[patrick_1]

I recently had a virus that:

disabled task manager
disabled some start menu items
no cmd
'VIRUS ALERT!' in time area of taskbar
desktop icons removed/changed
blinking screen every two secs
IE couldn't connect as it was set to wrong start page

Through your malware forums I was able to remove the virus symptoms and I think I'm clean now. Would someone look over my logs to be sure. This virus took me quite a bit of time to get this far and I want to ensure there are no remnants that could pop up later.

I also had an seperate malware issue from along time ago that I removed except on startup I get a Runtime error box [Invalid BackWeb application id "137903"]. Not sure how to if this is related and how to remove/fix this.

Thank you in advance for your time and guidance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:53, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\hphmon05.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\AOL\1127504750\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.wild...7E-769D0CA174F4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127504750\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [78d2b5e2] rundll32.exe "C:\WINDOWS\system32\dxriptfe.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: spamsubtract.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft OfficeB\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O21 - SSODL: RamRam - {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10453 bytes

ComboFix 08-06-07.3 - Owner 2008-06-08 15:33:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.229 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\ShoppingReport
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Program Files\myglobalsearch
C:\Program Files\MyWay
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\1.bin\UNINSTAL.INF
C:\Program Files\MyWay\SrchAstt\Cache\098F0735
C:\Program Files\MyWay\SrchAstt\Cache\files.ini
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\bundles
C:\WINDOWS\bundles\adv0ltc0m.exe
C:\WINDOWS\bundles\ast_5_adsav.exe
C:\WINDOWS\bundles\Beryllium.exe
C:\WINDOWS\bundles\bs5-tsrkqn.exe
C:\WINDOWS\bundles\Century.exe
C:\WINDOWS\bundles\CSV7P070.exe
C:\WINDOWS\bundles\cxt_big.exe
C:\WINDOWS\bundles\Decade.exe
C:\WINDOWS\bundles\HelperInstaller.exe
C:\WINDOWS\bundles\icmedia2_56.exe
C:\WINDOWS\bundles\ICMMedia_1cmm3d1a.exe
C:\WINDOWS\bundles\james_dh.exe
C:\WINDOWS\bundles\optimizejames.exe
C:\WINDOWS\bundles\runsearch.exe
C:\WINDOWS\bundles\s4Sept.exe
C:\WINDOWS\bundles\saie1101.exe
C:\WINDOWS\bundles\setup_silent_26221.exe
C:\WINDOWS\bundles\snackman.exe
C:\WINDOWS\bundles\stlb2_seed.exe
C:\WINDOWS\bundles\vl_ezstub.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\BIjSAJjl.ini
C:\WINDOWS\system32\BIjSAJjl.ini2
C:\WINDOWS\system32\drivers\Winro33.sys
C:\WINDOWS\system32\eftpirxd.ini
C:\WINDOWS\system32\iedyuthd.ini
C:\WINDOWS\system32\ljJASjIB.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mssrv32.exe
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\yayvWqoL.dll
C:\WINDOWS\xbqmfsed.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Legacy_WINRO33
-------\Service_msupdate
-------\Service_Winro33


((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-08 02:29 . 2008-06-08 02:29 92,544 --a------ C:\WINDOWS\system32\dxriptfe.dll
2008-06-08 01:49 . 2008-06-08 01:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 01:49 . 2008-06-08 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 01:44 . 2008-06-08 01:44 <DIR> d-------- C:\WINDOWS\resources
2008-06-08 01:31 . 2008-06-08 03:53 4,158 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-08 00:53 . 2008-06-08 00:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 22:47 . 2008-06-07 22:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-06-07 20:16 . 2008-06-07 20:16 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Juniper Networks
2008-06-07 20:15 . 2008-06-07 20:15 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-06-07 18:47 . 2008-06-07 11:24 94,208 --a------ C:\WINDOWS\esox.exe
2008-06-07 03:56 . 2008-06-07 03:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-07 03:55 . 2008-06-07 03:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-07 03:55 . 2008-06-07 03:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-07 02:01 . 2008-06-07 02:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-06-07 02:01 . 2008-06-07 02:05 3,350 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-06-07 02:01 . 2008-06-07 02:01 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\6DB4DC67D0.sys
2008-06-07 01:59 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-06-07 01:58 . 2008-06-07 01:59 <DIR> d-------- C:\Program Files\QuickTime
2008-06-07 01:58 . 2008-06-07 01:58 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-07 01:58 . 2008-06-07 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-06-07 01:55 . 2008-06-07 01:55 <DIR> d-------- C:\Program Files\Corel
2008-06-07 01:49 . 2008-06-07 01:49 <DIR> d-------- C:\Program Files\MagicISO
2008-05-31 17:59 . 2008-05-31 17:59 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-05-27 00:19 . 2008-05-27 00:19 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-05-27 00:19 . 2008-05-27 00:19 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-05-11 18:14 . 2008-05-11 18:14 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 04:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-07 11:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-06-07 10:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-07 09:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 01:28 --------- d-----w C:\Program Files\GIMP-2.0
2008-05-08 04:31 --------- d-----w C:\Program Files\uTorrent
2008-05-04 02:45 --------- d-----w C:\Program Files\GPLGS
2008-05-04 02:44 --------- d-----w C:\Program Files\Acro Software
2008-04-13 19:26 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
2008-04-12 23:55 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-04-12 20:54 --------- d-----w C:\Program Files\Neoteris
2008-04-12 20:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Juniper Networks
2007-12-22 03:56 5,757 ----a-w C:\Program Files\install.log
2007-10-22 11:49 867,848 ----a-w C:\Program Files\NOV2007_d3dx10_36_x64.cab
2007-10-22 11:49 807,132 ----a-w C:\Program Files\NOV2007_d3dx10_36_x86.cab
2007-10-22 11:49 49,392 ----a-w C:\Program Files\NOV2007_X3DAudio_x64.cab
2007-10-22 11:49 44,850 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-10-22 11:49 21,744 ----a-w C:\Program Files\NOV2007_X3DAudio_x86.cab
2007-10-22 11:49 200,010 ----a-w C:\Program Files\NOV2007_XACT_x64.cab
2007-10-22 11:49 151,512 ----a-w C:\Program Files\NOV2007_XACT_x86.cab
2007-10-22 11:49 1,805,306 ----a-w C:\Program Files\NOV2007_d3dx9_36_x64.cab
2007-10-22 11:49 1,712,608 ----a-w C:\Program Files\NOV2007_d3dx9_36_x86.cab
2006-03-18 06:22 8 ----a-w C:\Documents and Settings\Owner\Application Data\usb.dat.bin
2004-12-06 20:58 68,920 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-27 10:06 27 ----a-w C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
2004-11-04 08:45 2,268 ----a-w C:\Program Files\saap.log
2004-02-26 18:37 2,263,791 ---ha-w C:\Program Files\kyf.dat
2004-02-26 10:08 24,816 ---ha-w C:\Program Files\fiz6
2004-02-16 06:56 30,083 ---ha-w C:\Program Files\fiz5
2004-01-31 09:34 30,053 ---ha-w C:\Program Files\fiz4
2004-01-23 02:56 30,079 ---ha-w C:\Program Files\fiz3
2004-01-17 09:18 30,063 ---ha-w C:\Program Files\fiz2
2004-01-14 08:51 30,112 -c-ha-w C:\Program Files\fiz1
2003-05-01 16:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}]
C:\WINDOWS\enhtb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-22 20:25 24576]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 19:30 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 18:19 53248]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 06:23 90112]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 06:07 114688]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-13 22:53 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 03:23 172032]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 01:55 483328]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 02:03 49152]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 01:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-02-24 17:51 53248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57 81920]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HostManager"="C:\Program Files\Common Files\AOL\1127504750\ee\AOLSoftware.exe" [2006-03-10 14:22 48280]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"78d2b5e2"="C:\WINDOWS\system32\dxriptfe.dll" [2008-06-08 02:29 92544]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-06-18 18:19:08 53248]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 06:11:14 27136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
spamsubtract.lnk.disabled [2003-08-28 19:19:14 844]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2003-11-01 00:56:55 36954]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-06-13 03:08:16 233472]
Microsoft Office.lnk - C:\Program Files\Microsoft OfficeB\Office\OSA9.EXE [2000-01-21 00:15:54 65588]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 18:20:02 53248]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 19:34:35 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamRam"= {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 02:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"VBouncer"=C:\PROGRA~1\VBouncer\VirtualBouncer.exe
"WildTangent CDA"=RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\EA Games\\MOHAADemo\\MOHAADemo.exe"=
"C:\\Program Files\\Diablo II\\Game.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\EA Games\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 7.0\\LabVIEW.exe"=
"C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe"=
"C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1127504750\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader
"6881:TCP"= 6881:TCP:blizzard downloader
"6999:TCP"= 6999:TCP:blizzard dowloader

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido\security suite\guard.sys [2004-11-22 06:15]
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-29 21:43]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2002-10-07 09:00]
R2 PSI_SVC_2;Protexis Licensing V2;"C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 20:09]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 09:58:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 15:42:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-08 15:52:22 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-06-08 23:52:19

Pre-Run: 39,022,358,528 bytes free
Post-Run: 38,998,773,760 bytes free

268 --- E O F --- 2008-05-28 11:01:29

[Advertisements]

Hello patrick_1, and welcome to Geeks to Go!

Please read this post completely. It may make it easier for you if you print, or copy and paste this post to a new text document for reference later.

This will likely be a few steps process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Regards

eddie

[eddie5659]

Hello patrick_1, and welcome to Geeks to Go!

Please read this post completely. It may make it easier for you if you print, or copy and paste this post to a new text document for reference later.

This will likely be a few steps process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Regards

eddie

[patrick_1]

Thanks for the response. Since my initial posting I continued working on cleaning my system so my previous logs are now obsolete. I won't make any other changes except as you suggest. As requested here are the DSS logs.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-13 21:28:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
83: 2008-06-14 05:29:10 UTC - RP1212 - Deckard's System Scanner Restore Point
82: 2008-06-13 09:57:17 UTC - RP1211 - Removed HP Photo and Imaging 2.0 - Photosmart Cameras
81: 2008-06-13 09:45:15 UTC - RP1210 - Uniblue RegistryBooster
80: 2008-06-13 09:43:46 UTC - RP1209 - Uniblue RegistryBooster
79: 2008-06-13 07:23:18 UTC - RP1208 - Removed Code Project - Cool Downloader


-- First Restore Point --
1: 2008-03-17 00:34:39 UTC - RP1130 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:30, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\hphmon05.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [78d2b5e2] rundll32.exe "C:\WINDOWS\system32\dxriptfe.dll",b
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O21 - SSODL: RamRam - {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7168 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080608-005522-935 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
backup-20080608-005911-635 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
backup-20080608-010731-334 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
backup-20080608-011358-948 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
backup-20080612-233331-660 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.wild...7E-769D0CA174F4
backup-20080612-233358-327 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20080612-233358-639 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
backup-20080612-233358-848 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
backup-20080612-233358-859 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
backup-20080612-233420-633 O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
backup-20080612-233545-236 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
backup-20080612-233545-905 O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
backup-20080612-233923-334 O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
backup-20080612-235611-309 O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ewido security suite driver - c:\program files\ewido\security suite\guard.sys
R1 NEOFLTR_530_11531 (Juniper Networks TDI Filter Driver (NEOFLTR_530_11531)) - c:\windows\system32\drivers\neofltr_530_11531.sys <Not Verified; Neoteris; Secure Application Manager>
R1 SiSkp - c:\windows\system32\drivers\srvkp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® WindowsXP Display Manager>
R2 cvintdrv - c:\windows\system32\drivers\cvintdrv.sys
R2 NwlnkIpx (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol) - c:\windows\system32\drivers\nwlnkipx.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 NwlnkNb (NWLink NetBIOS) - c:\windows\system32\drivers\nwlnknb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 NwlnkSpx (NWLink SPX/SPXII Protocol) - c:\windows\system32\drivers\nwlnkspx.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 ltmodem5 (Lucent Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys <Not Verified; LT; LT V.92 Data+Fax Modem Version 8.28>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 Ps2 - c:\windows\system32\drivers\ps2.sys <Not Verified; Hewlett-Packard Company; Hewlett-Packard Company PS2 SYS>
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys <Not Verified; America Online, Inc.; Wan Miniport (ATW)>

S3 BCM43XX (Wireless-G PCI Adapter Driver) - c:\windows\system32\drivers\bcmwl5.sys <Not Verified; Linksys Corporation; Instant Wireless-G PCI Adapter>
S3 Bridge (MAC Bridge) - c:\windows\system32\drivers\bridge.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 BridgeMP (MAC Bridge Miniport) - c:\windows\system32\drivers\bridge.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT®>
S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 S3Psddr - c:\windows\system32\drivers\s3gnbm.sys <Not Verified; S3 Graphics, Inc.; S3 ProSavage(DDR) & Twister Miniport Driver>
S3 SiS315 - c:\windows\system32\drivers\sisgrp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS ® Compatible Super VGA Miniport Driver for Windows XP>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 niSvcLoc (NI Service Locator) - c:\windows\system32\nisvcloc.exe -s <Not Verified; National Instruments; National Instruments Service Locator>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)
S3 NILM License manager - "c:\program files\national instruments\shared\license manager\bin\lmgrd.exe" <Not Verified; Macrovision Corporation; >
S4 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
S4 ewido security suite guard - c:\program files\ewido\security suite\ewidoguard.exe <Not Verified; ewido networks; guard>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-11 21:46:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-13 01:40:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-06-10 17:47:50 0 d-------- C:\Program Files\AC3Filter
2008-06-10 17:39:20 0 d-------- C:\Program Files\Elecard
2008-06-10 17:39:20 0 d-------- C:\Program Files\Common Files\Elecard
2008-06-10 17:29:56 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-10 17:29:56 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-10 17:29:56 0 d-------- C:\Program Files\Xvid
2008-06-10 17:27:13 0 d-------- C:\Program Files\KC Softwares
2008-06-08 21:36:24 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-08 21:36:24 2547 --a------ C:\WINDOWS\unins000.dat
2008-06-08 04:02:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-08 02:59:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-06-08 02:29:11 92544 --a------ C:\WINDOWS\system32\dxriptfe.dll
2008-06-08 01:49:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 01:49:12 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 01:44:06 0 d-------- C:\WINDOWS\resources
2008-06-08 01:31:55 4158 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-08 00:53:27 0 d-------- C:\Program Files\Trend Micro
2008-06-08 00:49:56 68096 --a------ C:\WINDOWS\zip.exe
2008-06-08 00:49:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-08 00:49:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-08 00:49:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-08 00:49:56 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-08 00:49:56 98816 --a------ C:\WINDOWS\sed.exe
2008-06-08 00:49:56 80412 --a------ C:\WINDOWS\grep.exe
2008-06-08 00:49:56 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-07 22:47:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-06-07 18:47:26 94208 --a------ C:\WINDOWS\esox.exe
2008-06-07 03:56:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-07 02:01:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-06-07 02:01:25 3350 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-06-07 02:01:25 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\6DB4DC67D0.sys
2008-06-07 01:59:47 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-06-07 01:58:59 0 d-------- C:\Program Files\QuickTime
2008-06-07 01:58:26 0 d-------- C:\Program Files\Apple Software Update
2008-06-07 01:58:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-07 01:56:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-06-07 01:56:03 0 d-------- C:\Program Files\Common Files\Protexis
2008-06-07 01:56:03 0 d-------- C:\Program Files\Common Files\InterVideo
2008-06-07 01:55:37 0 d-------- C:\Program Files\Corel
2008-06-07 01:49:52 0 d-------- C:\Program Files\MagicISO
2008-05-31 17:59:16 0 d-------- C:\Program Files\DVD Decrypter
2008-05-30 15:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 15:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 15:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 15:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 15:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-27 00:19:30 0 d-------- C:\WINDOWS\Replay Media Catcher
2008-05-27 00:19:16 0 d-------- C:\Program Files\Replay Media Catcher
2008-05-22 14:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 14:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 14:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-13 21:28:25 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-13 01:05:52 2 --a------ C:\CONFIG.SYS
2008-06-13 00:44:54 0 d-------- C:\Program Files\Updates from HP
2008-06-12 23:27:57 0 d-------- C:\Program Files\Canon
2008-06-12 23:25:44 0 d-------- C:\Program Files\MUSICMATCH
2008-06-12 23:25:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-12 23:24:26 0 d-------- C:\Program Files\Google
2008-06-12 23:23:43 0 d-------- C:\Program Files\Diablo II
2008-06-12 23:23:24 0 d-------- C:\Program Files\Common Files
2008-06-12 23:22:37 0 d-------- C:\Program Files\Common Files\aolshare
2008-06-12 23:21:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-12 23:18:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-12 23:15:01 0 d-------- C:\Program Files\Common Files\AOL
2008-06-10 17:18:43 0 d-------- C:\Program Files\DivX
2008-06-10 00:34:56 0 d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-06-07 02:19:17 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-22 14:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-16 17:28:40 0 d-------- C:\Program Files\GIMP-2.0
2008-05-07 20:31:53 0 d-------- C:\Program Files\uTorrent
2008-05-03 18:45:28 0 d-------- C:\Program Files\GPLGS
2008-05-03 18:44:04 0 d-------- C:\Program Files\Acro Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}]
C:\WINDOWS\enhtb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd.exe" [06/13/2003 22:53]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [03/12/2003 03:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [05/23/2003 01:55]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [05/23/2003 02:03]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 15:04]
"Logitech Utility"="Logi_MwX.Exe" [03/04/2003 01:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41]
"nwiz"="nwiz.exe" [12/05/2007 01:41 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/16/2002 15:57]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 20:42]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 15:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41]
"78d2b5e2"="C:\WINDOWS\system32\dxriptfe.dll" [06/08/2008 02:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [06/22/2003 20:25]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 23:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\NoRecentDocsHistory D_WORD]
@=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamRam"= {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 02:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk.disabled
backup=C:\WINDOWS\pss\spamsubtract.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)
"CCALib8"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=3 (0x3)
"Browser"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-06-13 21:31:54 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 511.36 MiB / 274.93 MiB
Pagefile Memory (total/avail): 1250.59 MiB / 982.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 142.01 GiB total, 34.31 GiB free.
D: is Fixed (FAT32) - 7.02 GiB total, 2.14 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160021A - 149.05 GiB - 2 partitions
\PARTITION0 - Unknown - 7.03 GiB - D:
\PARTITION1 (bootable) - Installable File System - 142.01 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Disabled:Microsoft ® HTML Application host"
"C:\\Program Files\\EA Games\\MOHAADemo\\MOHAADemo.exe"="C:\\Program Files\\EA Games\\MOHAADemo\\MOHAADemo.exe:*:Disabled:Medal of Honor PC"
"C:\\Program Files\\Diablo II\\Game.exe"="C:\\Program Files\\Diablo II\\Game.exe:*:Disabled:Diablo II"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd:*:Disabled:Age of Empires II Expansion"
"C:\\Program Files\\EA Games\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe"="C:\\Program Files\\EA Games\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe:*:Disabled:Medal of Honor Allied Assault™ Spearhead"
"C:\\Program Files\\National Instruments\\LabVIEW 7.0\\LabVIEW.exe"="C:\\Program Files\\National Instruments\\LabVIEW 7.0\\LabVIEW.exe:*:Enabled:LabVIEW 7.0 Development System"
"C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe"="C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe:*:Enabled:NIExampleFinder"
"C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"="C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe:*:Enabled:Freelancer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs Trial"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"="C:\\Program Files\\Corel\\DVD9\\WinDVD.exe:*:Disabled:WinDVD"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PATRICKS-COM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\PATRICKS-COM
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=PATRICKS-COM
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 4.32 --> "C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\5bc0f8414ec36c555a3e7e5ec2e225e\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Setup --> MsiExec.exe /I{D504303A-717D-414C-BA9F-FE01093E2EF8}
Age of Empires III - The WarChiefs Trial --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{ABFE9B50-BA4B-4FDF-A943-EA025119DBED}
Age of Mythology --> "C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
ArcSoft ShowBiz 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{791B20D4-AE59-4DE9-B45F-BA01F3D0A493}\setup.exe" -l0x9
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitZip (remove only) --> C:\Program Files\BitZip\Uninstall.exe
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Corel WinDVD 9 --> C:\Program Files\InstallShield Installation Information\{E3993D46-AE3F-402E-9F9D-EEBDFBEC3564}\setup.exe -runfromtemp -l0x0409
CreativeProjects -->
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
Director -->
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
Elecard MPEG-2 Decoder&Streaming Plug-in for WMP --> "C:\Program Files\Elecard\Elecard MPEG-2 Decoder&Streaming Plug-in for WMP\Uninstall.exe" "C:\Program Files\Elecard\Elecard MPEG-2 Decoder&Streaming Plug-in for WMP\install.log" -u
ewido security suite --> C:\Program Files\ewido\security suite\Uninstall.exe
Freelancer --> "C:\Program Files\Microsoft Games\Freelancer\UNINSTAL.EXE" /runtemp /addremove
FXCM Chart Plugin II --> C:\PROGRA~1\CANDLE~1\FXTS2\UNWISE.EXE C:\PROGRA~1\CANDLE~1\FXTS2\FXCHART.LOG
FXCM Trading Station II --> C:\Program Files\CandleWorks\FXTS2\uninstall.exe FXCM Trading Station II
GIMP 2.4.5 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp deskjet 3600 --> msiexec /x{7CA32143-2DAC-4F5F-9BAA-2AB3707EF192}
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photo & Imaging 3.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update --> MsiExec.exe /X{C05E10AC-BD86-4564-9D16-EF11D7314FB2}
HPImageZone --> MsiExec.exe /X{11946FA8-329A-4DDF-B867-A32781FED8EE}
HPIZ Fix2 -->
hpmdtab -->
HpSdpAppCoreApp -->
HPSystemDiagnostics -->
InstantShare -->
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
interneTIFF 6.2-FREE (IE Browser) --> C:\WINDOWS\ISUninst.exe -f"C:\Program Files\Innomage\interneTIFFX\Uninst.isu" -c"C:\Program Files\Innomage\interneTIFFX\U_ITIFFFREE.dll"
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Juniper Networks Secure Application Manager --> C:\Program Files\Neoteris\Secure Application Manager\UninstallSAM.exe
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KC Softwares VideoInspector --> "C:\Program Files\KC Softwares\VideoInspector\unins000.exe"
KODAK Picture CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C23837C-993E-11D4-9DE0-0060085C158A}\SETUP.EXE"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
Logitech MouseWare 9.76 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech Resource Center --> C:\PROGRA~1\Logitech\RESOUR~1\rem\UNWISE.EXE C:\PROGRA~1\Logitech\RESOUR~1\rem\INSTALL.LOG
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Medal of Honor Allied Assault Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5FF7007-9DB1-46E2-9B31-0E1D6987CD99}\Setup.exe" -l0x9
Medal of Honor Allied Assault™ Spearhead Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{54B228DC-4B49-4AF7-B3C6-AA612CD14A83}\Setup.exe" -l0x9
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Game Studios Common Redistributables Pack 1 -->
Microsoft Halo Trial --> "C:\Program Files\Microsoft Games\Halo Trial\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft XML Parser -->
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
MWSnap 3 --> "C:\Program Files\MWSnap\uninstall.exe"
National Instruments Software --> "C:\Program Files\National Instruments\Shared\NIUninstaller\uninst.exe"
NI Instrument IO Assistant for LabVIEW 7.0 -->
NI LabVIEW 7.0 Student Edition -->
NI LabVIEW Advanced Analysis 7.0 -->
NI LabVIEW CIN Tools 7.0 -->
NI LabVIEW Full 7.0 -->
NI LabVIEW Picture Control Toolkit 7.0 -->
NI LabVIEW Run-Time Engine 7.0 -->
NI LabVIEW Service Locator 1.0 -->
NI LVBroker -->
NI LVBrokerAux70 -->
NI Uninstaller 1.1.1f1 -->
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA Gart Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA Gart Driver
O-Matrix Light 5.81 --> "c:\omwin\Uninstal.exe"
OmniPass --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\Setup.exe" -l0x9
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PhotoGallery -->
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PrintScreen -->
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
PSShortcutsP -->
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QFolder -->
Quicken 2003 New User Edition -->
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
QuickProjects -->
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Recorder --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Recorder\ST6UNST.LOG"
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Replay Media Catcher --> "C:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:C:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Search Assistant --> C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe uninstadkw
Search Basket --> C:\WINDOWS\enhuninstall.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SkinsHP1 -->
SkinsHP2 -->
SolidWorks viewer --> MsiExec.exe /X{4E8CF185-07D7-4843-927F-A5B377B5E1C6}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
STX from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\342970EF-F8DF-4E9B-8477-A1A03E3E15E1\Uninstall.exe"
Tomb Raider: Anniversary Demo 1.0 --> C:\Program Files\Tomb Raider - Anniversary Demo\uninsttra.exe
toolkit --> c:\Windows\HPTK\unhptkit.exe
TrayApp -->
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
Unload -->
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Web Savings from Ebates --> wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch" ls: deletefeature ld: feature=ebateswebsavings.xml
WebFldrs XP -->
Weblink --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4FCC384C-18EA-4E25-9281-A06AE006D219}\setup.exe" -l0x9
WebSearch Tools --> C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe uninstesies
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type43760 / Error
Event Submitted/Written: 06/08/2008 09:40:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.4.

[eddie5659]

Don't you sometime hate pc's. Just spent two hours sifting thru the log, to then get a blue screen and it restarted.....and it didn't save

Needless to say, I wasn't happy a few minutes ago, but I can go thru it again as I know what was there now


Okay, lets run some programs to clear this up.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Then, post a fresh DSS log, along with the SAS and MBAM log

eddie

[patrick_1]

Now it looks like were getting somewhere. I'm posting the logs in two replies as they are getting rather long. Here's the Malware and SuperAntiSpyware

Malwarebytes' Anti-Malware 1.17
Database version: 855

11:25:21 AM 6/14/2008
mbam-log-6-14-2008 (11-25-21).txt

Scan type: Quick Scan
Objects scanned: 39338
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dxriptfe.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{f9fa603d-697c-4900-a950-e54f08324a24} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nmwegbsf.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\78d2b5e2 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dxriptfe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eftpirxd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\esox.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/14/2008 at 12:52 PM

Application Version : 4.15.1000

Core Rules Database Version : 3482
Trace Rules Database Version: 1473

Scan type : Complete Scan
Total Scan Time : 01:17:51

Memory items scanned : 337
Memory threats detected : 0
Registry items scanned : 5992
Registry threats detected : 27
File items scanned : 129456
File threats detected : 35

wbho2 Module BHO
HKLM\Software\Classes\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\InprocServer32
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\InprocServer32#ThreadingModel
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\ProgID
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\Programmable
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\TypeLib
HKCR\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\VersionIndependentProgID
C:\WINDOWS\ENHTB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}

Adware.Tracking Cookie
c:\documents and settings\owner\cookies\[email protected][1].txt
c:\documents and settings\owner\cookies\owner@hotbar[2].txt
c:\documents and settings\owner\cookies\[email protected][1].txt
c:\documents and settings\owner\cookies\[email protected][1].txt
c:\documents and settings\owner\cookies\[email protected][1].txt
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ar.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.glb.adtechus.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
www6.addfreestats.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
www.zango.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
counter.hitslink.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
cache.trafficmp.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
cache.trafficmp.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad2.bannerbank.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.yadro.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ads.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ads.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ad3.bannerbank.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
tremor.adbureau.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tremor.adbureau.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ads.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.axxessads.valuead.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.axxessads.valuead.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.axxessads.valuead.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.axxessads.valuead.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.axxessads.valuead.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.axxessads.valuead.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adserver.easyad.info [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
anad.tacoda.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.hitbox.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
citi.bridgetrack.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
www.accountonline.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.clickbank.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.adserver.adtechus.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
pixel.ilsemedia.nl [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
stats.ilsemedia.nl [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
stat.onestat.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
stat.onestat.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.metacafe.122.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
affiliates.commissionaccount.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.spylog.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.hotlog.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.list.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.pcstats.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.pcstats.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
www.pcstats.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.chitika.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.ehg-futurepub.hitbox.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
.dmtracker.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x3tc7dbb.default\cookies.txt ]

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#WindowsInstaller
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#InstallLocation

Adware.IEPlugin
HKCR\Remove

Adware.180solutions/Seekmo/Zango
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSC35B.TMP\INSTALL.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSC35B.TMP\RESOURCE.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSJ362.TMP\INSTALL.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSJ362.TMP\RESOURCE.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ZAN358.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ZAN35F.EXE
C:\RECYCLER\S-1-5-21-971453504-2341552671-2624409165-1003\DC11.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1212\A0399492.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1212\A0399493.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1212\A0399494.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1212\A0399495.DLL

Adware.MyWay
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395992.DLL

Trojan.Dropper/Gen
C:\QOOBOX\QUARANTINE\C\WINDOWS\XBQMFSED.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0396017.EXE

Rootkit.RunTime3/WinCtrl32
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0393661.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395661.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395768.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395785.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395828.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395862.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395870.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395896.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395930.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395964.SYS

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395838.DLL

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395839.DLL

Adware.Vundo-Variant/J
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395840.DLL

Adware.E404 Helper/Variant-C
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395850.DLL

[patrick_1]

And here is the fresh DSS log


Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 13:59:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:59, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\hphmon05.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RamRam - {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7297 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 11:30:47 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-14 11:30:35 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-14 11:30:35 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-14 11:30:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 11:19:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 11:19:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 11:19:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-13 01:40:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-06-10 17:47:50 0 d-------- C:\Program Files\AC3Filter
2008-06-10 17:39:20 0 d-------- C:\Program Files\Elecard
2008-06-10 17:39:20 0 d-------- C:\Program Files\Common Files\Elecard
2008-06-10 17:29:56 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-10 17:29:56 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-10 17:29:56 0 d-------- C:\Program Files\Xvid
2008-06-10 17:27:13 0 d-------- C:\Program Files\KC Softwares
2008-06-08 21:36:24 691545 --a------ C:\WINDOWS\unins000.exe
2008-06-08 21:36:24 2547 --a------ C:\WINDOWS\unins000.dat
2008-06-08 04:02:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-08 02:59:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-06-08 01:49:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 01:49:12 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 01:44:06 0 d-------- C:\WINDOWS\resources
2008-06-08 01:31:55 4158 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-08 00:53:27 0 d-------- C:\Program Files\Trend Micro
2008-06-08 00:49:56 68096 --a------ C:\WINDOWS\zip.exe
2008-06-08 00:49:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-08 00:49:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-08 00:49:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-08 00:49:56 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-08 00:49:56 98816 --a------ C:\WINDOWS\sed.exe
2008-06-08 00:49:56 80412 --a------ C:\WINDOWS\grep.exe
2008-06-08 00:49:56 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-07 22:47:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-06-07 03:56:18 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-07 02:01:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-06-07 02:01:25 3350 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-06-07 02:01:25 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\6DB4DC67D0.sys
2008-06-07 01:59:47 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-06-07 01:58:59 0 d-------- C:\Program Files\QuickTime
2008-06-07 01:58:26 0 d-------- C:\Program Files\Apple Software Update
2008-06-07 01:58:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-07 01:56:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-06-07 01:56:03 0 d-------- C:\Program Files\Common Files\Protexis
2008-06-07 01:56:03 0 d-------- C:\Program Files\Common Files\InterVideo
2008-06-07 01:55:37 0 d-------- C:\Program Files\Corel
2008-06-07 01:49:52 0 d-------- C:\Program Files\MagicISO
2008-05-31 17:59:16 0 d-------- C:\Program Files\DVD Decrypter
2008-05-30 15:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 15:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 15:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 15:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 15:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-27 00:19:30 0 d-------- C:\WINDOWS\Replay Media Catcher
2008-05-27 00:19:16 0 d-------- C:\Program Files\Replay Media Catcher
2008-05-22 14:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 14:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 14:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-14 11:30:03 0 d-------- C:\Program Files\Common Files
2008-06-14 11:01:11 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-14 00:47:34 0 d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-06-13 01:05:52 2 --a------ C:\CONFIG.SYS
2008-06-13 00:44:54 0 d-------- C:\Program Files\Updates from HP
2008-06-12 23:27:57 0 d-------- C:\Program Files\Canon
2008-06-12 23:25:44 0 d-------- C:\Program Files\MUSICMATCH
2008-06-12 23:25:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-12 23:24:26 0 d-------- C:\Program Files\Google
2008-06-12 23:23:43 0 d-------- C:\Program Files\Diablo II
2008-06-12 23:22:37 0 d-------- C:\Program Files\Common Files\aolshare
2008-06-12 23:21:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-12 23:18:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-12 23:15:01 0 d-------- C:\Program Files\Common Files\AOL
2008-06-10 17:18:43 0 d-------- C:\Program Files\DivX
2008-06-07 02:19:17 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-22 14:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-16 17:28:40 0 d-------- C:\Program Files\GIMP-2.0
2008-05-07 20:31:53 0 d-------- C:\Program Files\uTorrent
2008-05-03 18:45:28 0 d-------- C:\Program Files\GPLGS
2008-05-03 18:44:04 0 d-------- C:\Program Files\Acro Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd.exe" [06/13/2003 22:53]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [03/12/2003 03:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [05/23/2003 01:55]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [05/23/2003 02:03]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 15:04]
"Logitech Utility"="Logi_MwX.Exe" [03/04/2003 01:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41]
"nwiz"="nwiz.exe" [12/05/2007 01:41 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/16/2002 15:57]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 20:42]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 15:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [06/22/2003 20:25]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 23:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\NoRecentDocsHistory D_WORD]
@=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamRam"= {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 02:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk.disabled
backup=C:\WINDOWS\pss\spamsubtract.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)
"CCALib8"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=3 (0x3)
"Browser"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-06-14 13:59:59 ------------

[eddie5659]

Thats a bit better


Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

eddie

[patrick_1]

I finally got around to running the Panda scan. It's looking better, but still shows a few things. My computer continues to run smooth and stable. I think it may actually be running slight more stable than prior to the main infection. All of these scans have removed some less dangerous but still annoying adware that were hogging my memory.


;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-06-18 22:56:10
PROTECTIONS: 0
MALWARE: 37
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00000431 adware/ist.istbar Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\istsvc
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search bar_bak
00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search page_bak
00020302 adware/ncase Adware No 0 Yes No c:\program files\saap.log
00027660 adware/savenow Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311c-43b4-8499-3d5fec94a183}
00029007 adware/tvmedia Adware No 0 Yes No c:\documents and settings\owner\application data\tvmcwrd.dll
00035328 Application/KillApp.A HackTools No 0 Yes No C:\hp\bin\Terminator.exe
00036016 adware/topmoxie Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
00039204 adware/cws Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\start page_bak
00040067 spyware/shopnav Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}
00040415 adware/wintools Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
00041446 application/myway HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04079851-5845-4DEA-848C-3ECD647AA554}
00041446 application/myway HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}
00041904 adware/sidesearch Adware No 0 Yes No c:\documents and settings\owner\application data\lycos
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}
00064198 adware/mbkwbar Adware No 0 Yes No hkey_local_machine\software\mbkwbar
00064198 adware/mbkwbar Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA5A82FB-D6BE-44F9-9363-B1ABABC153C1}
00096718 adware/twain-tech Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0000607d-d204-42c7-8e46-216055bf9918}
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395944.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
00167450 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-5980c178-7f3b65cf.zip[VerifierBug.class]
00167450 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-10317d84-78ba0e02.zip[VerifierBug.class]
00167451 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-5980c178-7f3b65cf.zip[Dummy.class]
00167451 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-10317d84-78ba0e02.zip[Dummy.class]
00167452 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-5980c178-7f3b65cf.zip[BlackBox.class]
00167452 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-10317d84-78ba0e02.zip[BlackBox.class]
00167453 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-5980c178-7f3b65cf.zip[Beyond.class]
00167453 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-10317d84-78ba0e02.zip[Beyond.class]
00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp
00174002 Dialer.Gen Dialers No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp
00199231 HackTool/EvID HackTools No 0 Yes No C:\RECYCLER\S-1-5-21-971453504-2341552671-2624409165-1003\Dc189.zip[EvID226Patch.exe]
00219288 adware/clickalchemy Adware No 0 Yes No c:\windows\inf\alchem.inf
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Owner\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0396067.EXE
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
02769568 Application/MyWebSearch HackTools No 0 Yes No C:\WINDOWS\s4Setp.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0396029.sys
02936818 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1217\A0401840.exe
02983943 Trj/Clicker.AKM Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395842.dll
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395662.exe
03020910 Bck/BEnergy.M Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\catchme2008-06-08_153915.96.zip[mssrv32.exe]
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395679.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395687.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395756.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395772.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395779.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395824.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F261A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395668.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0395657.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395852.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0394657.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395883.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395832.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395892.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395903.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395908.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395915.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395921.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395926.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395938.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395960.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395971.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395977.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395864.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1201\A0393657.dll
03053125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\snapshot\MFEX-1.DAT
03053126 Rootkit/Rntm.A HackTools No 0  Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Winro33.sys.zip[Winro33.sys]
03074068 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1202\A0395884.dll
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location öé
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description öé
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================

[eddie5659]

Yep, still a little bit left...

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

eddie

[patrick_1]

Here you go.

ComboFix 08-06-20.4 - Owner 2008-06-23 18:05:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.150 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-22 19:49 . 2008-06-22 19:49 6 --a------ C:\WINDOWS\msoffice.ini
2008-06-18 20:22 . 2008-06-18 20:24 <DIR> d-------- C:\Program Files\Panda Security
2008-06-16 23:01 . 2008-06-16 23:01 360,064 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-06-16 20:44 . 2008-06-23 14:03 4,194,330 --a------ C:\WINDOWS\pfirewall.log.old
2008-06-15 16:48 . 2008-06-15 16:48 <DIR> d-------- C:\Program Files\Avery Dennison
2008-06-15 16:48 . 2008-06-15 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avery
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-14 11:19 . 2008-06-22 22:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 11:19 . 2008-06-14 11:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 11:19 . 2008-06-14 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 11:19 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-14 11:19 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 21:28 . 2008-06-13 21:28 <DIR> d-------- C:\Deckard
2008-06-13 01:40 . 2008-06-13 01:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-06-11 00:16 . 2008-06-13 05:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 17:47 . 2008-06-10 17:47 <DIR> d-------- C:\Program Files\AC3Filter
2008-06-10 17:47 . 2007-08-17 23:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-10 17:39 . 2008-06-10 17:39 <DIR> d-------- C:\Program Files\Elecard
2008-06-10 17:39 . 2008-06-10 17:39 <DIR> d-------- C:\Program Files\Common Files\Elecard
2008-06-10 17:29 . 2008-06-10 17:29 <DIR> d-------- C:\Program Files\Xvid
2008-06-10 17:29 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-10 17:29 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-10 17:29 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-08 21:36 . 2008-06-08 21:34 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-08 21:36 . 2008-06-08 21:36 2,547 --a------ C:\WINDOWS\unins000.dat
2008-06-08 01:44 . 2008-06-08 01:44 <DIR> d-------- C:\WINDOWS\resources
2008-06-08 01:31 . 2008-06-08 03:53 4,158 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-08 00:53 . 2008-06-08 00:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 22:47 . 2008-06-07 22:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-06-07 20:15 . 2008-06-07 20:15 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-06-07 03:56 . 2008-06-07 03:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-07 03:55 . 2008-06-20 23:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-07 03:55 . 2008-06-07 03:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-07 02:01 . 2008-06-07 02:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-06-07 02:01 . 2008-06-07 02:05 3,350 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-06-07 02:01 . 2008-06-07 02:01 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\6DB4DC67D0.sys
2008-06-07 01:59 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-06-07 01:58 . 2008-06-07 01:59 <DIR> d-------- C:\Program Files\QuickTime
2008-06-07 01:58 . 2008-06-07 01:58 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-07 01:58 . 2008-06-07 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-06-07 01:55 . 2008-06-07 01:55 <DIR> d-------- C:\Program Files\Corel
2008-06-07 01:49 . 2008-06-07 01:49 <DIR> d-------- C:\Program Files\MagicISO
2008-05-31 17:59 . 2008-05-31 17:59 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-05-27 00:19 . 2008-05-27 00:19 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-05-27 00:19 . 2008-06-22 19:53 <DIR> d-------- C:\Program Files\Replay Media Catcher

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 01:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-23 05:11 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-23 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 04:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Games
2008-06-23 03:59 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-06-23 03:57 --------- d-----w C:\Program Files\EA Games
2008-06-23 03:55 --------- d-----w C:\Program Files\Microsoft Games
2008-06-23 03:50 --------- d-----w C:\Program Files\Common Files\aolshare
2008-06-23 03:50 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-23 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-21 08:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-06-17 07:21 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-06-16 00:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 00:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Juniper Networks
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 08:44 --------- d-----w C:\Program Files\Updates from HP
2008-06-13 07:27 --------- d-----w C:\Program Files\Canon
2008-06-13 07:24 --------- d-----w C:\Program Files\Google
2008-06-13 07:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-11 01:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-11 01:18 --------- d-----w C:\Program Files\DivX
2008-06-07 10:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-17 01:28 --------- d-----w C:\Program Files\GIMP-2.0
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 04:31 --------- d-----w C:\Program Files\uTorrent
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 02:45 --------- d-----w C:\Program Files\GPLGS
2008-05-04 02:44 --------- d-----w C:\Program Files\Acro Software
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2007-12-22 03:56 5,757 ----a-w C:\Program Files\install.log
2007-10-22 11:49 867,848 ----a-w C:\Program Files\NOV2007_d3dx10_36_x64.cab
2007-10-22 11:49 807,132 ----a-w C:\Program Files\NOV2007_d3dx10_36_x86.cab
2007-10-22 11:49 49,392 ----a-w C:\Program Files\NOV2007_X3DAudio_x64.cab
2007-10-22 11:49 44,850 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-10-22 11:49 21,744 ----a-w C:\Program Files\NOV2007_X3DAudio_x86.cab
2007-10-22 11:49 200,010 ----a-w C:\Program Files\NOV2007_XACT_x64.cab
2007-10-22 11:49 151,512 ----a-w C:\Program Files\NOV2007_XACT_x86.cab
2007-10-22 11:49 1,805,306 ----a-w C:\Program Files\NOV2007_d3dx9_36_x64.cab
2007-10-22 11:49 1,712,608 ----a-w C:\Program Files\NOV2007_d3dx9_36_x86.cab
2006-03-18 06:22 8 ----a-w C:\Documents and Settings\Owner\Application Data\usb.dat.bin
2004-12-06 20:58 68,920 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-27 10:06 27 ----a-w C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
2004-11-04 08:45 2,268 ----a-w C:\Program Files\saap.log
2004-02-26 18:37 2,263,791 ---ha-w C:\Program Files\kyf.dat
2004-02-26 10:08 24,816 ---ha-w C:\Program Files\fiz6
2004-02-16 06:56 30,083 ---ha-w C:\Program Files\fiz5
2004-01-31 09:34 30,053 ---ha-w C:\Program Files\fiz4
2004-01-23 02:56 30,079 ---ha-w C:\Program Files\fiz3
2004-01-17 09:18 30,063 ---ha-w C:\Program Files\fiz2
2004-01-14 08:51 30,112 -c-ha-w C:\Program Files\fiz1
2003-05-01 16:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot_2008-06-13_ 0.31.32.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 08:24:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 16:49:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-16 00:48:57 40,960 ----a-r C:\WINDOWS\Installer\{97AE00A8-1336-410F-B467-1C6623127BD6}\ARPPRODUCTICON.exe
+ 2008-06-14 19:30:40 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-06-14 19:30:40 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2000-08-31 16:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 16:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-17 07:21:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2008-06-13 07:28:09 1,549,512 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-16 08:32:46 1,566,920 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2001-08-18 06:36:16 891,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPF940AL.DLL
+ 2001-08-18 06:36:16 1,853,952 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIMG50.DLL
+ 2004-08-04 07:56:42 87,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFUD50.DLL
+ 2001-08-18 06:36:16 32,768 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFUI50.DLL
+ 2004-08-04 07:56:46 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
+ 2004-08-04 07:56:46 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
+ 2004-08-04 07:56:34 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-22 20:25 24576]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-13 22:53 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 03:23 172032]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 01:55 483328]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 02:03 49152]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 01:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57 81920]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-06-18 18:19:08 53248]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 06:11:14 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamRam"= {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 02:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk.disabled
backup=C:\WINDOWS\pss\spamsubtract.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2003-06-18 18:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 06:07 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)
"CCALib8"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=3 (0x3)
"Browser"=2 (0x2)
"CiSvc"=3 (0x3)
"LmHosts"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\EA Games\\MOHAADemo\\MOHAADemo.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\EA Games\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe"=
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
"C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 7.0\\LabVIEW.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:*:Disabled:blizzard downloader
"6112:TCP"= 6112:TCP:*:Disabled:blizzard downloader
"6881:TCP"= 6881:TCP:*:Disabled:blizzard downloader
"6999:TCP"= 6999:TCP:*:Disabled:blizzard dowloader


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 05:46:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 18:08:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-06-23 18:12:12
ComboFix-quarantined-files.txt 2008-06-24 02:11:09
ComboFix2.txt 2008-06-13 08:32:47
ComboFix3.txt 2008-06-08 23:52:23

Pre-Run: 17,498,824,704 bytes free
Post-Run: 17,496,883,200 bytes free

265 --- E O F --- 2008-06-20 06:19:42

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RamRam - {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6858 bytes

[eddie5659]

1. Please open Notepad

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

C:\Program Files\saap.log
C:\Program Files\kyf.dat
C:\Program Files\fiz6
C:\Program Files\fiz5
C:\Program Files\fiz4
C:\Program Files\fiz3
C:\Program Files\fiz2
C:\Program Files\fiz1

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

[patrick_1]

I think we must be getting closer. Just curious, what does that CFScript do?

ComboFix 08-06-20.4 - Owner 2008-06-26 17:36:42.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.256 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-22 19:49 . 2008-06-22 19:49 6 --a------ C:\WINDOWS\msoffice.ini
2008-06-18 20:22 . 2008-06-18 20:24 <DIR> d-------- C:\Program Files\Panda Security
2008-06-16 23:01 . 2008-06-16 23:01 360,064 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-06-16 20:44 . 2008-06-26 06:27 4,194,363 --a------ C:\WINDOWS\pfirewall.log.old
2008-06-15 16:48 . 2008-06-15 16:48 <DIR> d-------- C:\Program Files\Avery Dennison
2008-06-15 16:48 . 2008-06-15 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avery
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-14 11:30 . 2008-06-14 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-14 11:19 . 2008-06-22 22:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 11:19 . 2008-06-14 11:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-14 11:19 . 2008-06-14 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 11:19 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-14 11:19 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 21:28 . 2008-06-13 21:28 <DIR> d-------- C:\Deckard
2008-06-13 01:40 . 2008-06-13 01:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-06-11 00:16 . 2008-06-13 05:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 17:47 . 2008-06-10 17:47 <DIR> d-------- C:\Program Files\AC3Filter
2008-06-10 17:47 . 2007-08-17 23:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-10 17:39 . 2008-06-10 17:39 <DIR> d-------- C:\Program Files\Elecard
2008-06-10 17:39 . 2008-06-10 17:39 <DIR> d-------- C:\Program Files\Common Files\Elecard
2008-06-10 17:29 . 2008-06-10 17:29 <DIR> d-------- C:\Program Files\Xvid
2008-06-10 17:29 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-10 17:29 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-10 17:29 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-08 21:36 . 2008-06-08 21:34 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-08 21:36 . 2008-06-08 21:36 2,547 --a------ C:\WINDOWS\unins000.dat
2008-06-08 01:44 . 2008-06-08 01:44 <DIR> d-------- C:\WINDOWS\resources
2008-06-08 01:31 . 2008-06-08 03:53 4,158 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-08 00:53 . 2008-06-08 00:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 22:47 . 2008-06-07 22:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-06-07 20:15 . 2008-06-07 20:15 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-06-07 03:56 . 2008-06-07 03:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-07 03:55 . 2008-06-25 01:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-07 03:55 . 2008-06-07 03:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-07 02:01 . 2008-06-07 02:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-06-07 02:01 . 2008-06-07 02:05 3,350 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-06-07 02:01 . 2008-06-07 02:01 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\6DB4DC67D0.sys
2008-06-07 01:59 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-06-07 01:58 . 2008-06-07 01:59 <DIR> d-------- C:\Program Files\QuickTime
2008-06-07 01:58 . 2008-06-07 01:58 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-07 01:58 . 2008-06-07 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-06-07 01:56 . 2008-06-07 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-06-07 01:55 . 2008-06-07 01:55 <DIR> d-------- C:\Program Files\Corel
2008-06-07 01:49 . 2008-06-07 01:49 <DIR> d-------- C:\Program Files\MagicISO
2008-05-31 17:59 . 2008-05-31 17:59 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-05-27 00:19 . 2008-05-27 00:19 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-05-27 00:19 . 2008-06-22 19:53 <DIR> d-------- C:\Program Files\Replay Media Catcher

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 16:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-26 08:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-06-24 02:42 --------- d-----w C:\Program Files\Softex
2008-06-24 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 02:26 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-23 05:11 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-23 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 04:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Games
2008-06-23 03:59 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-06-23 03:57 --------- d-----w C:\Program Files\EA Games
2008-06-23 03:55 --------- d-----w C:\Program Files\Microsoft Games
2008-06-23 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-17 07:21 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-06-16 00:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Juniper Networks
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 08:44 --------- d-----w C:\Program Files\Updates from HP
2008-06-13 07:27 --------- d-----w C:\Program Files\Canon
2008-06-13 07:24 --------- d-----w C:\Program Files\Google
2008-06-13 07:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-11 01:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-11 01:18 --------- d-----w C:\Program Files\DivX
2008-06-07 10:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-17 01:28 --------- d-----w C:\Program Files\GIMP-2.0
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 04:31 --------- d-----w C:\Program Files\uTorrent
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 02:45 --------- d-----w C:\Program Files\GPLGS
2008-05-04 02:44 --------- d-----w C:\Program Files\Acro Software
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2007-12-22 03:56 5,757 ----a-w C:\Program Files\install.log
2007-10-22 11:49 867,848 ----a-w C:\Program Files\NOV2007_d3dx10_36_x64.cab
2007-10-22 11:49 807,132 ----a-w C:\Program Files\NOV2007_d3dx10_36_x86.cab
2007-10-22 11:49 49,392 ----a-w C:\Program Files\NOV2007_X3DAudio_x64.cab
2007-10-22 11:49 44,850 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-10-22 11:49 21,744 ----a-w C:\Program Files\NOV2007_X3DAudio_x86.cab
2007-10-22 11:49 200,010 ----a-w C:\Program Files\NOV2007_XACT_x64.cab
2007-10-22 11:49 151,512 ----a-w C:\Program Files\NOV2007_XACT_x86.cab
2007-10-22 11:49 1,805,306 ----a-w C:\Program Files\NOV2007_d3dx9_36_x64.cab
2007-10-22 11:49 1,712,608 ----a-w C:\Program Files\NOV2007_d3dx9_36_x86.cab
2006-03-18 06:22 8 ----a-w C:\Documents and Settings\Owner\Application Data\usb.dat.bin
2004-12-06 20:58 68,920 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-27 10:06 27 ----a-w C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
2004-11-04 08:45 2,268 ----a-w C:\Program Files\saap.log
2004-02-26 18:37 2,263,791 ---ha-w C:\Program Files\kyf.dat
2004-02-26 10:08 24,816 ---ha-w C:\Program Files\fiz6
2004-02-16 06:56 30,083 ---ha-w C:\Program Files\fiz5
2004-01-31 09:34 30,053 ---ha-w C:\Program Files\fiz4
2004-01-23 02:56 30,079 ---ha-w C:\Program Files\fiz3
2004-01-17 09:18 30,063 ---ha-w C:\Program Files\fiz2
2004-01-14 08:51 30,112 -c-ha-w C:\Program Files\fiz1
2003-05-01 16:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot_2008-06-13_ 0.31.32.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 08:24:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 01:32:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-16 00:48:57 40,960 ----a-r C:\WINDOWS\Installer\{97AE00A8-1336-410F-B467-1C6623127BD6}\ARPPRODUCTICON.exe
+ 2008-06-14 19:30:40 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-06-14 19:30:40 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2000-08-31 16:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 16:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-17 07:21:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2008-06-13 07:28:09 1,549,512 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-16 08:32:46 1,566,920 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2001-08-18 06:36:16 891,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPF940AL.DLL
+ 2001-08-18 06:36:16 1,853,952 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIMG50.DLL
+ 2004-08-04 07:56:42 87,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFUD50.DLL
+ 2001-08-18 06:36:16 32,768 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFUI50.DLL
+ 2004-08-04 07:56:46 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
+ 2004-08-04 07:56:46 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
+ 2004-08-04 07:56:34 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-22 20:25 24576]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-13 22:53 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 03:23 172032]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 01:55 483328]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 02:03 49152]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 01:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57 81920]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-06-18 18:19:08 53248]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 06:11:14 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamRam"= {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk.disabled
backup=C:\WINDOWS\pss\spamsubtract.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2003-06-18 18:19 53248 C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 06:07 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)
"CCALib8"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=3 (0x3)
"Browser"=2 (0x2)
"CiSvc"=3 (0x3)
"LmHosts"=2 (0x2)
"mnmsrvc"=3 (0x3)
"AOLService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\EA Games\\MOHAADemo\\MOHAADemo.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\EA Games\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe"=
"C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
"C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 7.0\\LabVIEW.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:*:Disabled:blizzard downloader
"6112:TCP"= 6112:TCP:*:Disabled:blizzard downloader
"6881:TCP"= 6881:TCP:*:Disabled:blizzard downloader
"6999:TCP"= 6999:TCP:*:Disabled:blizzard dowloader

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido\security suite\guard.sys [2004-11-22 06:15]
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-29 21:43]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2002-10-07 09:00]
R2 PSI_SVC_2;Protexis Licensing V2;"C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 20:09]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 05:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 17:40:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-26 17:42:07
ComboFix-quarantined-files.txt 2008-06-27 01:42:03
ComboFix2.txt 2008-06-24 02:12:13
ComboFix3.txt 2008-06-13 08:32:47
ComboFix4.txt 2008-06-08 23:52:23

Pre-Run: 15,187,001,344 bytes free
Post-Run: 15,179,747,328 bytes free

273 --- E O F --- 2008-06-20 06:19:42


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RamRam - {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6510 bytes

[eddie5659]

Using CFScript removes files that are located with ComboFix more easily, as opposed to manually deleting them. Just means that sometimes you can get file names that look very similar to legit ones, so to avoid a mistake, we use CFScript

However, in this case, it didn't work

AVG may be stopping the deleting of files, so we'll disable it. Don't worry, we'll renable it afterwards:

• Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an S in the system tray.
• In the Resident Shield section, toggle the AVG Anti-Spyware active protection off by clicking Change state which will then change the protection status to inactive.
• If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.
• Reply no and set it to inactive for the duration of your cleanup.

Re-open HiJackThis and choose do a system scan only. Check the boxes of all the entries listed below.

O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O21 - SSODL: RamRam - {662a573b-a057-44e7-a5dc-803e419a56e6} - C:\WINDOWS\Resources\RamRam.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete this file using Windows Explorer(if present):

C:\WINDOWS\Resources\RamRam.dll

Reboot to Windows


Post a fresh HJT log

[patrick_1]

When I booted into safe mode the C:\windows\resources\ramram.dll file was already gone. Looks like HJT fix removed the three offending items this time


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:55, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\hphmon05.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6259 bytes

[eddie5659]

Excellent

Lets see if OTMoveiIt will remove those other files:


OTMoveIt2 -

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\Program Files\saap.log
  C:\Program Files\kyf.dat
  C:\Program Files\fiz6
  C:\Program Files\fiz5
  C:\Program Files\fiz4
  C:\Program Files\fiz3
  C:\Program Files\fiz2
  C:\Program Files\fiz1

  
  
• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Alos, can you post a fresh panda scan

Edited by eddie5659, 01 July 2008 - 12:25 PM.