Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please help: "Spyware attack" [CLOSED]


  • This topic is locked This topic is locked

#1
hyshi

hyshi

    Member

  • Member
  • PipPip
  • 56 posts
Dear GeeksToGo staff,

One of our desktops was infected recently. It kept popping up windows saying "Your computer is under spyware attack". The wallpaper changed to blood color. And in the start menu, the "All program" and some botton on the left column disappeared.

First we installed Ad-aware, Ad-watch, and avg_avwt. They stopped those message windows and the wallpaper changed to white. But the "All program" button is still missing.

Then we follow the instruction. The logs are listed below.

We are looking forward to your response.
Thank you so much.

hyshi
===========================================
1) Mbam log
-----------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.17
Database version: 846

3:01:40 PM 6/21/2008
mbam-log-6-21-2008 (15-01-40).txt

Scan type: Quick Scan
Objects scanned: 37265
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 6
Registry Data Items Infected: 14
Folders Infected: 8
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtuuRKd.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yvwygeou.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f81faba4-ff6a-4844-a5a8-df58ab969c0a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f81faba4-ff6a-4844-a5a8-df58ab969c0a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2bdec973-b5ac-4e5b-8ab3-5a0500880da2} (Spyware.Nuklus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2bdec973-b5ac-4e5b-8ab3-5a0500880da2} (Spyware.Nuklus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4860a57e (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2bdec973-b5ac-4e5b-8ab3-5a0500880da2} (Spyware.Nuklus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\Source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtuurkd -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtuurkd -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0011903-00106) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\awtuuRKd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dKRuutwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dKRuutwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yvwygeou.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\uoegywvy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080613190206734.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

====================================================
2)SUPERAntiSpyware log
----------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
Generated 06/21/2008 at 04:52 PM

Application Version : 3.6.1000

Core Rules Database Version : 3487
Trace Rules Database Version: 1478

Scan type : Quick Scan
Total Scan Time : 01:17:24

Memory items scanned : 385
Memory threats detected : 0
Registry items scanned : 760
Registry threats detected : 17
File items scanned : 61871
File threats detected : 2

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FB68C59-C098-415B-8563-837B33DD7D0D}
HKCR\CLSID\{2FB68C59-C098-415B-8563-837B33DD7D0D}
HKCR\CLSID\{2FB68C59-C098-415B-8563-837B33DD7D0D}\InprocServer32
HKCR\CLSID\{2FB68C59-C098-415B-8563-837B33DD7D0D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJAQONG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2FB68C59-C098-415B-8563-837B33DD7D0D}
HKCR\CLSID\{2FB68C59-C098-415B-8563-837B33DD7D0D}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Internet Explorer\Extensions\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}\InprocServer32
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}\InprocServer32#ThreadingModel
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}\ProgID
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}\Programmable
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}\TypeLib
HKCR\CLSID\{8DE0FCD4-5EB5-11D3-AD25-00002100131B}\VersionIndependentProgID
C:\PROGRA~1\JINSHAN\XDICT\IEPLUGIN.DLL
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#userinit [ C:\WINDOWS\system32\ntos.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#userinit [ C:\WINDOWS\system32\ntos.exe ]

====================================================
3) ActiveScan log
---------------------------------------------------------------------------------------------
;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-06-21 21:29:43
PROTECTIONS: 2
MALWARE: 23
SUSPECTS: 1
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Trend Micro OfficeScan Antivirus 8.0 No No
AVG Anti-Virus 8.0 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0878B424-1F95-4e26-B5AB-F0D349D89650}
00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
00029434 spyware/virtumonde Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
00045952 spyware/media-motor Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}
00063665 adware/pacimedia Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EC51659D-721F-4CBF-9CEA-5E776D89CEA9}
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\gif02grf.slt\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\gif02grf.slt\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\VundoFix\VundoFix\process.exe
00139535 Application/Processor HackTools No 0 Yes No G:\Download\smitRem.exe[smitRem/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\smitRem\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\VundoFix.exe[process.exe]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\gif02grf.slt\cookies.txt[.mediaplex.com/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.revenue.net/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.revenue.net/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[ad.yieldmanager.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.bs.serving-sys.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\gif02grf.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\gif02grf.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\gif02grf.slt\cookies.txt[.advertising.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.realmedia.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.adrevolver.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[searchportal.information.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.target.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No F:\EMAIL\NETSCAPE\YUE\9N34BTI7.SLT\COOKIES.TXT[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\Default User\gif02grf.slt\cookies.txt[.atwola.com/]
00275743 Trj/Downloader.ITV Virus/Trojan No 1 Yes No C:\.quarantine\r64loader.dll
00347108 Trj/1Table.C Virus/Trojan No 0 Yes No C:\.quarantine\六四活动.doc
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location r+
;===============================================================================
=================================================================================
===================
No C:\WINDOWS\SYSTEM32\QNOUSRPM.DLL r+
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description r+
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================

========================================================
4) HijackThis log
----------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:41 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\EHA475.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {045FC5CE-A173-411B-8C34-858B65238232} - C:\WINDOWS\system32\pmnmjGyA.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: rtsplgob - {35AC2E7A-937A-4F78-819C-47D26A812FE1} - C:\WINDOWS\rtsplgob.dll (file missing)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\JinShan\XDict\IEPlugin.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {0E0D50BC-E086-4E3A-B07D-C5C5869C0FFF} (Abx Control) - http://real.gamehous...ureball/abx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://real.gamehous...s/r64loader.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://www.xintv.com...oad/ietimer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098329103156
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/...e/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://comcast.obero...mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://real.gamehous...inematycoon.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: mlJAqoNg - mlJAqoNg.dll (file missing)
O21 - SSODL: xkefqtgs - {A59E6A85-4E85-40D4-873B-9A1398651723} - C:\WINDOWS\xkefqtgs.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 10275 bytes
  • 0

Advertisements


#2
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello hyshi and Welcome to Geeks to Go!

Sorry for the delay.
We've been quite busy this week.

After checking your log, I found signs of malware on your system.
Please stick with me until I give you the all clear. :)

Please read this post completely before proceeding with the fix. If you have questions, don't hesitate to ask.

Let's start.

First,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next,

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Logs required on next post.
-MBAM log
-Vundofix log
-New HijackThis log
  • 0

#3
hyshi

hyshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Hello koko crunch,

Thank you for the help. I'm so late because of the vacation.
Here are the logs.

1) MBAM log===================================




Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

11:50:46 PM 7/9/2008
mbam-log-7-9-2008 (23-50-46).txt

Scan type: Quick Scan
Objects scanned: 56912
Time elapsed: 14 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.bogs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_windev-7d32-b5e (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\documents and settings\all users\application data\adsl software limited\winspywareprotect\winspywareprotect.exe (Rogue.WinSpywareProtect) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\awtuuRKd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dKRuutwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dKRuutwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

2) Vundofix log========================================
The result is "No file is infected with vundo"

3) HijackThis log=======================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:39 AM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\TEMP\CN23C2.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {045FC5CE-A173-411B-8C34-858B65238232} - C:\WINDOWS\system32\pmnmjGyA.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: rtsplgob - {35AC2E7A-937A-4F78-819C-47D26A812FE1} - C:\WINDOWS\rtsplgob.dll (file missing)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\JinShan\XDict\IEPlugin.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {0E0D50BC-E086-4E3A-B07D-C5C5869C0FFF} (Abx Control) - http://real.gamehous...ureball/abx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://real.gamehous...s/r64loader.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://www.xintv.com...oad/ietimer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098329103156
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/...e/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://comcast.obero...mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://real.gamehous...inematycoon.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: mlJAqoNg - mlJAqoNg.dll (file missing)
O21 - SSODL: xkefqtgs - {A59E6A85-4E85-40D4-873B-9A1398651723} - C:\WINDOWS\xkefqtgs.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 10078 bytes
  • 0

#4
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
You have multiple Antivirus Installed. Having more than one resident anti-virus can cause conflicts resulting to hang ups and poor perfomance. Are you still able to update Officescan? If yes, then I suggest you removing AVG instead.

Next,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {045FC5CE-A173-411B-8C34-858B65238232} - C:\WINDOWS\system32\pmnmjGyA.dll (file missing)
O3 - Toolbar: rtsplgob - {35AC2E7A-937A-4F78-819C-47D26A812FE1} - C:\WINDOWS\rtsplgob.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\JinShan\XDict\IEPlugin.dll (file missing)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://www.xintv.com...oad/ietimer.cab
O20 - Winlogon Notify: mlJAqoNg - mlJAqoNg.dll (file missing)
O21 - SSODL: xkefqtgs - {A59E6A85-4E85-40D4-873B-9A1398651723} - C:\WINDOWS\xkefqtgs.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.
Close HiJackThis.

Then,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\pmnmjGyA.dll
    C:\WINDOWS\rtsplgob.dll
    c:\windows\system32\drivers\uzcx.exe
    C:\PROGRA~1\JinShan\XDict\IEPlugin.dll
    C:\WINDOWS\xkefqtgs.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Finally,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Logs required on next post.
- OTMoveIt log
- Sdfix log
- New Hijackthis log
  • 0

#5
hyshi

hyshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Hello koko crunch,

I have removed AVG, and I don't have Office scan.
Here are the latest logs.

1) OTMoveIt log ======================================
File/Folder C:\WINDOWS\system32\pmnmjGyA.dll not found.
File/Folder C:\WINDOWS\rtsplgob.dll not found.
File/Folder c:\windows\system32\drivers\uzcx.exe not found.
File/Folder C:\PROGRA~1\JinShan\XDict\IEPlugin.dll not found.
File/Folder C:\WINDOWS\xkefqtgs.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07122008_130129

2) Sdfix log =========================================

SDFix: Version 1.204
Run by Owner on 07/12/2008 Sat at 01:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
wincom32

Path :
\??\C:\WINDOWS\system32\wincom32.sys

wincom32 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\LSPRST7.DLL - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 13:44:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\h黓
"禊T\x20ac???"=dword:00000001
"禊9eQ???"=dword:00000001
"\20?nO:y??"=dword:00000001
"\26Y\1xO:y?"=dword:00000001
"]zz<h?"=dword:00000000
"IQ\ah朑??"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\厅]
"禊T\x20ac???"=dword:00000001
"禊9eQ???"=dword:00000001
"\20?nO:y??"=dword:00000001
"\26Y\1xO:y?"=dword:00000001
"]zz<h?"=dword:00000000
"IQ\ah朑??"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Disabled:RealOne Player"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Netscape7\\Netscape\\Netscp.exe"="C:\\Program Files\\Netscape7\\Netscape\\Netscp.exe:*:Enabled:Netscape"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Documents and Settings\\Owner\\Desktop\\rsgxbrG_Pinch.exe"="C:\\Documents and Settings\\Owner\\Desktop\\rsgxbrG_Pinch.exe:*:Enabled:Enabled"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 12 Aug 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
Thu 12 Aug 2004 0 ..SHR --- "C:\WINDOWS\SMINST\NPC.sys"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\aeioan2.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\byg64gb.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\c95g510.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\ccqosgp.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\cl3e5fu.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\ed8dddb.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\enjz89v.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\fhjb50e.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\i9xb7gg.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\kjuz600.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\lfx27pw.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\ot0py5x.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\q19icoq.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\wez5y9g.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINDOWS\system32\yeqidgy.dll"
Wed 15 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT24.tmp"
Wed 30 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\734c918b43359bcdbde50b62df605e5f\BIT4F.tmp"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c57cd590c1f8d8f8f70d62332e13288c\BIT27.tmp"

Finished!

3) Hijackthis log =========================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:11 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\IXF7DD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E0D50BC-E086-4E3A-B07D-C5C5869C0FFF} (Abx Control) - http://real.gamehous...ureball/abx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://real.gamehous...s/r64loader.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098329103156
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/...e/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://comcast.obero...mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://real.gamehous...inematycoon.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 8432 bytes


==================================================
Thans a lot.

hyshi
  • 0

#6
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
It got some of the bad files.
Let's run another tool for diagnostic.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt

    Please attach main.txt and extra.txt on your next reply.

  • 0

#7
hyshi

hyshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Hi, we've finished this round of scan. Here are the files.

Thanks for checking it. Really appreciate your help.

Don't worry about the delay. We are late too.

1) main.txt ------------------------------------------------------------




Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-17 18:30:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-07-17 22:30:57 UTC - RP1346 - Deckard's System Scanner Restore Point
41: 2008-07-17 22:06:36 UTC - RP1345 - Software Distribution Service 3.0
40: 2008-07-17 04:37:51 UTC - RP1344 - System Checkpoint
39: 2008-07-16 03:50:57 UTC - RP1343 - System Checkpoint
38: 2008-07-15 03:37:45 UTC - RP1342 - System Checkpoint


-- First Restore Point --
1: 2008-06-15 20:57:33 UTC - RP1305 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:36 PM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\ORD29A.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E0D50BC-E086-4E3A-B07D-C5C5869C0FFF} (Abx Control) - http://real.gamehous...ureball/abx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://real.gamehous...s/r64loader.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098329103156
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/...e/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://comcast.obero...mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://real.gamehous...inematycoon.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 8750 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080712-125518-582 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
backup-20080712-125518-698 O2 - BHO: (no name) - {045FC5CE-A173-411B-8C34-858B65238232} - C:\WINDOWS\system32\pmnmjGyA.dll (file missing)
backup-20080712-125518-729 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080712-125518-802 O3 - Toolbar: rtsplgob - {35AC2E7A-937A-4F78-819C-47D26A812FE1} - C:\WINDOWS\rtsplgob.dll (file missing)
backup-20080712-125518-915 O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
backup-20080712-125519-341 O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://www.xintv.com...oad/ietimer.cab
backup-20080712-125519-502 O21 - SSODL: xkefqtgs - {A59E6A85-4E85-40D4-873B-9A1398651723} - C:\WINDOWS\xkefqtgs.dll (file missing)
backup-20080712-125519-633 O20 - Winlogon Notify: mlJAqoNg - mlJAqoNg.dll (file missing)
backup-20080712-125519-819 O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\JinShan\XDict\IEPlugin.dll (file missing)
backup-20080712-125519-836 O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
backup-20080712-125520-463 O24 - Desktop Component 0: Privacy Protection - (no file)

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ewido security suite driver - c:\program files\spywarekiller\ewido\security suite\guard.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S2 windev-7d32-b5e - c:\windows\system32\windev-7d32-b5e.sys (file missing)
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S4 ewido security suite guard - c:\program files\spywarekiller\ewido\security suite\ewidoguard.exe <Not Verified; ewido networks; guard>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-17 18:06:46 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-07-12 19:29:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2004-08-12 17:09:13 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-12 19:38:01 0 d-------- C:\Program Files\iTunes
2008-07-12 19:35:50 0 d-------- C:\Program Files\QuickTime
2008-07-12 13:13:39 0 d-------- C:\WINDOWS\ERUNT
2008-07-12 12:31:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-10 00:11:44 0 d-------- C:\VundoFix Backups
2008-06-21 15:27:21 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-21 15:26:50 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-21 15:26:50 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-21 14:21:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 14:21:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 14:21:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 14:20:51 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 10:47:29 91904 -----n--- C:\WINDOWS\system32\yvwygeou.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-12 19:38:15 0 d-------- C:\Program Files\iPod
2008-06-22 12:12:59 0 d-------- C:\Program Files\Trend Micro
2008-06-21 15:25:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 14:20:51 0 d-------- C:\Program Files\Common Files
2008-06-14 22:57:48 0 d-------- C:\Program Files\Panda Security
2008-06-14 21:35:24 237537 --ahs---- C:\WINDOWS\system32\AyGjmnmp.ini2
2008-06-14 13:54:01 0 d-------- C:\Program Files\spywarekiller
2008-06-14 13:53:59 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-14 13:49:49 0 d-------- C:\Program Files\Lavasoft
2008-06-14 13:23:18 0 d-------- C:\Program Files\AVG
2008-06-13 01:04:22 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-27 09:53:49 348160 --a------ C:\WINDOWS\system32\msvcr71.dll <Not Verified; Microsoft Corporation; Microsoft? Visual Studio .NET>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 04:51 PM]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [08/21/2003 06:15 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 01:43 PM]
"VTTimer"="VTTimer.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [03/04/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/16/2002 06:57 PM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:31 AM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/29/2002 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/29/2002 05:00 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 04:55 PM]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [05/12/2008 01:48 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/27/2008 09:53 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2008 05:24 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PopSubtract.lnk - C:\Program Files\InterMute\PopSubtract\PopSub.exe [8/15/2004 6:18:52 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= C:\Program Files\interMute\SpySubtract\sshook.dll [08/21/2004 09:20 AM 73728]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/21/2008 05:24 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/21/2008 05:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVC]
C:\Program Files\UVC calendar\UVC.exe -bootstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d0c3ae4-06ab-11dd-9163-0011091aa80e}]
AutoRun\command- G:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-17 18:34:05 ------------


2) extra.txt -------------------------------------------------------------------------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 78%
Physical Memory (total/avail): 247.48 MiB / 54.38 MiB
Pagefile Memory (total/avail): 606.35 MiB / 171.91 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.99 MiB

C: is Fixed (NTFS) - 19.53 GiB total, 5.93 GiB free.
D: is Fixed (FAT32) - 4.85 GiB total, 1.18 GiB free.
E: is CDROM (No Media)
F: is Fixed (FAT32) - 50.12 GiB total, 14.17 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD800BB-22FJA1 - 74.53 GiB - 3 partitions
\PARTITION0 - Unknown - 4.86 GiB - D:
\PARTITION1 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 50.14 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Trend Micro Personal Firewall v3.32 (Trend Micro Inc.) Disabled
AV: Trend Micro OfficeScan Antivirus v8.0 (TrendAntiVirus)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Disabled:RealOne Player"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Netscape7\\Netscape\\Netscp.exe"="C:\\Program Files\\Netscape7\\Netscape\\Netscp.exe:*:Enabled:Netscape"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Documents and Settings\\Owner\\Desktop\\rsgxbrG_Pinch.exe"="C:\\Documents and Settings\\Owner\\Desktop\\rsgxbrG_Pinch.exe:*:Enabled:Enabled"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOMEHP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\HOMEHP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SYSAPPTOP=C:\Program Files\SYSTAT 12\
SystemDrive=C:
SystemRoot=C:\WINDOWS
SYSUSERTOP=C:\Documents and Settings\Owner\SYSTAT_12
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=HOMEHP
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Reader Chinese Simplified Fonts --> MsiExec.exe /I{AC76BA86-7AD7-2447-5A64-7E8A45000001}
Agere Systems PCI Soft Modem --> agrsmdel
Analyse-it for Microsoft Excel --> C:\Program Files\Analyse-it\system\setup.exe /u
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AT&T CallVantage Assistant --> C:\WINDOWS\CVBackup\CVUninstaller.exe
BitComet 0.57 --> C:\Program Files\BitComet\uninst.exe
Blackhawk Striker from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E28167F1-3F42-40C7-9119-1D5A97444F10\Uninstall.exe"
Blasterball 2 from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8C4E79CC-03E1-43AA-9910-9A5113F24603\Uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Bounce Symphony from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Cluster 3.0 --> "F:\Cluster\unins000.exe"
Crystal Maze from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292\Uninstall.exe"
ewido security suite --> C:\Program Files\spywarekiller\ewido\security suite\Uninstall.exe
ffdshow [rev 1900] [2008-03-15] --> "C:\Program Files\ffdshow\unins000.exe"
Five Card Frenzy from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DA44615A-C243-46A4-8E47-184CFF33CD38\Uninstall.exe"
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
GraphPad Prism 4 Demo --> "C:\Program Files\GraphPad\Prism 4\unins002.exe"
GraphPad Prism 5 (Trial) --> "C:\Program Files\GraphPad\Prism 5\Uninst_Prism 5 (Trial).exe" /U "C:\Program Files\GraphPad\Prism 5\Uninst_Prism 5 (Trial).log"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HouseCall (for Netscape) --> C:\WINDOWS\uninstoc.exe -f"C:\Program Files\Netscape4\Communicator\Program\Plugins\DeIsL1.isu"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 3.5 --> C:\Program Files\HP\Digital Imaging\{C6C44651-7C66-4b11-92E8-17565D3D22DD}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
HPIZ350 --> MsiExec.exe /X{F247869D-3643-4A9F-821B-3534145928E3}
í?à-?ú --> C:\PROGRA~1\game\4CF0~1\UNWISE.EXE C:\PROGRA~1\game\4CF0~1\INSTALL.LOG
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iPod for Windows 2005-11-17 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8338BA06-E527-491B-9400-F51708FEE695} /l1033
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java Web Start --> "C:\Program Files\Java\j2re1.4.2_03\javaws\uninst-javaws.exe"
KBD --> C:\HP\KBD\KBD.EXE uninstalled
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Reader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F7DBE7-2FE2-458F-A738-B10832746036}\Setup.exe" -L0x9
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (1.0.7) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0.7 (en-US)"
Nero - Burning Rom (Web installer) --> C:\WINDOWS\UNNERO.exe /UNINSTALL
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Netscape Communicator 4.79 --> C:\WINDOWS\cd32.exe 4.79 (en)
NJStar Communicator --> "C:\Program Files\NJStar Communicator\Remove.exe" /U:"C:\Program Files\NJStar Communicator\Remove.log"
Orbital from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\62067F4C-84A9-45B9-8573-B90468B0A3EF\Uninstall.exe"
Otto from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\BFBCBAE3-8293-4215-9C4F-C2402C118EDB\Uninstall.exe"
Overball from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6723E59E-322A-417A-8E03-27A61E18253C\Uninstall.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Polar Bowler from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\36317AE4-57EC-4F3E-B828-009A3DD96BE8\Uninstall.exe"
PopSubtract --> "C:\Program Files\InterMute\PopSubtract\PopSub.exe" C:\PROGRA~1\INTERM~1\POPSUB~1\STYLES~1\UNWISE.EXE /A C:\PROGRA~1\INTERM~1\POPSUB~1\STYLES~1\INSTALL.LOG
PowerQuest PartitionMagic Pro 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E39C74DF-58FD-4E52-9888-2CC59DFB0B34}\Setup.exe"
PowerWord 2002 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C87827F-75BE-4D5C-AF7B-88D48D9BFFD7}\setup.exe"
Print Server --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\D-Link\Print Server\Uninst.isu"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SereneScreen Marine Aquarium Time --> "C:\Program Files\SereneScreen Marine Aquarium Time\unins000.exe"
Slyder from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A\Uninstall.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpamSubtract --> C:\Program Files\InterMute\SpamSubtract\SSuinst.exe
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SYSTAT 12 --> MsiExec.exe /I{4EB092F5-185E-4FE6-8ED7-23F61C17D76C}
SYSTAT 12 Manuals --> MsiExec.exe /I{D683E370-3B68-4BE0-8C29-1326F2EABCCC}
Toolkit View(HP) --> c:\Windows\HPTK\unhptkit.exe
Tradewinds from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F5215F01-DFC0-475D-A910-6F1AF94E807E\Uninstall.exe"
Trend Micro OfficeScan Client --> "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Vim 6.3 (self-installing) --> F:\Vim\vim63\uninstall-gui.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Word Symphony from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B8610D19-E576-4F91-8A2F-07898D9CA301\Uninstall.exe"
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui


-- Application Event Log -------------------------------------------------------

Event Record #/Type15282 / Error
Event Submitted/Written: 07/17/2008 06:06:41 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type15278 / Error
Event Submitted/Written: 07/17/2008 05:45:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ps2.exe, version 1.0.2.1, faulting module ps2.exe, version 1.0.2.1, fault address 0x00003383.
Processing media-specific event for [ps2.exe!ws!]

Event Record #/Type15271 / Warning
Event Submitted/Written: 07/16/2008 00:30:49 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type15262 / Error
Event Submitted/Written: 07/14/2008 09:03:15 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ps2.exe, version 1.0.2.1, faulting module ps2.exe, version 1.0.2.1, fault address 0x00003383.
Processing media-specific event for [ps2.exe!ws!]

Event Record #/Type15259 / Warning
Event Submitted/Written: 07/14/2008 01:25:43 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type58345 / Error
Event Submitted/Written: 07/17/2008 05:45:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The windev-7d32-b5e service failed to start due to the following error:
%%2

Event Record #/Type58321 / Error
Event Submitted/Written: 07/16/2008 08:33:20 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The windev-7d32-b5e service failed to start due to the following error:
%%2

Event Record #/Type58296 / Error
Event Submitted/Written: 07/15/2008 07:18:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The windev-7d32-b5e service failed to start due to the following error:
%%2

Event Record #/Type58270 / Error
Event Submitted/Written: 07/14/2008 09:03:47 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The windev-7d32-b5e service failed to start due to the following error:
%%2

Event Record #/Type58243 / Error
Event Submitted/Written: 07/13/2008 01:18:36 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The windev-7d32-b5e service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-17 18:34:05 ------------
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Koko is away


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O24 - Desktop Component 0: Privacy Protection - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\yvwygeou.dll
    C:\WINDOWS\system32\AyGjmnmp.ini2
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d0c3ae4-06ab-11dd-9163-0011091aa80e}
    G:\LaunchU3.exe
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new DSS log
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post the logs
  • 0

Advertisements


#11
hyshi

hyshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Thank you for checking the logs. Here they are.

1) OTMoveItLog---------------------------------------------




Explorer killed successfully
LoadLibrary failed for C:\WINDOWS\system32\yvwygeou.dll
C:\WINDOWS\system32\yvwygeou.dll NOT unregistered.
C:\WINDOWS\system32\yvwygeou.dll moved successfully.
C:\WINDOWS\system32\AyGjmnmp.ini2 moved successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d0c3ae4-06ab-11dd-9163-0011091aa80e} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d0c3ae4-06ab-11dd-9163-0011091aa80e}\\ deleted successfully.
File/Folder G:\LaunchU3.exe not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\ mon007.log scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WIFDE2.EXE scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08022008_134743

Files moved on Reboot...
C:\DOCUME~1\Owner\LOCALS~1\Temp\ mon007.log moved successfully.
File C:\WINDOWS\temp\WIFDE2.EXE not found!

2) Kaspersky log --------------------------------------------------




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 02, 2008 9:05:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/08/2008
Kaspersky Anti-Virus database records: 1044982
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 122300
Number of viruses found: 6
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 02:00:26

Infected Object Name / Virus Name / Last Action
C:\.quarantine\六四活动.doc Infected: Trojan-Dropper.MSWord.1Table.ea skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02112007-105802.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-8-2-2008( 14-10-47 ).LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5577.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UDO1WLQZ\AV2009Install_880488[1].exe Infected: not-a-virus:FraudTool.Win32.Antivirus2009.j skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP1360\change.log Object is locked skipped
C:\VIRUS\goo[1].htm Infected: Trojan-Downloader.VBS.Psyme.qh skipped
C:\VIRUS\kkk[1].htm Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V10 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V11 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V12 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V13 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V14 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V15 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V16 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V17 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V18 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V19 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V20 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V21 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].V22 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI0 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI1 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI2 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI3 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI4 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI5 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI6 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI7 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI8 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VI9 Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\VIRUS\kkk[1].VIR Infected: Trojan-Downloader.VBS.Psyme.qi skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\KB904117.VIR Infected: Trojan-Spy.Win32.BZub.bkm skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

2) dss log -------------------------------------------------------




Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-02 21:07:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:57 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\KGD111.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E0D50BC-E086-4E3A-B07D-C5C5869C0FFF} (Abx Control) - http://real.gamehous...ureball/abx.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://real.gamehous...s/r64loader.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098329103156
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/...e/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://comcast.obero...mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://real.gamehous...inematycoon.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9926 bytes

-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 14:34:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-02 14:34:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-02 14:34:50 0 d-------- C:\WINDOWS\LastGood
2008-07-25 19:55:23 0 d-------- C:\WINDOWS\system32\log
2008-07-19 22:14:03 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2008-07-19 22:07:01 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-19 22:06:59 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-19 22:01:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-07-19 22:01:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-19 22:00:26 0 d-------- C:\Program Files\Skype
2008-07-19 22:00:25 0 d-------- C:\Program Files\Common Files\Skype
2008-07-19 22:00:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-12 19:38:01 0 d-------- C:\Program Files\iTunes
2008-07-12 19:35:50 0 d-------- C:\Program Files\QuickTime
2008-07-12 13:13:39 0 d-------- C:\WINDOWS\ERUNT
2008-07-12 12:31:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-10 00:11:44 0 d-------- C:\VundoFix Backups


-- Find3M Report ---------------------------------------------------------------

2008-07-19 22:01:01 0 d-------- C:\Program Files\Google
2008-07-19 22:00:25 0 d-------- C:\Program Files\Common Files
2008-07-12 19:38:15 0 d-------- C:\Program Files\iPod
2008-07-09 23:21:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-22 12:12:59 0 d-------- C:\Program Files\Trend Micro
2008-06-21 17:24:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-21 15:26:50 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-21 15:25:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 14:21:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-21 14:20:51 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-14 22:57:48 0 d-------- C:\Program Files\Panda Security
2008-06-14 13:54:01 0 d-------- C:\Program Files\spywarekiller
2008-06-14 13:53:59 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-06-14 13:49:49 0 d-------- C:\Program Files\Lavasoft
2008-06-14 13:23:18 0 d-------- C:\Program Files\AVG
2008-06-13 01:04:22 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 04:51 PM]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [08/21/2003 06:15 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 01:43 PM]
"VTTimer"="VTTimer.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [03/04/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/16/2002 06:57 PM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:31 AM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/29/2002 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/29/2002 05:00 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 04:55 PM]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/16/2008 10:27 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/27/2008 09:53 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2008 05:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/28/2008 11:35 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PopSubtract.lnk - C:\Program Files\InterMute\PopSubtract\PopSub.exe [8/15/2004 6:18:52 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= C:\Program Files\interMute\SpySubtract\sshook.dll [08/21/2004 09:20 AM 73728]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/21/2008 05:24 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/21/2008 05:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVC]
C:\Program Files\UVC calendar\UVC.exe -bootstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ed86e6e-03f1-11dd-915e-0011091aa80e}]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-08-02 21:08:27 ------------
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UDO1WLQZ\AV2009Install_880488[1].exe
    C:\Program Files\Common Files\Real\Toolbar\RealBar.dll 
    C:\VIRUS
    C:\WINDOWS\KB904117.VIR
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ed86e6e-03f1-11dd-915e-0011091aa80e}
    H:\LaunchU3.exe 
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Reboot and post a new HijackThis log
  • 0

#13
hyshi

hyshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Hi Rorschach112,

We did those scans. Here are the logs from them. j
Thank you.

hyshi

1) OTMoveItLog ======================================




Explorer killed successfully
< C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UDO1WLQZ\AV2009Install_880488[1].exe >
File/Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UDO1WLQZ\AV2009Install_880488[1].exe not found.
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll unregistered successfully.
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll moved successfully.
C:\VIRUS moved successfully.
C:\WINDOWS\KB904117.VIR moved successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ed86e6e-03f1-11dd-915e-0011091aa80e} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ed86e6e-03f1-11dd-915e-0011091aa80e}\\ deleted successfully.
File/Folder H:\LaunchU3.exe not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF7681.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZH9736.EXE scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08052008_173035

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF7681.tmp not found!
File C:\WINDOWS\temp\ZH9736.EXE not found!

2) MBAM log =====================================




Malwarebytes' Anti-Malware 1.24
Database version: 1028
Windows 5.1.2600 Service Pack 2

6:11:30 PM 8/5/2008
mbam-log-8-5-2008 (18-11-30).txt

Scan type: Quick Scan
Objects scanned: 39861
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_windev-7d32-b5e (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4b5396e2.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM4b5396e2.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

3) Hijackthis log ==================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:16 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\YBE721.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: EVoIpSessionCookie Class - {424B6AD1-785D-43e7-9C9B-AB96E77477D0} - C:\Program Files\attcv\Programs\EVoIPAxCtrls.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E0D50BC-E086-4E3A-B07D-C5C5869C0FFF} (Abx Control) - http://real.gamehous...ureball/abx.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://real.gamehous...s/r64loader.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098329103156
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/...e/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://comcast.obero...mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://real.gamehous...inematycoon.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spywarekiller\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9840 bytes
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
One more scan

Please download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Upload that file here. If the forum doesn't let you upload it then please zip the .run file by right clicking and selecting send to Zip file

Then upload that as an attachment in your next post (you may have to zip the .run file to upload it here).
  • 0

#15
hyshi

hyshi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Hi,

Here is the run file. Below is the log file, in case you need it.
Thank you.

============================================
Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

000 General info
----------------
Computer name : HOMEHP
Creation time : 8/6/2008 6:49:06 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.6.3.0
User Language : Chinese (PRC)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* c:\program files\lavasoft\ad-aware\aawservice.exe (Lavasoft)
* c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple Inc.)
* c:\windows\system32\alg.exe (Microsoft Corporation)
c:\program files\bonjour\mdnsresponder.exe (Apple Inc.)
* c:\windows\system32\csrss.exe (Microsoft Corporation)
* c:\windows\system32\ctfmon.exe (Microsoft Corporation)
c:\program files\spywarekiller\ewido\security suite\ewidoctrl.exe (ewido networks)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)
* c:\windows\system32\hkcmd.exe (Intel Corporation)
c:\windows\system32\hphmon05.exe (Hewlett-Packard)
c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
* c:\windows\system32\igfxtray.exe (Intel Corporation)
* c:\program files\internet explorer\iexplore.exe (Microsoft Corporation)
* c:\windows\system32\lsass.exe (Microsoft Corporation)
* c:\program files\trend micro\officescan client\tmpfw.exe (Trend Micro Inc.)
* c:\windows\temp\pmc5f6.exe (Trend Micro Inc.)
c:\program files\intermute\popsubtract\popsub.exe (interMute, Inc.)
* c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
* c:\documents and settings\owner\local settings\temp\wz19c\runscanner.exe (Runscanner.net)
* c:\program files\windows defender\msmpeng.exe (Microsoft Corporation)
* c:\windows\system32\services.exe (Microsoft Corporation)
* c:\windows\agrsmmsg.exe (Agere Systems)
* c:\windows\system32\spoolsv.exe (Microsoft Corporation)
c:\program files\superantispyware\superantispyware.exe (SUPERAntiSpyware.com)
* c:\program files\trend micro\officescan client\tmlisten.exe (Trend Micro Inc.)
* c:\program files\trend micro\officescan client\ntrtscan.exe (Trend Micro Inc.)
* c:\program files\trend micro\officescan client\cntaosmgr.exe (Trend Micro Inc.)
* c:\program files\trend micro\officescan client\pccntmon.exe (Trend Micro Inc.)
c:\program files\viewpoint\common\viewpointservice.exe (Viewpoint Corporation)
* c:\program files\viewpoint\viewpoint manager\viewmgr.exe (Viewpoint Corporation)
* c:\windows\explorer.exe (Microsoft Corporation)
* c:\windows\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\system32\smss.exe (Microsoft Corporation)
* c:\windows\system32\wdfmgr.exe (Microsoft Corporation)
c:\progra~1\winzip\winzip32.exe (WinZip Computing LP)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\common files\apple\mobile device support\bin\applesyncnotifier.exe (Apple Inc.)
c:\windows\system32\hphmon05.exe (Hewlett-Packard)
c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
* c:\program files\itunes\ituneshelper.exe (Apple Inc.)
c:\windows\system32\nerocheck.exe (Ahead Software Gmbh)
c:\program files\quicktime\qttask.exe (Apple Inc.)
c:\windows\sminst\recguard.exe
* c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
- vttimer.exe

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\superantispyware\superantispyware.exe (SUPERAntiSpyware.com)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
c:\progra~1\interm~1\popsub~1\popsub.exe (interMute, Inc.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple Mobile Device)
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
c:\program files\bonjour\mdnsresponder.exe (Bonjour Service)
c:\program files\spywarekiller\ewido\security suite\ewidoctrl.exe (ewido security suite control)
c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager)
* c:\program files\ipod\bin\ipodservice.exe (iPod Service)
* c:\program files\lavasoft\ad-aware\aawservice.exe (Lavasoft Ad-Aware Service)
c:\program files\viewpoint\common\viewpointservice.exe (Viewpoint Manager Service)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* c:\windows\system32\drivers\afs2k.sys (AFS2k)
- c:\docume~1\owner\locals~1\temp\catchme.sys (catchme)
- c:\windows\system32\drivers\changer.sys (Changer)
c:\program files\spywarekiller\ewido\security suite\guard.sys (ewido security suite driver)
* C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEAR CDRom Filter)
- c:\windows\system32\drivers\i2omgmt.sys (i2omgmt)
- c:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc)
- c:\windows\system32\drivers\pcidump.sys (PCIDump)
- c:\windows\system32\drivers\pdcomp.sys (PDCOMP)
- c:\windows\system32\drivers\pdframe.sys (PDFRAME)
- c:\windows\system32\drivers\pdreli.sys (PDRELI)
- c:\windows\system32\drivers\pdrframe.sys (PDRFRAME)
c:\windows\system32\drivers\pqntdrv.sys (PQNTDrv)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
c:\program files\superantispyware\sasdifsv.sys (SASDIFSV)
c:\program files\superantispyware\sasenum.sys (SASENUM)
c:\program files\superantispyware\saskutil.sys (SASKUTIL)
- c:\windows\system32\drivers\wdica.sys (WDICA)
- c:\windows\system32\windev-7d32-b5e.sys (windev-7d32-b5e)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program files\hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
----------------------------------------------------------------
-

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll {47833539-D0C5-4125-9FA8-0819E2EAAC93}
c:\program files\hp\digital imaging\bin\hpdtlk02.dll (Hewlett-Packard Company) {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc.) {EF99BD32-C1FB-11D2-892F-0090271D4F88}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
- c:\program files\messenger\msmsgs.exe {FB5F1910-F110-11d2-BB9E-00C04F795683}

044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
------------------------------------------------------------------
c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll {47833539-D0C5-4125-9FA8-0819E2EAAC93}
c:\program files\hp\digital imaging\bin\hpdtlk02.dll (Hewlett-Packard Company) {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll {47833539-D0C5-4125-9FA8-0819E2EAAC93}
c:\program files\hp\digital imaging\bin\hpdtlk02.dll (Hewlett-Packard Company) {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc.) {EF99BD32-C1FB-11D2-892F-0090271D4F88}

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
-----------------------------------------------------------------------------
c:\program files\spywarekiller\ewido\security suite\shellhook.dll {54D9498B-CF93-414F-8984-8CE7FDE0D391}
c:\program files\superantispyware\sasseh.dll (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
c:\program files\intermute\spysubtract\sshook.dll (InterMute, Inc.) {FA010552-4A27-4cb1-A1BB-3E2D697F1639}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll {AE7CD045-E861-484f-8273-0445EE161910}
c:\program files\attcv\programs\evoipaxctrls.dll {424B6AD1-785D-43e7-9C9B-AB96E77477D0}
* c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
c:\program files\java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll (Yahoo! Inc.) {02478D38-C3F9-4efb-9B51-7695ECA05670}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
* c:\program files\itunes\itunesminiplayer.dll (Apple Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
c:\program files\recordnow!\shlext.dll {DEE12703-6333-4D4E-8F34-738C4DCC2E04}
c:\windows\system32\shellvrtf.dll (XSS) {7F67036B-66F1-411A-AD85-759FB9C5B0DB}
* c:\program files\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
c:\program files\intermute\spysubtract\sshook.dll (InterMute, Inc.) {FA010552-4A27-4cb1-A1BB-3E2D697F1639}
f:\vim\vim63\gvimext.dll (Tianmiao Hu's Developer Studio) {51EEE242-AD87-11d3-9C1E-0090278BBD99}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79305-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79306-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79307-84BE-11CE-9641-444553540000}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
* C:\WINDOWS\system32\lsdelete.exe

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
c:\program files\superantispyware\saswinlo.dll (SUPERAntiSpyware.com)

068 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
--------------------------------------------------------------------------------
C:\WINDOWS\system32\spsublsp.dll (InterMute, Inc.)
C:\WINDOWS\system32\spsublsp.dll (InterMute, Inc.)
C:\WINDOWS\system32\spsublsp.dll (InterMute, Inc.)
C:\WINDOWS\system32\spsublsp.dll (InterMute, Inc.)
C:\WINDOWS\system32\spsublsp.dll (InterMute, Inc.)
C:\WINDOWS\system32\spsublsp.dll (InterMute, Inc.)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
c:\windows\system32\adobepdf.dll (Adobe Systems Incorporated.)
C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)
C:\WINDOWS\system32\prtdlink.dll

073 %windir%\Tasks
------------------
AppleSoftwareUpdate.job : c:\program files\apple software update\softwareupdate.exe (Apple Inc.)

100 Internet Explorer settings
------------------------------
Default_Page_URL HKCU : http://ie.redirect.h...a...&pf=desktop
Default_Page_URL HKLM : http://ie.redirect.h...a...&pf=desktop
Default_Search_URL HKCU : http://ie.redirect.h...a...&pf=desktop
Start Page HKCU : http://www.yahoo.com/
Start Page HKLM : http://ie.redirect.h...a...&pf=desktop

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
------------------------------------------------------------------
GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}
c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll {182EC0BE-5110-49C8-A062-BEB1D02A220B}

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
- c:\windows\downlo~1\abx.ocx {0E0D50BC-E086-4E3A-B07D-C5C5869C0FFF}
c:\windows\system32\kaspersky lab\kaspersky online scanner\kavwebscan.dll (Kaspersky Lab) {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
- c:\windows\downloaded program files\r64loader.dll {288C5F13-7E52-4ADA-A32E-F5BF9D125B84}
- c:\windows\downloaded program files\as2stubie.dll {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8}
- c:\windows\downloaded program files\atomaders.dll {64D01C7F-810D-446E-A07E-365764235644}
- c:\windows\downloaded program files\mjolauncher.dll {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A}
c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
- c:\windows\downloaded program files\asinst.dll {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
- c:\windows\downloaded program files\npsibelius.dll {A8F2B9BD-A6A0-486A-9744-18920D898429}
c:\program files\java\j2re1.4.1_02\bin\npjpi141_02.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
c:\program files\java\j2re1.4.2_03\bin\npjpi142_03.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
- c:\windows\downloaded program files\gpcontrol.dll {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41}
- c:\windows\downloaded program files\rumblecube.dll {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
Add To HP Organize... : C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
E&xport to Microsoft Excel : res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
---------------------------------------------------------------------------------
c:\program files\bonjour\mdnsnsp.dll (Apple Inc.)

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
------------------------------------------------------------------------
{9ed86e6e-03f1-11dd-915e-0011091aa80e} : H:\LaunchU3.exe -a

171 HKCU\Control Panel\Desktop\SCRNSAVE.EXE
-------------------------------------------
c:\windows\system32\mat.scr (SereneScreen)

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
c:\program files\spywarekiller\ewido\security suite\context.dll (ewido networks) {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
f:\vim\vim63\gvimext.dll (Tianmiao Hu's Developer Studio) {51EEE242-AD87-11d3-9C1E-0090278BBD99}
c:\program files\superantispyware\sasctxmn.dll (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}

221 HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
-------------------------------------------------------
c:\program files\adobe\acrobat 6.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
c:\program files\spywarekiller\ewido\security suite\context.dll (ewido networks) {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
f:\vim\vim63\gvimext.dll (Tianmiao Hu's Developer Studio) {51EEE242-AD87-11d3-9C1E-0090278BBD99}
c:\program files\superantispyware\sasctxmn.dll (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}

223 HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
--------------------------------------------------------------------------
* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

225 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
------------------------------------------------------------
* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}

227 HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
---------------------------------------------------------------
c:\program files\spywarekiller\ewido\security suite\context.dll (ewido networks) {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
c:\program files\superantispyware\sasctxmn.dll (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}

Attached Files


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP