Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan-spy.win32.mx HELP [RESOLVED]

Started by helplessinchicago , May 31 2008 09:45 PM

This topic is locked

#1
helplessinchicago

Posted 31 May 2008 - 09:45 PM

New Member

Member
8 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:45:38, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NetProject\sbsm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\NetProject\sbsm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe
C:\Program Files\NetProject\sbsm.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {13D9FCD5-8786-452B-8424-D27D3D5B5C38} - C:\WINDOWS\system32\ddaby.dll (file missing)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {9333b58a-e04c-2dfa-4964-26271e198193} - {391891e1-7262-4694-afd2-c40ea85b3339} - C:\WINDOWS\system32\jvhyricq.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {75A469FF-0681-4EC3-8CEC-95DB40C9A285} - C:\WINDOWS\system32\ljjhigh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163995951109
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O20 - Winlogon Notify: ljjhigh - ljjhigh.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

#2
Rorschach112

Posted 01 June 2008 - 10:19 AM

Ralphie

Retired Staff
47,710 posts

Why won't SmitfraudFix run ?

Lets try it once more, delete the SmitfraudFix.exe you have and do this

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#3
helplessinchicago

Posted 01 June 2008 - 03:48 PM

New Member

Topic Starter
Member
8 posts

I tried this before and just tried it again. I click on it and an hour glass appears, then something kills it. the hour glass just goes away. I tried turning off Trend Micro and everything...not sure why.

#4
Rorschach112

Posted 01 June 2008 - 04:01 PM

Ralphie

Retired Staff
47,710 posts

Do this

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5
helplessinchicago

Posted 01 June 2008 - 09:37 PM

New Member

Topic Starter
Member
8 posts

When I tried to run combo fix, I got anerror message saying that windows can not open this file: nircmd.com and asks me to use the webservices or select a program from the list...but neither works.

#6
Rorschach112

Posted 02 June 2008 - 06:20 AM

Ralphie

Retired Staff
47,710 posts

Do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#7
helplessinchicago

Posted 02 June 2008 - 01:58 PM

New Member

Topic Starter
Member
8 posts

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-02 14:49:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
36: 2008-04-28 13:43:52 UTC - RP45 - System Checkpoint
35: 2008-04-27 12:53:26 UTC - RP44 - System Checkpoint
34: 2008-04-26 12:41:18 UTC - RP43 - System Checkpoint
33: 2008-04-25 10:50:36 UTC - RP42 - System Checkpoint
32: 2008-04-24 15:18:35 UTC - RP41 - System Checkpoint

-- First Restore Point --
1: 2008-03-25 23:14:18 UTC - RP10 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 495 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:50:51, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\NetProject\sbsm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {13D9FCD5-8786-452B-8424-D27D3D5B5C38} - C:\WINDOWS\system32\ddaby.dll (file missing)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {9333b58a-e04c-2dfa-4964-26271e198193} - {391891e1-7262-4694-afd2-c40ea85b3339} - C:\WINDOWS\system32\jvhyricq.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {75A469FF-0681-4EC3-8CEC-95DB40C9A285} - C:\WINDOWS\system32\ljjhigh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163995951109
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O20 - Winlogon Notify: ljjhigh - ljjhigh.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9334 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080228-220708-196 O2 - BHO: (no name) - {451692E8-E49F-471E-B230-D36C4A3C7374} - (no file)
backup-20080228-220708-207 O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
backup-20080228-220708-298 O3 - Toolbar: FLYLADY BenefitBar - {E19E589B-749F-4641-9ED3-032DEB7A8D92} - C:\Program Files\BenefitBarIE\benefitbar.dll
backup-20080228-220708-332 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...81/mcinsctl.cab
backup-20080228-220708-411 O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip....bGameLoader.cab
backup-20080228-220708-614 O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
backup-20080228-220708-654 O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
backup-20080228-220708-697 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wideopenw...metro/index.htm
backup-20080228-220708-796 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
backup-20080228-220708-832 O2 - BHO: (no name) - {EE2D7E5A-B838-1E63-5CDC-16D4097E29E3} - (no file)
backup-20080228-220708-961 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
backup-20080228-220708-967 O3 - Toolbar: (no name) - {2E758911-64CB-45F8-A661-E70B8D19DE93} - (no file)
backup-20080228-220709-461 O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.c...PUploader45.cab
backup-20080228-220709-465 O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.ritzpix.c...geUploader3.cab
backup-20080228-220709-666 O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
backup-20080228-220709-825 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
backup-20080228-220710-146 O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - http://www.plaxo.com...upldr-2k-xp.cab
backup-20080228-220710-305 O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
backup-20080228-220710-318 O18 - Protocol hijack: mhtml -
backup-20080228-220710-706 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
backup-20080228-220710-918 O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.shockwave...HLGLauncher.cab
backup-20080229-152134-114 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
backup-20080229-152134-512 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
backup-20080229-152134-832 O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
backup-20080229-152134-854 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
backup-20080229-152135-131 O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
backup-20080229-152135-208 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
backup-20080229-152135-407 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
backup-20080229-152135-560 O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
backup-20080229-152135-823 O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"

-- File Associations -----------------------------------------------------------

.bat - unable to read key
.bat - unable to read key
.bat - unable to read key
.cmd - unable to read key
.cmd - unable to read key
.cmd - unable to read key
.chm - unable to read key
.chm - unable to read key
.com - unable to read key
.com - unable to read key
.cpl - unable to read key
.cpl - unable to read key

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 neokdss - c:\windows\system32\drivers\neokdss.sys (file missing)

S2 windev-757d-1af - c:\windows\system32\windev-757d-1af.sys (file missing)
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\32.tmp (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S4 LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-02 14:49:00 494 --a------ C:\WINDOWS\Tasks\ (GATEWAY-6R0ITBA-Owner).job
2008-05-21 23:07:04 436 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job

-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-01 22:04:02 0 d-------- C:\327882R2FWJFW
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-30 14:07:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-30 14:07:53 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-05-30 14:07:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-30 14:07:52 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-29 23:23:31 0 d-------- C:\WINDOWS\system32\824223
2008-05-29 23:23:19 0 d-------- C:\Program Files\NetProject

-- Find3M Report ---------------------------------------------------------------

2008-06-02 10:09:48 192512 --a------ C:\WINDOWS\system32\kdfvmgr.exe <Not Verified; ??????; ?????? KdfVMgr>
2008-06-02 10:09:48 53248 --a------ C:\WINDOWS\system32\Kdfhok.dll <Not Verified; Kings Information & Network; Kings kdfhok>
2008-06-02 10:09:48 77824 --a------ C:\WINDOWS\system32\kdfapi.dll <Not Verified; Kings Information & Network; lab kdfapi>
2008-05-31 22:21:56 0 d-------- C:\Program Files\Web Publish
2008-05-18 00:17:10 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-24 09:40:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 13:43:24 0 dr-h----- C:\Documents and Settings\Owner\Application Data\SecuROM
2008-04-02 13:37:15 0 d-------- C:\Program Files\Sierra Online
2008-04-02 13:37:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 13:36:01 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-27 22:45:04 1976 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-16 18:30:34 228920 --ahs---- C:\WINDOWS\system32\ybadd.ini2
2008-03-16 18:28:27 6679 --a------ C:\WINDOWS\system32\lxsassok.dll
2008-03-16 18:25:28 6693 --a------ C:\WINDOWS\system32\xbuclmvc.dll
2008-03-16 18:22:37 6683 --a------ C:\WINDOWS\system32\jxrgsgww.dll
2008-03-16 17:28:31 6679 --a------ C:\WINDOWS\system32\mhgwycon.dll
2008-03-16 17:25:27 6693 --a------ C:\WINDOWS\system32\hlxerhet.dll
2008-03-16 17:22:28 6683 --a------ C:\WINDOWS\system32\vpaodnro.dll
2008-03-16 16:25:28 6679 --a------ C:\WINDOWS\system32\sdhxymxg.dll
2008-03-16 16:22:27 6693 --a------ C:\WINDOWS\system32\lxobecxm.dll
2008-03-16 16:20:29 6683 --a------ C:\WINDOWS\system32\tdkfkwan.dll
2008-03-16 15:41:57 849920 --a------ C:\WINDOWS\system32\kdfinj.dll <Not Verified; Bluegem Security; LocalSSL kdfinj Library>
2008-03-15 09:32:10 11008 --a------ C:\WINDOWS\voiceip.dll
2008-03-15 09:32:10 15104 --a------ C:\WINDOWS\swin32.dll
2008-03-15 09:32:10 31232 --a------ C:\WINDOWS\stcloader.exe
2008-03-15 09:32:10 13056 --a------ C:\WINDOWS\cdsm32.dll
2008-03-15 09:32:09 22528 --a------ C:\WINDOWS\mssvr.exe
2008-03-15 09:32:09 18688 --a------ C:\WINDOWS\mspphe.dll
2008-03-15 09:32:09 29440 --a------ C:\WINDOWS\bokja.exe
2008-03-15 09:32:09 15360 --a------ C:\WINDOWS\bjam.dll
2008-03-15 09:32:09 17408 --a------ C:\WINDOWS\2020search2.dll
2008-03-15 09:32:09 9984 --a------ C:\WINDOWS\2020search.dll
2008-03-15 09:32:08 17664 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-03-15 09:32:08 24832 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-03-15 09:32:07 20992 --a------ C:\WINDOWS\updatetc.exe
2008-03-15 09:32:07 27136 --a------ C:\WINDOWS\salm.exe
2008-03-15 09:32:07 14592 --a------ C:\WINDOWS\180ax.exe
2008-03-15 09:32:06 18688 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-15 09:32:06 15360 --a------ C:\WINDOWS\saiemod.dll
2008-03-15 09:32:06 15616 --a------ C:\WINDOWS\msapasrc.dll
2008-03-15 09:32:06 12032 --a------ C:\WINDOWS\msa64chk.dll
2008-03-15 09:32:05 26112 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-15 09:32:05 10496 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-03-15 09:32:05 30720 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-03-15 09:32:04 23808 --a------ C:\WINDOWS\winsb.dll
2008-03-15 09:32:04 17152 --a------ C:\WINDOWS\shdocpl.dll
2008-03-15 09:32:04 11008 --a------ C:\WINDOWS\shdocpe.dll
2008-03-15 09:32:04 10240 --a------ C:\WINDOWS\ntnut.exe
2008-03-15 09:32:04 13312 --a------ C:\WINDOWS\browserad.dll
2008-03-15 09:32:04 10496 --a------ C:\WINDOWS\aviwrap32.dll
2008-03-15 09:32:04 13568 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-15 09:32:03 16896 --a------ C:\WINDOWS\avifile32.dll
2008-03-15 09:32:03 28672 --a------ C:\WINDOWS\autodisc32.dll
2008-03-15 09:32:03 10240 --a------ C:\WINDOWS\audiosrv32.dll
2008-03-15 09:32:03 21248 --a------ C:\WINDOWS\ati2dvag32.dll
2008-03-15 09:32:03 25600 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-03-15 09:32:03 32000 --a------ C:\WINDOWS\athprxy32.dll
2008-03-15 09:32:02 32000 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-15 09:32:02 23808 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-15 09:32:02 20736 --a------ C:\WINDOWS\asferror32.dll
2008-03-15 09:32:02 19968 --a------ C:\WINDOWS\apphelp32.dll
2008-03-15 09:21:40 63 --a------ C:\WINDOWS\system32\b093145a
2008-03-14 23:57:31 9292 --a------ C:\WINDOWS\system32\000060.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13D9FCD5-8786-452B-8424-D27D3D5B5C38}]
C:\WINDOWS\system32\ddaby.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{391891e1-7262-4694-afd2-c40ea85b3339}]
C:\WINDOWS\system32\jvhyricq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75A469FF-0681-4EC3-8CEC-95DB40C9A285}]
C:\WINDOWS\system32\ljjhigh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
06/02/2008 10:06 7680 --a------ C:\Program Files\NetProject\sbmdl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
09/16/2007 09:21 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 20:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 16:57]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 00:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/12/2007 03:55]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\NetProject\scit.exe
"start"=C:\Program Files\NetProject\sbmntr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{75A469FF-0681-4EC3-8CEC-95DB40C9A285}"= C:\WINDOWS\system32\ljjhigh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhigh]
ljjhigh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaby.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Series 700 Startup.lnk
backup=C:\WINDOWS\pss\HP OfficeJet Series 700 Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2SWZKN82R5K47C]
C:\WINDOWS\System32\Xygw9V5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\37FU37Q]
sletmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareProMFC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appxf.exe]
C:\WINDOWS\system32\appxf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atlzw32.exe]
C:\WINDOWS\system32\atlzw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader30wo1JNUdZPU]
"C:\WINDOWS\System32\sletmon.exe" /PC="AM.WILD" /HideUninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLMessagingIntegration]
C:\Program Files\Common Files\PSD Tools\blengine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iemn32.exe]
C:\WINDOWS\system32\iemn32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iww8RXc4i]
jgsisrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
"C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
"C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqn7hy]
C:\Documents and Settings\Owner\Local Settings\Temp\xqn7hy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

-- End of Deckard's System Scanner: finished at 2008-06-02 14:51:54 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 494.73 MiB / 166.61 MiB
Pagefile Memory (total/avail): 1155.57 MiB / 839.59 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.77 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.79 GiB total, 76.97 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200BB-53DWA0 - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.79 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Trend Micro Personal Firewall v5.2 (Trend Micro Inc.) Disabled
AV: Trend Micro Internet Security Pro v16.10.1079 () Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GATEWAY-6R0ITBA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\GATEWAY-6R0ITBA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=GATEWAY-6R0ITBA
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Adobe® Photoshop® Album Starter Edition 3.0.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
BlackBerry Desktop Software 4.2 --> MsiExec.exe /i{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}
BlackBerry Desktop Software 4.2 --> MsiExec.exe /I{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
Finding Nemo: Nemo's Underwater World of Fun --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BCB8D603-985E-4765-B4AB-B4B991A535B7} NemoUWFUninstall
Gateway Drivers and Applications Recovery --> C:\Program Files\Gateway\HPA\GWMenu.exe UNINSTALL
Gateway IE Customizations --> C:\Program Files\\Gateway\IECustom\IEProj.exe UNINSTALL
Gateway Ink Monitor --> MsiExec.exe /X{F10082FE-BACB-4E58-A423-DAD6BFC8B3A2}
Gateway Rhapsody --> "C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile 20BBF229-A337-40AD-9FEB-2C98CDA53D1C /Prompt
Gateway User's Guide --> "C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile 0755407D-BE9E-4D24-8FE4-39C2FBED6FA8 /Prompt
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe" /uninstall
Hooked on Phonics Letter Names --> C:\WINDOWS\unvise32.exe C:\Program Files\Hooked on Phonics Learning\Hooked on Phonics Letter Names\uninstal.log
Hooked on Phonics Letter Sounds --> C:\WINDOWS\unvise32.exe C:\Program Files\Hooked on Phonics Learning\Hooked on Phonics Letter Sounds\uninstal.log
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe CeS
hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
Internet Service --> "C:\Program Files\NetProject\waun.exe"
Island Wars 2 Free Trial --> "C:\Program Files\IslandWars2_at\unins000.exe"
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_6375950\Setup.exe /APR-REMOVE
LEGO Star Wars II --> C:\Program Files\InstallShield Installation Information\{578FA426-47C0-4A3F-98A4-01ACD26B7556}\setup.exe -runfromtemp -l0x0409
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio 2007 Service Pack 1 (SP1) --> msiexec /package {90120000-0054-0409-0000-0000000FF1CE} /uninstall {EA35370F-586C-45E1-AC6C-A4E275C6B762}
Microsoft Office Visio 2007 Service Pack 1 (SP1) --> msiexec /package {91120000-0051-0000-0000-0000000FF1CE} /uninstall {AA4F2610-5FF1-4DCD-A6FB-BCA2D09A6443}
Microsoft Office Visio MUI (English) 2007 --> MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2007 --> MsiExec.exe /X{91120000-0051-0000-0000-0000000FF1CE}
Microsoft Office Visio Professional 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPROR /dll OSETUP.DLL
Microsoft Picture It! Photo Premium 9 --> C:\WINDOWS\System32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0903}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works --> MsiExec.exe /I{B9966F27-9678-4620-9579-925E3084647E}
Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe /ARP D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{33BEE6F3-9987-4F98-A069-97A64EC8321A}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Office 2003 Setup Files --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BD74F5D-4089-4064-B6AF-8E8A93022650}\setup.exe" -l0x9
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Platypus 1.12 --> "C:\Program Files\Platypus Free Trial\unins000.exe"
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealArcade --> "c:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "c:\Program Files\RealArcade\Installer\installerMain.clf" "c:\Program Files\RealArcade\Installer\uninstall\RealArcade.rguninst"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Red Baron Arcade --> C:\Program Files\InstallShield Installation Information\{B27DE086

#8
Rorschach112

Posted 02 June 2008 - 03:24 PM

Ralphie

Retired Staff
47,710 posts

Hello

Run DSS again, using these instructions:

Click START> Run - then copy the following bold blue text and paste it into the Run box & click OK

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.

Click on Scan.

Place a checkmark next to the entries displayed when the scan is finished then Click on Fix.

Repeat the scan; you should get a message "All Associations OK!"

Next, click Save Log, and post this log in your next reply.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {13D9FCD5-8786-452B-8424-D27D3D5B5C38} - C:\WINDOWS\system32\ddaby.dll (file missing)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: {9333b58a-e04c-2dfa-4964-26271e198193} - {391891e1-7262-4694-afd2-c40ea85b3339} - C:\WINDOWS\system32\jvhyricq.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {75A469FF-0681-4EC3-8CEC-95DB40C9A285} - C:\WINDOWS\system32\ljjhigh.dll (file missing)
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O20 - Winlogon Notify: ljjhigh - ljjhigh.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\WINDOWS\system32\mgmrwmrv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}
C:\WINDOWS\system32\824223
C:\Program Files\NetProject
C:\WINDOWS\system32\kdfvmgr.exe 
C:\WINDOWS\system32\Kdfhok.dll 
C:\WINDOWS\system32\kdfapi.dll
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\lxsassok.dll
C:\WINDOWS\system32\xbuclmvc.dll
C:\WINDOWS\system32\jxrgsgww.dll
C:\WINDOWS\system32\mhgwycon.dll
C:\WINDOWS\system32\hlxerhet.dll
C:\WINDOWS\system32\vpaodnro.dll
C:\WINDOWS\system32\sdhxymxg.dll
C:\WINDOWS\system32\lxobecxm.dll
C:\WINDOWS\system32\tdkfkwan.dll
C:\WINDOWS\system32\kdfinj.dll 
C:\WINDOWS\voiceip.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search.dll
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\updatetc.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\winsb.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\ntnut.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\system32\b093145a
C:\WINDOWS\system32\000060.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2SWZKN82R5K47C
C:\WINDOWS\System32\Xygw9V5.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\37FU37Q
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareProMFC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appxf.exe
C:\WINDOWS\system32\appxf.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atlzw32.exe
C:\WINDOWS\system32\atlzw32.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader30wo1JNUdZPU
C:\WINDOWS\System32\sletmon.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iemn32.exe
C:\WINDOWS\system32\iemn32.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iww8RXc4i
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
C:\PROGRA~1\MYWEBS~1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqn7hy
C:\Documents and Settings\Owner\Local Settings\Temp\xqn7hy.exe
purity 
[start explorer]

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Reboot and post a new DSS log

#9
helplessinchicago

Posted 02 June 2008 - 08:44 PM

New Member

Topic Starter
Member
8 posts

I think we are seeing progress. Thanks so much for your help. Is it clean??

logs below

1. DAFT Log saved on 2008-06-02 21:28:38
-----------------------------------------------------------------------
All associations okay!

2. Move It log
Explorer killed successfully
File/Folder C:\WINDOWS\system32\mgmrwmrv.exe not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780} >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}\\ deleted successfully.
C:\WINDOWS\system32\824223 moved successfully.
Folder move failed. C:\Program Files\NetProject scheduled to be moved on reboot.
C:\WINDOWS\system32\kdfvmgr.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\Kdfhok.dll
C:\WINDOWS\system32\Kdfhok.dll NOT unregistered.
C:\WINDOWS\system32\Kdfhok.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kdfapi.dll
C:\WINDOWS\system32\kdfapi.dll NOT unregistered.
C:\WINDOWS\system32\kdfapi.dll moved successfully.
C:\WINDOWS\DCEBoot.exe moved successfully.
C:\WINDOWS\system32\ybadd.ini2 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\lxsassok.dll
C:\WINDOWS\system32\lxsassok.dll NOT unregistered.
C:\WINDOWS\system32\lxsassok.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\xbuclmvc.dll
C:\WINDOWS\system32\xbuclmvc.dll NOT unregistered.
C:\WINDOWS\system32\xbuclmvc.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\jxrgsgww.dll
C:\WINDOWS\system32\jxrgsgww.dll NOT unregistered.
C:\WINDOWS\system32\jxrgsgww.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\mhgwycon.dll
C:\WINDOWS\system32\mhgwycon.dll NOT unregistered.
C:\WINDOWS\system32\mhgwycon.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\hlxerhet.dll
C:\WINDOWS\system32\hlxerhet.dll NOT unregistered.
C:\WINDOWS\system32\hlxerhet.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\vpaodnro.dll
C:\WINDOWS\system32\vpaodnro.dll NOT unregistered.
C:\WINDOWS\system32\vpaodnro.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\sdhxymxg.dll
C:\WINDOWS\system32\sdhxymxg.dll NOT unregistered.
C:\WINDOWS\system32\sdhxymxg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\lxobecxm.dll
C:\WINDOWS\system32\lxobecxm.dll NOT unregistered.
C:\WINDOWS\system32\lxobecxm.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\tdkfkwan.dll
C:\WINDOWS\system32\tdkfkwan.dll NOT unregistered.
C:\WINDOWS\system32\tdkfkwan.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kdfinj.dll
C:\WINDOWS\system32\kdfinj.dll NOT unregistered.
C:\WINDOWS\system32\kdfinj.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\voiceip.dll
C:\WINDOWS\voiceip.dll NOT unregistered.
C:\WINDOWS\voiceip.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\swin32.dll
C:\WINDOWS\swin32.dll NOT unregistered.
C:\WINDOWS\swin32.dll moved successfully.
C:\WINDOWS\stcloader.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cdsm32.dll NOT unregistered.
C:\WINDOWS\cdsm32.dll moved successfully.
C:\WINDOWS\mssvr.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\mspphe.dll
C:\WINDOWS\mspphe.dll NOT unregistered.
C:\WINDOWS\mspphe.dll moved successfully.
C:\WINDOWS\bokja.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\bjam.dll
C:\WINDOWS\bjam.dll NOT unregistered.
C:\WINDOWS\bjam.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search2.dll NOT unregistered.
C:\WINDOWS\2020search2.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search.dll NOT unregistered.
C:\WINDOWS\2020search.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\WER8274.DLL NOT unregistered.
C:\WINDOWS\system32\WER8274.DLL moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\system32\MSIXU.DLL NOT unregistered.
C:\WINDOWS\system32\MSIXU.DLL moved successfully.
C:\WINDOWS\updatetc.exe moved successfully.
C:\WINDOWS\salm.exe moved successfully.
C:\WINDOWS\180ax.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\system32\MSNSA32.dll NOT unregistered.
C:\WINDOWS\system32\MSNSA32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\saiemod.dll
C:\WINDOWS\saiemod.dll NOT unregistered.
C:\WINDOWS\saiemod.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\msapasrc.dll
C:\WINDOWS\msapasrc.dll NOT unregistered.
C:\WINDOWS\msapasrc.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msa64chk.dll NOT unregistered.
C:\WINDOWS\msa64chk.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\SIPSPI32.dll NOT unregistered.
C:\WINDOWS\system32\SIPSPI32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\shdocpe.dll NOT unregistered.
C:\WINDOWS\system32\shdocpe.dll moved successfully.
C:\WINDOWS\system32\ntnut32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\winsb.dll
C:\WINDOWS\winsb.dll NOT unregistered.
C:\WINDOWS\winsb.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\shdocpl.dll
C:\WINDOWS\shdocpl.dll NOT unregistered.
C:\WINDOWS\shdocpl.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpe.dll NOT unregistered.
C:\WINDOWS\shdocpe.dll moved successfully.
C:\WINDOWS\ntnut.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\browserad.dll
C:\WINDOWS\browserad.dll NOT unregistered.
C:\WINDOWS\browserad.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\aviwrap32.dll NOT unregistered.
C:\WINDOWS\aviwrap32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\avisynthex32.dll NOT unregistered.
C:\WINDOWS\avisynthex32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\avifile32.dll
C:\WINDOWS\avifile32.dll NOT unregistered.
C:\WINDOWS\avifile32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\autodisc32.dll
C:\WINDOWS\autodisc32.dll NOT unregistered.
C:\WINDOWS\autodisc32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\audiosrv32.dll NOT unregistered.
C:\WINDOWS\audiosrv32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\ati2dvag32.dll NOT unregistered.
C:\WINDOWS\ati2dvag32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvaa32.dll NOT unregistered.
C:\WINDOWS\ati2dvaa32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\athprxy32.dll
C:\WINDOWS\athprxy32.dll NOT unregistered.
C:\WINDOWS\athprxy32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\changeurl_30.dll NOT unregistered.
C:\WINDOWS\changeurl_30.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\asycfilt32.dll NOT unregistered.
C:\WINDOWS\asycfilt32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\asferror32.dll
C:\WINDOWS\asferror32.dll NOT unregistered.
C:\WINDOWS\asferror32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\apphelp32.dll
C:\WINDOWS\apphelp32.dll NOT unregistered.
C:\WINDOWS\apphelp32.dll moved successfully.
C:\WINDOWS\system32\b093145a moved successfully.
C:\WINDOWS\system32\000060.exe moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2SWZKN82R5K47C >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2SWZKN82R5K47C\\ deleted successfully.
File/Folder C:\WINDOWS\System32\Xygw9V5.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\37FU37Q >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\37FU37Q\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareProMFC >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareProMFC\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appxf.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appxf.exe\\ deleted successfully.
File/Folder C:\WINDOWS\system32\appxf.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atlzw32.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atlzw32.exe\\ deleted successfully.
File/Folder C:\WINDOWS\system32\atlzw32.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader30wo1JNUdZPU >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoader30wo1JNUdZPU\\ deleted successfully.
File/Folder C:\WINDOWS\System32\sletmon.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iemn32.exe >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iemn32.exe\\ deleted successfully.
File/Folder C:\WINDOWS\system32\iemn32.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iww8RXc4i >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iww8RXc4i\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor\\ deleted successfully.
File/Folder C:\PROGRA~1\MYWEBS~1 not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqn7hy >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqn7hy\\ deleted successfully.
File/Folder C:\Documents and Settings\Owner\Local Settings\Temp\xqn7hy.exe not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06022008_213540

Files moved on Reboot...
C:\Program Files\NetProject moved successfully.

3. Final DSS log
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-02 21:44:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:37, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163995951109
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7975 bytes

-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-01 22:04:02 0 d-------- C:\327882R2FWJFW
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-30 14:07:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-30 14:07:53 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-05-30 14:07:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-30 14:07:52 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:36:04 0 d-------- C:\Program Files\Web Publish
2008-04-24 09:40:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 13:43:24 0 dr-h----- C:\Documents and Settings\Owner\Application Data\SecuROM
2008-04-02 13:37:15 0 d-------- C:\Program Files\Sierra Online
2008-04-02 13:37:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 13:36:01 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-27 22:45:04 1976 --a------ C:\WINDOWS\system32\tmp.reg

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
C:\Program Files\NetProject\sbmdl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
09/16/2007 09:21 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 20:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 16:57]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 00:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/12/2007 03:55]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"start"=C:\Program Files\NetProject\sbmntr.exe
"some"=C:\Program Files\NetProject\scit.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaby.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Series 700 Startup.lnk
backup=C:\WINDOWS\pss\HP OfficeJet Series 700 Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLMessagingIntegration]
C:\Program Files\Common Files\PSD Tools\blengine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
"C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

-- End of Deckard's System Scanner: finished at 2008-06-02 21:45:09 ------------

#10
Rorschach112

Posted 03 June 2008 - 06:56 AM

Ralphie

Retired Staff
47,710 posts

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldieto...om/redirect.php (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Reboot and post a new DSS log

#11
helplessinchicago

Posted 03 June 2008 - 12:31 PM

New Member

Topic Starter
Member
8 posts

Malwarebytes' Anti-Malware 1.14
Database version: 818

1:21:47 PM 6/3/2008
mbam-log-6-3-2008 (13-21-47).txt

Scan type: Quick Scan
Objects scanned: 36707
Time elapsed: 25 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{51d81dd5-55b7-497f-95db-d356429bb54e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Web Application (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\zango\zango.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\seekmo\seekmohook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\id53.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-03 13:28:35
Computer is in Normal Mode.--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:28:44, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Desktop\Tools for viruses\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163995951109
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7079 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-03 12:02:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-03 12:02:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 12:02:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-01 22:04:02 0 d-------- C:\327882R2FWJFW
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-30 14:07:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-30 14:07:53 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-05-30 14:07:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-30 14:07:52 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:36:04 0 d-------- C:\Program Files\Web Publish
2008-04-24 09:40:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-27 22:45:04 1976 --a------ C:\WINDOWS\system32\tmp.reg

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
09/16/2007 09:21 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 20:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 16:57]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 00:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/12/2007 03:55]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [12/16/2007 19:50]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaby.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Series 700 Startup.lnk
backup=C:\WINDOWS\pss\HP OfficeJet Series 700 Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLMessagingIntegration]
C:\Program Files\Common Files\PSD Tools\blengine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
"C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

-- End of Deckard's System Scanner: finished at 2008-06-03 13:29:13 ------------

#12
Rorschach112

Posted 03 June 2008 - 12:47 PM

Ralphie

Retired Staff
47,710 posts

Hello

Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00

Then double click on the fix.reg file, when it prompts to merge click "Yes".

Reboot and post a new DSS log

#13
helplessinchicago

Posted 03 June 2008 - 01:10 PM

New Member

Topic Starter
Member
8 posts

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-03 14:04:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:47, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Desktop\Tools for viruses\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163995951109
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7023 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-03 12:02:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-03 12:02:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 12:02:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-01 22:04:02 0 d-------- C:\327882R2FWJFW
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-30 14:07:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-30 14:07:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-30 14:07:53 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-30 14:07:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-30 14:07:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-05-30 14:07:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-30 14:07:52 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:36:04 0 d-------- C:\Program Files\Web Publish
2008-04-24 09:40:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-27 22:45:04 1976 --a------ C:\WINDOWS\system32\tmp.reg

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
09/16/2007 09:21 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 20:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 16:57]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 00:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/12/2007 03:55]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [12/16/2007 19:50]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Series 700 Startup.lnk
backup=C:\WINDOWS\pss\HP OfficeJet Series 700 Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLMessagingIntegration]
C:\Program Files\Common Files\PSD Tools\blengine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OurPictures]
"C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\3.8.0.64\PlaxoHelper_en.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

-- End of Deckard's System Scanner: finished at 2008-06-03 14:05:15 ------------

#14
Rorschach112

Posted 03 June 2008 - 01:19 PM

Ralphie

Retired Staff
47,710 posts

Your logs are clean

Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#15
Rorschach112

Posted 08 June 2008 - 04:21 PM

Ralphie

Retired Staff
47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.