellFaxCtr
2008-05-26 13:58:20 0 d-------- C:\Program Files\Dell PC Fax
2008-05-26 13:58:16 274432 --a------ C:\Windows\system32\dlcxinst.dll
2008-05-26 13:58:16 323584 --a------ C:\Windows\system32\dlcxhcp.dll <Not Verified; ; Printer Communication System>
2008-05-26 13:58:16 0 d-------- C:\Program Files\Dell Photo AIO Printer 926
2008-05-25 21:34:13 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-25 18:10:47 0 d-------- C:\Users\All Users\Steam
2008-05-25 18:10:32 0 d-------- C:\Users\All Users\PopCap Games
2008-05-25 17:30:07 0 d-------- C:\Program Files\Nvidia Omega Drivers
2008-05-25 17:20:27 0 d-------- C:\Program Files\DIFX
2008-05-25 03:00:27 0 d-------- C:\Program Files\MSXML 4.0
2008-05-23 20:43:40 0 d-------- C:\Ubuntu
2008-05-23 20:20:53 0 d-------- C:\Users\All Users\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Common Files\Nero
2008-05-22 23:08:35 0 d-------- C:\Program Files\CodeGazer
2008-05-22 22:38:01 0 --a------ C:\Windows\nsreg.dat
2008-05-22 18:29:40 0 d-------- C:\Windows\nvidia icons
2008-05-21 18:42:53 0 d-------- C:\Program Files\Bonjour
2008-05-21 18:42:22 0 d-------- C:\Program Files\Emergent Music LLC
2008-05-21 18:41:37 0 d-------- C:\Program Files\Ruckus Player
2008-05-21 18:28:41 0 d-------- C:\Program Files\uTorrent
2008-05-20 23:58:55 0 d-------- C:\Windows\Panther
2008-05-20 23:58:13 0 d-------- C:\Windows\system32\OEM
2008-05-20 23:58:13 34 -rah----- C:\Windows\DELL_VERSION
2008-05-20 23:04:14 0 d-------- C:\Windows\SoftwareDistribution
2008-05-20 23:03:01 0 d-------- C:\Windows\Debug
2008-05-20 22:59:48 0 d-------- C:\Windows\Prefetch
2008-05-20 22:29:43 0 d-------- C:\Windows\system32\Macromed
2008-05-20 22:20:07 0 d-------- C:\Program Files\Common Files\Steam
2008-05-20 22:20:06 0 d-------- C:\Program Files\Steam
2008-05-20 22:07:58 0 d-------- C:\Users\All Users\NVIDIA
2008-05-20 21:48:14 1726 --a------ C:\Windows\ndinst.exe
2008-05-20 21:48:14 0 -rahs---- C:\MSDOS.SYS
2008-05-20 21:48:14 0 -rahs---- C:\IO.SYS
2008-05-20 21:33:14 15781 --a------ C:\Windows\system32\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2008-05-20 21:33:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 21:32:57 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-05-20 21:08:41 0 d-------- C:\Users\All Users\Adobe
2008-05-20 20:53:36 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:52:58 0 d--hs---- C:\Windows\Installer
2008-05-20 20:52:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-20 20:31:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-20 20:14:46 0 dr------- C:\Users\Matthew\Searches
2008-05-20 20:14:38 0 dr------- C:\Users\Matthew\Contacts
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Templates
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Start Menu
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\SendTo
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Recent
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\PrintHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\NetHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\My Documents
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Local Settings
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Cookies
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Application Data
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Videos
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Saved Games
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Pictures
2008-05-20 20:14:33 2359296 --ahs---- C:\Users\Matthew\NTUSER.DAT
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Music
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Links
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Favorites
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Downloads
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Documents
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Desktop
2008-05-20 20:14:33 0 d--h----- C:\Users\Matthew\AppData
2008-05-18 23:17:36 0 d-------- C:\NVIDIA


-- Find3M Report ---------------------------------------------------------------

2008-05-28 18:20:19 35 --a------ C:\Users\Matthew\AppData\Roaming\SetValue.bat
2008-05-28 18:20:19 691 --a------ C:\Users\Matthew\AppData\Roaming\GetValue.vbs
2008-05-28 00:17:21 0 d-------- C:\Users\Matthew\AppData\Roaming\DellFaxCtr
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files
2008-05-27 23:22:09 0 d-------- C:\Users\Matthew\AppData\Roaming\Xfire
2008-05-25 23:47:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Adobe
2008-05-25 21:50:38 174 --ahs---- C:\Program Files\desktop.ini
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Mail
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Collaboration
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Calendar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Movie Maker
2008-05-25 21:45:02 0 d-------- C:\Program Files\Windows Defender
2008-05-25 19:46:53 0 d-------- C:\Users\Matthew\AppData\Roaming\uTorrent
2008-05-23 20:21:55 0 d-------- C:\Users\Matthew\AppData\Roaming\Nero
2008-05-22 22:37:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Mozilla
2008-05-21 19:22:12 0 d-------- C:\Users\Matthew\AppData\Roaming\goombah
2008-05-21 18:43:56 0 d-------- C:\Users\Matthew\AppData\Roaming\Ruckus Network
2008-05-20 22:29:44 0 d-------- C:\Users\Matthew\AppData\Roaming\Macromedia
2008-05-20 21:09:08 0 d-------- C:\Users\Matthew\AppData\Roaming\AdobeUM
2008-05-20 20:14:39 0 d-------- C:\Users\Matthew\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34CF6660-9BD3-431A-BA32-6B511D4126DA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 23:38]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"RestartNeroSetup"="C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [05/02/2008 22:46]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [05/02/2008 22:46]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [11/03/2006 18:09]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [01/12/2007 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [11/03/2006 18:04]
"DLCXCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [10/16/2006 01:31]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/28/2008 08:29]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [05/26/2008 22:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 23:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingD983"=cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [5/26/2008 22:13:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52daf334-26d6-11dd-86d7-0019d1405841}]
AutoRun\command- G:\Autorun.exe /run
Shell00\Command- G:\Autorun.exe /run
Shell01\Command- G:\Autorun.exe /action
Shell02\Command- G:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c04fd80-2cfe-11dd-bba4-001839142802}]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb233278-26e1-11dd-ad00-806e6f6e6963}]
AutoRun\command- E:\Setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-31 07:17:20 ------------
  • 0

#5
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Here is the extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Basic (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 3069.02 MiB / 2171.89 MiB
Pagefile Memory (total/avail): 6338.33 MiB / 5475.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1896.04 MiB

C: is Fixed (NTFS) - 222.78 GiB total, 149.92 GiB free.
D: is Fixed (NTFS) - 10 GiB total, 9.73 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (FAT)
H: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - SAMSUNG SP2504C - 232.83 GiB - 3 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 - Installable File System - 10 GiB - D:
\PARTITION2 (bootable) - Installable File System - 222.78 GiB - C:

\\.\PHYSICALDRIVE2 - Dell USB Mass Storage USB Device

\\.\PHYSICALDRIVE1 - SanDisk U3 Cruzer Micro USB Device - 980.53 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 988.2 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
AS: AVG Anti-Virus Free v8.0 (AVG Technologies) Disabled
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Matthew\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MATTHEW-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Matthew
LOCALAPPDATA=C:\Users\Matthew\AppData\Local
LOGONSERVER=\\MATTHEW-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Matthew\AppData\Local\Temp
TMP=C:\Users\Matthew\AppData\Local\Temp
USERDOMAIN=Matthew-PC
USERNAME=Matthew
USERPROFILE=C:\Users\Matthew
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Matthew


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\RUCKUS~1\UNWISE.EXE /a C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour Core for Windows --> MsiExec.exe /I{56DF5C9E-6392-46D3-B366-297B14E1DAAF}
Dell PC Fax --> C:\Program Files\Dell PC Fax\Install\x86\Uninst.exe /R:faxunst
Dell Photo AIO Printer 926 --> C:\Program Files\Dell Photo AIO Printer 926\Install\x86\Uninst.exe
Goombah Partner COM Server --> MsiExec.exe /I{EBBE2FB2-FBED-44F6-B95F-230AB5A65B28}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Nvidia Omega Drivers v1.169.25 Setup Files and Tools --> "C:\Windows\Nvidia Omega Drivers v1.169.25 Uninstall.exe" "/U:C:\Program Files\Nvidia Omega Drivers\v1.169.25\Omega Uninstall.xml"
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Peggle Extreme --> "C:\Program Files\Steam\steam.exe" steam://uninstall/3483
Ricochet --> "C:\Program Files\Steam\steam.exe" steam://uninstall/60
Ruckus Player --> C:\PROGRA~1\RUCKUS~1\UNWISE.EXE C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Team Fortress 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/440
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VistaGlazz --> MsiExec.exe /X{CCBCD550-D91D-443D-9CF0-0CD02D2FDB95}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1428 / Error
Event Submitted/Written: 05/31/2008 07:14:28 AM
Event ID/Source: 1002 / Application Hang
Event Description:
The program dss.exe version 3.2.8.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: ad0
Start Time: 01c8c30f3d784742
Termination Time: 15

Event Record #/Type1422 / Success
Event Submitted/Written: 05/31/2008 07:11:27 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type1421 / Success
Event Submitted/Written: 05/31/2008 07:11:25 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type1417 / Success
Event Submitted/Written: 05/31/2008 07:11:15 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type1396 / Success
Event Submitted/Written: 05/30/2008 10:54:19 PM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15490 / Warning
Event Submitted/Written: 05/31/2008 07:15:34 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Matthew-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Matthew-PC27 can't undo changes that you allow.

For more information please see the following:
%Matthew-PC275

Scan ID: {96CFF234-5C36-44E4-BC4D-9C0AE2662F01}

User: Matthew-PC\Matthew

Name: %Matthew-PC271

ID: %Matthew-PC272

Severity ID: %Matthew-PC273

Category ID: %Matthew-PC274

Path Found: %Matthew-PC276

Alert Type: %Matthew-PC278

Detection Type: 1.1.1600.02

Event Record #/Type15489 / Warning
Event Submitted/Written: 05/31/2008 07:15:34 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Matthew-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Matthew-PC27 can't undo changes that you allow.

For more information please see the following:
%Matthew-PC275

Scan ID: {ADF25BE0-9B08-4459-8EFD-38F604ECAF84}

User: Matthew-PC\Matthew

Name: %Matthew-PC271

ID: %Matthew-PC272

Severity ID: %Matthew-PC273

Category ID: %Matthew-PC274

Path Found: %Matthew-PC276

Alert Type: %Matthew-PC278

Detection Type: 1.1.1600.02

Event Record #/Type15488 / Warning
Event Submitted/Written: 05/31/2008 07:15:34 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Matthew-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Matthew-PC27 can't undo changes that you allow.

For more information please see the following:
%Matthew-PC275

Scan ID: {080D244B-88E7-486A-B40C-F5DABE7D7E40}

User: Matthew-PC\Matthew

Name: %Matthew-PC271

ID: %Matthew-PC272

Severity ID: %Matthew-PC273

Category ID: %Matthew-PC274

Path Found: %Matthew-PC276

Alert Type: %Matthew-PC278

Detection Type: 1.1.1600.02

Event Record #/Type15487 / Warning
Event Submitted/Written: 05/31/2008 07:15:32 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Matthew-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Matthew-PC27 can't undo changes that you allow.

For more information please see the following:
%Matthew-PC275

Scan ID: {76FD0D05-E20F-4B88-9958-7F767B4DCCF5}

User: Matthew-PC\Matthew

Name: %Matthew-PC271

ID: %Matthew-PC272

Severity ID: %Matthew-PC273

Category ID: %Matthew-PC274

Path Found: %Matthew-PC276

Alert Type: %Matthew-PC278

Detection Type: 1.1.1600.02

Event Record #/Type15486 / Warning
Event Submitted/Written: 05/31/2008 07:15:32 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Matthew-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Matthew-PC27 can't undo changes that you allow.

For more information please see the following:
%Matthew-PC275

Scan ID: {25BE2CE7-B582-4B46-996C-2A677C0904A1}

User: Matthew-PC\Matthew

Name: %Matthew-PC271

ID: %Matthew-PC272

Severity ID: %Matthew-PC273

Category ID: %Matthew-PC274

Path Found: %Matthew-PC276

Alert Type: %Matthew-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-05-31 07:17:20 ------------


Also, the net project was not in add/remove OR windows explorer.

Thanks again for your assistance.
  • 0

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply.. Lets do this..


Please restart your computer in Safe Mode. Retart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Choose Safe Mode and please log in by using your regular account.


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: (no name) - {34CF6660-9BD3-431A-BA32-6B511D4126DA} - (no file)
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please restart your computer into Normal Mode. Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.




Please post the following logs in your next reply. Please post each log in separate post..

1. MalwareBytes' Anti-Malware
2. Deckard System Scanner (after MalwareBytes' step)



p/s: Have something to do now.. I'll be back tomorrow :)


Regards
fenzodahl512
  • 0

#7
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34cf6660-9bd3-431a-ba32-6b511d4126da} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\e405.e405mgr (Trojan.Zlob) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{51d81dd5-55b7-497f-95db-d356429bb54e} (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{51d81dd5-55b7-497f-95db-d356429bb54e} (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Matthew\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Users\Matthew\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Users\Matthew\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
C:\Users\Matthew\My Documents\My Documents.url (Trojan.Zlob) -> No action taken.
  • 0

#8
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Deckard's System Scanner v20071014.68
Run by Matthew on 2008-06-01 04:14:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Matthew.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:14:07, on 6/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Matthew\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matthew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6285 bytes

-- Files created between 2008-05-01 and 2008-06-01 -----------------------------

2008-05-31 12:13:26 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-31 12:13:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 21:49:51 1409 --a------ C:\Windows\mozver.dat
2008-05-29 10:13:33 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-29 06:56:30 0 d-------- C:\Users\All Users\FLEXnet
2008-05-28 19:01:51 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-28 19:00:10 0 d-------- C:\Program Files\Trend Micro
2008-05-28 18:25:36 0 d-------- C:\VundoFix Backups
2008-05-28 18:19:43 2648 --a------ C:\Windows\system32\tmp.reg
2008-05-28 18:16:43 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-28 18:16:43 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-28 18:16:43 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-28 18:16:43 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-28 18:16:43 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 18:16:43 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 09:06:16 0 d--h----- C:\$AVG8.VAULT$
2008-05-28 08:29:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-05-28 08:29:04 0 d-------- C:\Users\All Users\avg8
2008-05-28 08:29:04 0 d-------- C:\Program Files\AVG
2008-05-28 08:20:59 0 d-------- C:\Program Files\Enigma Software Group
2008-05-28 07:56:53 0 d-------- C:\Windows\Content.IE5
2008-05-27 23:35:32 0 d-------- C:\Users\All Users\Lavasoft
2008-05-27 23:35:32 0 d-------- C:\Program Files\Lavasoft
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:30:39 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-26 23:29:58 0 d-------- C:\Users\All Users\Xfire
2008-05-26 23:29:58 0 d-------- C:\Program Files\Xfire
2008-05-26 22:13:09 0 d-------- C:\Program Files\Logitech
2008-05-26 14:00:06 0 d-------- C:\Program Files\Dl_cats
2008-05-26 13:59:26 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-26 13:59:21 0 d-------- C:\Program Files\Dell
2008-05-26 13:58:45 45056 --a------ C:\Windows\system32\DLPRMON.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:45 32768 --a------ C:\Windows\system32\DLPMONUI.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:25 98345 --a------ C:\Windows\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:25 339968 --a------ C:\Windows\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:24 0 d-------- C:\Users\All Users\DellFaxCtr
2008-05-26 13:58:20 0 d-------- C:\Program Files\Dell PC Fax
2008-05-26 13:58:16 274432 --a------ C:\Windows\system32\dlcxinst.dll
2008-05-26 13:58:16 323584 --a------ C:\Windows\system32\dlcxhcp.dll <Not Verified; ; Printer Communication System>
2008-05-26 13:58:16 0 d-------- C:\Program Files\Dell Photo AIO Printer 926
2008-05-25 21:34:13 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-25 18:10:47 0 d-------- C:\Users\All Users\Steam
2008-05-25 18:10:32 0 d-------- C:\Users\All Users\PopCap Games
2008-05-25 17:30:07 0 d-------- C:\Program Files\Nvidia Omega Drivers
2008-05-25 17:20:27 0 d-------- C:\Program Files\DIFX
2008-05-25 03:00:27 0 d-------- C:\Program Files\MSXML 4.0
2008-05-23 20:43:40 0 d-------- C:\Ubuntu
2008-05-23 20:20:53 0 d-------- C:\Users\All Users\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Common Files\Nero
2008-05-22 23:08:35 0 d-------- C:\Program Files\CodeGazer
2008-05-22 22:38:01 0 --a------ C:\Windows\nsreg.dat
2008-05-22 18:29:40 0 d-------- C:\Windows\nvidia icons
2008-05-21 18:42:53 0 d-------- C:\Program Files\Bonjour
2008-05-21 18:42:22 0 d-------- C:\Program Files\Emergent Music LLC
2008-05-21 18:41:37 0 d-------- C:\Program Files\Ruckus Player
2008-05-21 18:28:41 0 d-------- C:\Program Files\uTorrent
2008-05-20 23:58:55 0 d-------- C:\Windows\Panther
2008-05-20 23:58:13 0 d-------- C:\Windows\system32\OEM
2008-05-20 23:58:13 34 -rah----- C:\Windows\DELL_VERSION
2008-05-20 23:04:14 0 d-------- C:\Windows\SoftwareDistribution
2008-05-20 23:03:01 0 d-------- C:\Windows\Debug
2008-05-20 22:59:48 0 d-------- C:\Windows\Prefetch
2008-05-20 22:29:43 0 d-------- C:\Windows\system32\Macromed
2008-05-20 22:20:07 0 d-------- C:\Program Files\Common Files\Steam
2008-05-20 22:20:06 0 d-------- C:\Program Files\Steam
2008-05-20 22:07:58 0 d-------- C:\Users\All Users\NVIDIA
2008-05-20 21:48:14 1726 --a------ C:\Windows\ndinst.exe
2008-05-20 21:48:14 0 -rahs---- C:\MSDOS.SYS
2008-05-20 21:48:14 0 -rahs---- C:\IO.SYS
2008-05-20 21:33:14 15781 --a------ C:\Windows\system32\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2008-05-20 21:33:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 21:32:57 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-05-20 21:08:41 0 d-------- C:\Users\All Users\Adobe
2008-05-20 20:53:36 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:52:58 0 d--hs---- C:\Windows\Installer
2008-05-20 20:52:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-20 20:31:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-20 20:14:46 0 dr------- C:\Users\Matthew\Searches
2008-05-20 20:14:38 0 dr------- C:\Users\Matthew\Contacts
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Templates
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Start Menu
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\SendTo
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Recent
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\PrintHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\NetHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\My Documents
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Local Settings
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Cookies
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Application Data
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Videos
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Saved Games
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Pictures
2008-05-20 20:14:33 2621440 --ahs---- C:\Users\Matthew\NTUSER.DAT
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Music
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Links
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Favorites
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Downloads
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Documents
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Desktop
2008-05-20 20:14:33 0 d--h----- C:\Users\Matthew\AppData
2008-05-18 23:17:36 0 d-------- C:\NVIDIA


-- Find3M Report ---------------------------------------------------------------

2008-05-31 12:13:33 0 d-------- C:\Users\Matthew\AppData\Roaming\Malwarebytes
2008-05-28 18:20:19 35 --a------ C:\Users\Matthew\AppData\Roaming\SetValue.bat
2008-05-28 18:20:19 691 --a------ C:\Users\Matthew\AppData\Roaming\GetValue.vbs
2008-05-28 00:17:21 0 d-------- C:\Users\Matthew\AppData\Roaming\DellFaxCtr
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files
2008-05-27 23:22:09 0 d-------- C:\Users\Matthew\AppData\Roaming\Xfire
2008-05-25 23:47:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Adobe
2008-05-25 21:50:38 174 --ahs---- C:\Program Files\desktop.ini
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Mail
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Collaboration
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Calendar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Movie Maker
2008-05-25 21:45:02 0 d-------- C:\Program Files\Windows Defender
2008-05-25 19:46:53 0 d-------- C:\Users\Matthew\AppData\Roaming\uTorrent
2008-05-23 20:21:55 0 d-------- C:\Users\Matthew\AppData\Roaming\Nero
2008-05-22 22:37:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Mozilla
2008-05-21 19:22:12 0 d-------- C:\Users\Matthew\AppData\Roaming\goombah
2008-05-21 18:43:56 0 d-------- C:\Users\Matthew\AppData\Roaming\Ruckus Network
2008-05-20 22:29:44 0 d-------- C:\Users\Matthew\AppData\Roaming\Macromedia
2008-05-20 21:09:08 0 d-------- C:\Users\Matthew\AppData\Roaming\AdobeUM
2008-05-20 20:14:39 0 d-------- C:\Users\Matthew\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 23:38]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"RestartNeroSetup"="C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [05/02/2008 22:46]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [05/02/2008 22:46]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [11/03/2006 18:09]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [01/12/2007 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [11/03/2006 18:04]
"DLCXCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [10/16/2006 01:31]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/28/2008 08:29]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [05/26/2008 22:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 23:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingD983"=cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [5/26/2008 22:13:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52daf334-26d6-11dd-86d7-0019d1405841}]
AutoRun\command- G:\Autorun.exe /run
Shell00\Command- G:\Autorun.exe /run
Shell01\Command- G:\Autorun.exe /action
Shell02\Command- G:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c04fd80-2cfe-11dd-bba4-001839142802}]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb233278-26e1-11dd-ad00-806e6f6e6963}]
AutoRun\command- E:\Setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-01 04:15:27 ------------

Thanks for the help!

Think that bugger is still in there though....tough little guy...
  • 0

#9
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello Johnny, thanks for the reply.. It seems that you have run MalwareBytes' but you forget to remove the infections found :)

That's ok.. Please run MalwareBytes' again and this time make sure every infections box is checked and then click on Remove Selected button..

Then, please post the new MalwareBytes' result with a fresh Deckard System Scanner log here... I'll be waiting for you :)


Regards
fenzodahl512
  • 0

#10
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Malwarebytes' Anti-Malware 1.14
Database version: 811

06:00:18 6/2/2008
mbam-log-6-2-2008 (06-00-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 127158
Time elapsed: 27 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{51d81dd5-55b7-497f-95db-d356429bb54e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{51d81dd5-55b7-497f-95db-d356429bb54e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Opps, sorry about that. Ha
  • 0

Advertisements


#11
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Ah.. that's better.. Now, a fresh DSS log please.. Thank you :)
  • 0

#12
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Sorry for the delays! Been really busy as of late..will have that DSS log posted soon as possible!
  • 0

#13
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok.. will wait for you :)
  • 0

#14
johnny boy

johnny boy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Deckard's System Scanner v20071014.68
Run by Matthew on 2008-06-03 20:04:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Matthew.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:39, on 6/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Users\Matthew\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Matthew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 8" RUNSETUPXU="1" UPGRADE="1"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6239 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-05-31 12:13:26 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-31 12:13:25 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 21:49:51 1409 --a------ C:\Windows\mozver.dat
2008-05-29 10:13:33 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-29 06:56:30 0 d-------- C:\Users\All Users\FLEXnet
2008-05-28 19:01:51 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-28 19:00:10 0 d-------- C:\Program Files\Trend Micro
2008-05-28 18:25:36 0 d-------- C:\VundoFix Backups
2008-05-28 18:19:43 2648 --a------ C:\Windows\system32\tmp.reg
2008-05-28 18:16:43 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-28 18:16:43 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-28 18:16:43 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-28 18:16:43 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-28 18:16:43 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 18:16:43 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-28 18:16:43 82944 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-28 09:06:16 0 d--h----- C:\$AVG8.VAULT$
2008-05-28 08:29:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-05-28 08:29:04 0 d-------- C:\Users\All Users\avg8
2008-05-28 08:29:04 0 d-------- C:\Program Files\AVG
2008-05-28 08:20:59 0 d-------- C:\Program Files\Enigma Software Group
2008-05-28 07:56:53 0 d-------- C:\Windows\Content.IE5
2008-05-27 23:35:32 0 d-------- C:\Users\All Users\Lavasoft
2008-05-27 23:35:32 0 d-------- C:\Program Files\Lavasoft
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 23:30:39 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-26 23:29:58 0 d-------- C:\Users\All Users\Xfire
2008-05-26 23:29:58 0 d-------- C:\Program Files\Xfire
2008-05-26 22:13:09 0 d-------- C:\Program Files\Logitech
2008-05-26 14:00:06 0 d-------- C:\Program Files\Dl_cats
2008-05-26 13:59:26 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-26 13:59:21 0 d-------- C:\Program Files\Dell
2008-05-26 13:58:45 45056 --a------ C:\Windows\system32\DLPRMON.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:45 32768 --a------ C:\Windows\system32\DLPMONUI.DLL <Not Verified; ; Dell Fax Solutions Software>
2008-05-26 13:58:25 98345 --a------ C:\Windows\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:25 339968 --a------ C:\Windows\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-05-26 13:58:24 0 d-------- C:\Users\All Users\DellFaxCtr
2008-05-26 13:58:20 0 d-------- C:\Program Files\Dell PC Fax
2008-05-26 13:58:16 274432 --a------ C:\Windows\system32\dlcxinst.dll
2008-05-26 13:58:16 323584 --a------ C:\Windows\system32\dlcxhcp.dll <Not Verified; ; Printer Communication System>
2008-05-26 13:58:16 0 d-------- C:\Program Files\Dell Photo AIO Printer 926
2008-05-25 21:34:13 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-25 18:10:47 0 d-------- C:\Users\All Users\Steam
2008-05-25 18:10:32 0 d-------- C:\Users\All Users\PopCap Games
2008-05-25 17:30:07 0 d-------- C:\Program Files\Nvidia Omega Drivers
2008-05-25 17:20:27 0 d-------- C:\Program Files\DIFX
2008-05-25 03:00:27 0 d-------- C:\Program Files\MSXML 4.0
2008-05-23 20:43:40 0 d-------- C:\Ubuntu
2008-05-23 20:20:53 0 d-------- C:\Users\All Users\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Nero
2008-05-23 20:20:53 0 d-------- C:\Program Files\Common Files\Nero
2008-05-22 23:08:35 0 d-------- C:\Program Files\CodeGazer
2008-05-22 22:38:01 0 --a------ C:\Windows\nsreg.dat
2008-05-22 18:29:40 0 d-------- C:\Windows\nvidia icons
2008-05-21 18:42:53 0 d-------- C:\Program Files\Bonjour
2008-05-21 18:42:22 0 d-------- C:\Program Files\Emergent Music LLC
2008-05-21 18:41:37 0 d-------- C:\Program Files\Ruckus Player
2008-05-21 18:28:41 0 d-------- C:\Program Files\uTorrent
2008-05-20 23:58:55 0 d-------- C:\Windows\Panther
2008-05-20 23:58:13 0 d-------- C:\Windows\system32\OEM
2008-05-20 23:58:13 34 -rah----- C:\Windows\DELL_VERSION
2008-05-20 23:04:14 0 d-------- C:\Windows\SoftwareDistribution
2008-05-20 23:03:01 0 d-------- C:\Windows\Debug
2008-05-20 22:59:48 0 d-------- C:\Windows\Prefetch
2008-05-20 22:29:43 0 d-------- C:\Windows\system32\Macromed
2008-05-20 22:20:07 0 d-------- C:\Program Files\Common Files\Steam
2008-05-20 22:20:06 0 d-------- C:\Program Files\Steam
2008-05-20 22:07:58 0 d-------- C:\Users\All Users\NVIDIA
2008-05-20 21:48:14 1726 --a------ C:\Windows\ndinst.exe
2008-05-20 21:48:14 0 -rahs---- C:\MSDOS.SYS
2008-05-20 21:48:14 0 -rahs---- C:\IO.SYS
2008-05-20 21:33:14 15781 --a------ C:\Windows\system32\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2008-05-20 21:33:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 21:32:57 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-05-20 21:08:41 0 d-------- C:\Users\All Users\Adobe
2008-05-20 20:53:36 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:52:58 0 d--hs---- C:\Windows\Installer
2008-05-20 20:52:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-20 20:31:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-20 20:14:46 0 dr------- C:\Users\Matthew\Searches
2008-05-20 20:14:38 0 dr------- C:\Users\Matthew\Contacts
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Templates
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Start Menu
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\SendTo
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Recent
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\PrintHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\NetHood
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\My Documents
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Local Settings
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Cookies
2008-05-20 20:14:34 0 d--hs---- C:\Users\Matthew\Application Data
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Videos
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Saved Games
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Pictures
2008-05-20 20:14:33 2621440 --ahs---- C:\Users\Matthew\NTUSER.DAT
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Music
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Links
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Favorites
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Downloads
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Documents
2008-05-20 20:14:33 0 dr------- C:\Users\Matthew\Desktop
2008-05-20 20:14:33 0 d--h----- C:\Users\Matthew\AppData
2008-05-18 23:17:36 0 d-------- C:\NVIDIA


-- Find3M Report ---------------------------------------------------------------

2008-05-31 12:13:33 0 d-------- C:\Users\Matthew\AppData\Roaming\Malwarebytes
2008-05-28 18:20:19 35 --a------ C:\Users\Matthew\AppData\Roaming\SetValue.bat
2008-05-28 18:20:19 691 --a------ C:\Users\Matthew\AppData\Roaming\GetValue.vbs
2008-05-28 00:17:21 0 d-------- C:\Users\Matthew\AppData\Roaming\DellFaxCtr
2008-05-27 23:35:01 0 d-------- C:\Program Files\Common Files
2008-05-27 23:22:09 0 d-------- C:\Users\Matthew\AppData\Roaming\Xfire
2008-05-25 23:47:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Adobe
2008-05-25 21:50:38 174 --ahs---- C:\Program Files\desktop.ini
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Mail
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Collaboration
2008-05-25 21:45:05 0 d-------- C:\Program Files\Windows Calendar
2008-05-25 21:45:05 0 d-------- C:\Program Files\Movie Maker
2008-05-25 21:45:02 0 d-------- C:\Program Files\Windows Defender
2008-05-25 19:46:53 0 d-------- C:\Users\Matthew\AppData\Roaming\uTorrent
2008-05-23 20:21:55 0 d-------- C:\Users\Matthew\AppData\Roaming\Nero
2008-05-22 22:37:59 0 d-------- C:\Users\Matthew\AppData\Roaming\Mozilla
2008-05-21 19:22:12 0 d-------- C:\Users\Matthew\AppData\Roaming\goombah
2008-05-21 18:43:56 0 d-------- C:\Users\Matthew\AppData\Roaming\Ruckus Network
2008-05-20 22:29:44 0 d-------- C:\Users\Matthew\AppData\Roaming\Macromedia
2008-05-20 21:09:08 0 d-------- C:\Users\Matthew\AppData\Roaming\AdobeUM
2008-05-20 20:14:39 0 d-------- C:\Users\Matthew\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 23:38]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"RestartNeroSetup"="C:\Users\Matthew\AppData\Local\Temp\OnlineUpdate8\SetupXu.exe" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [05/02/2008 22:46]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [05/02/2008 22:46]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [11/03/2006 18:09]
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [01/12/2007 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [11/03/2006 18:04]
"DLCXCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [10/16/2006 01:31]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/28/2008 08:29]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [05/26/2008 22:13]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 23:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3738"=command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingD983"=cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [5/26/2008 22:13:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52daf334-26d6-11dd-86d7-0019d1405841}]
AutoRun\command- G:\Autorun.exe /run
Shell00\Command- G:\Autorun.exe /run
Shell01\Command- G:\Autorun.exe /action
Shell02\Command- G:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c04fd80-2cfe-11dd-bba4-001839142802}]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb233278-26e1-11dd-ad00-806e6f6e6963}]
AutoRun\command- E:\Setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-03 20:05:57 ------------
  • 0

#15
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello johnny boy.. it looks like those entries are really stubborn.. Now please do this...


Please disable your Spybot S&D and Windows Defender prior to our fix.. Please visit this webpage if you do not know how..

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O3 - Toolbar: (no name) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB3738] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT


Please restart your computer. Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\NetProject
    G:\Autorun.exe
    H:\LaunchU3.exe
    E:\Setup.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52daf334-26d6-11dd-86d7-0019d1405841}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c04fd80-2cfe-11dd-bba4-001839142802}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb233278-26e1-11dd-ad00-806e6f6e6963}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingB3738
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\\SpybotDeletingD983
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{51D81DD5-55B7-497F-95DB-D356429BB54E}
    HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please delete your outdated version of SmitfraudFix. Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


Please restart your computer in Normal Mode and re-enable your Spybot S&D and Windows Defender..


Please post the following logs in your next reply...

1. OTMoveIt2
2. SmitfraudFix
3. a fresh DSS log (after SmitfraudFix step)



Regards
fenzodahl512
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP