Malware Infection [RESOLVED]


This topic is locked

#1
Navy Seal

Member
119 posts
Hello there. For the past few weeks I've been getting a lot of pop-ups and alerts that I have a virus/trojan/spyware. Some sites that I normally go to have been flagged as potential virus sites if I go to them. Just trying to rid my computer of all this malware and have it be clean again! Below are the logs from Malwarebytes, SUPERAntiSpyware, Panda scan, and the HijackThis/HijackThis uninstall list log. Thanks for your help in advance!

Malwarebytes Log


Malwarebytes' Anti-Malware 1.19
Database version: 930
Windows 5.1.2600 Service Pack 2

5:43:03 PM 6/7/2008
mbam-log-6-7-2008 (17-43-03).txt

Scan type: Quick Scan
Objects scanned: 37883
Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1066f7c4 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
H:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
H:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Documents and Settings\Stearns\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
H:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.


Superantispyware Log


SUPERAntiSpyware Scan Log
Generated 06/07/2008 at 08:02 PM

Application Version : 3.6.1000

Core Rules Database Version : 3498
Trace Rules Database Version: 1489

Scan type : Complete Scan
Total Scan Time : 02:14:44

Memory items scanned : 365
Memory threats detected : 0
Registry items scanned : 4057
Registry threats detected : 8
File items scanned : 195704
File threats detected : 260

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{84C53226-C282-41FE-A4B4-8F05CC5EC24B}
HKCR\CLSID\{84C53226-C282-41FE-A4B4-8F05CC5EC24B}
HKCR\CLSID\{84C53226-C282-41FE-A4B4-8F05CC5EC24B}\InprocServer32
HKCR\CLSID\{84C53226-C282-41FE-A4B4-8F05CC5EC24B}\InprocServer32#ThreadingModel
H:\WINDOWS\SYSTEM32\SSQOHXWQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C53226-C282-41FE-A4B4-8F05CC5EC24B}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{84C53226-C282-41FE-A4B4-8F05CC5EC24B}
HKCR\CLSID\{84C53226-C282-41FE-A4B4-8F05CC5EC24B}

Rogue.AntiVirus 2008 Pro
HKU\S-1-5-21-725345543-1715567821-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run#antivirus-2008pro.exe [ H:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe ]

Adware.Tracking Cookie
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@247realmedia[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@adrevolver[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@advertising[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@apmebf[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@atdmt[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@atwola[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@bluestreak[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@burstnet[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@casalemedia[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@doubleclick[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@fastclick[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@hitbox[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@imrworldwide[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@insightexpressai[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@interclick[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@media6degrees[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@mediaplex[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@realmedia[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@revsci[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][3].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@specificclick[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@statcounter[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@tacoda[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@trafficmp[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@tribalfusion[2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@zedo[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@apmebf[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@doubleclick[1].txt
C:\Documents and Settings\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@fastclick[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@247realmedia[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@adrevolver[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@advertising[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@apmebf[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@atdmt[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@atwola[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@bluestreak[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@burstnet[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@casalemedia[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@doubleclick[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@fastclick[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@hitbox[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@imrworldwide[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@insightexpressai[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@interclick[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@media6degrees[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@mediaplex[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@realmedia[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@revsci[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][3].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@specificclick[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@statcounter[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@tacoda[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@trafficmp[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@tribalfusion[2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@zedo[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\stephen@apmebf[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\stephen@doubleclick[1].txt
C:\Documents and Settings\Stephen\Application Data\Microsoft\Windows\Cookies\stephen@fastclick[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@247realmedia[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@adrevolver[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@advertising[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@apmebf[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@atdmt[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@atwola[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@bluestreak[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@burstnet[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@casalemedia[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@doubleclick[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@fastclick[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@hitbox[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@imrworldwide[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@insightexpressai[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@interclick[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@media6degrees[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@mediaplex[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@realmedia[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@revsci[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][3].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@specificclick[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@statcounter[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@tacoda[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@trafficmp[1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@tribalfusion[2].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][1].txt
C:\Documents and Settings\Stephen\Cookies\Low\[email protected][2].txt
C:\Documents and Settings\Stephen\Cookies\Low\stephen@zedo[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@apmebf[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@doubleclick[1].txt
C:\Documents and Settings\Stephen\Cookies\stephen@fastclick[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@247realmedia[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@adrevolver[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@advertising[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@apmebf[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@atdmt[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@atwola[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@bluestreak[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@burstnet[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@casalemedia[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@doubleclick[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@fastclick[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@hitbox[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@imrworldwide[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@insightexpressai[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@interclick[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@media6degrees[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@mediaplex[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@realmedia[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@revsci[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][3].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@specificclick[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@statcounter[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@tacoda[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@trafficmp[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@tribalfusion[2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@zedo[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@apmebf[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@doubleclick[1].txt
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@fastclick[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@247realmedia[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@adrevolver[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@advertising[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@apmebf[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@atdmt[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@atwola[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@bluestreak[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@burstnet[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@casalemedia[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@doubleclick[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@fastclick[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@hitbox[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@imrworldwide[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@insightexpressai[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@interclick[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@media6degrees[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@mediaplex[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@realmedia[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@revsci[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][3].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@specificclick[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@statcounter[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@tacoda[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@trafficmp[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@tribalfusion[2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\Low\stephen@zedo[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\stephen@apmebf[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\stephen@doubleclick[1].txt
C:\Users\Stephen\Application Data\Microsoft\Windows\Cookies\stephen@fastclick[1].txt
C:\Users\Stephen\Cookies\Low\stephen@247realmedia[1].txt
C:\Users\Stephen\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Cookies\Low\stephen@adrevolver[2].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\stephen@advertising[2].txt
C:\Users\Stephen\Cookies\Low\stephen@apmebf[1].txt
C:\Users\Stephen\Cookies\Low\stephen@atdmt[2].txt
C:\Users\Stephen\Cookies\Low\stephen@atwola[1].txt
C:\Users\Stephen\Cookies\Low\stephen@bluestreak[2].txt
C:\Users\Stephen\Cookies\Low\stephen@burstnet[2].txt
C:\Users\Stephen\Cookies\Low\stephen@casalemedia[1].txt
C:\Users\Stephen\Cookies\Low\stephen@doubleclick[1].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\stephen@fastclick[1].txt
C:\Users\Stephen\Cookies\Low\stephen@hitbox[1].txt
C:\Users\Stephen\Cookies\Low\stephen@imrworldwide[2].txt
C:\Users\Stephen\Cookies\Low\stephen@insightexpressai[1].txt
C:\Users\Stephen\Cookies\Low\stephen@interclick[2].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\stephen@media6degrees[2].txt
C:\Users\Stephen\Cookies\Low\stephen@mediaplex[1].txt
C:\Users\Stephen\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Cookies\Low\stephen@realmedia[1].txt
C:\Users\Stephen\Cookies\Low\stephen@revsci[1].txt
C:\Users\Stephen\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Cookies\Low\[email protected][3].txt
C:\Users\Stephen\Cookies\Low\stephen@specificclick[2].txt
C:\Users\Stephen\Cookies\Low\stephen@statcounter[2].txt
C:\Users\Stephen\Cookies\Low\stephen@tacoda[1].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\stephen@trafficmp[1].txt
C:\Users\Stephen\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Cookies\Low\stephen@tribalfusion[2].txt
C:\Users\Stephen\Cookies\Low\[email protected][1].txt
C:\Users\Stephen\Cookies\Low\[email protected][2].txt
C:\Users\Stephen\Cookies\Low\stephen@zedo[1].txt
C:\Users\Stephen\Cookies\stephen@apmebf[1].txt
C:\Users\Stephen\Cookies\stephen@doubleclick[1].txt
C:\Users\Stephen\Cookies\stephen@fastclick[1].txt
H:\Documents and Settings\Stearns\Cookies\stearns@atdmt[2].txt


Pandascan Log


;*******************************************************************************************************************************************************************************
ANALYSIS: 2008-06-08 15:02:41
PROTECTIONS: 1
MALWARE: 23
SUSPECTS: 1
;*******************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No H:\Documents and Settings\Stearns\Cookies\stearns@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@fastclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@mediaplex[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@statcounter[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\stephen@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@burstnet[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@realmedia[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@bluestreak[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@adrevolver[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\stephen@atwola[1].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
03194637 Adware/GoodSearchNow Adware Yes 2 Yes No H:\WINDOWS\system32\avwa.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location 8
;===================================================================================================================================================================================
No C:\Program Files\mIRC\mirc.exe 8
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 8
;===================================================================================================================================================================================
182048 HIGH MS07-069 8
176382 HIGH MS07-057 8
170907 HIGH MS07-046 8
170906 HIGH MS07-045 8
170904 HIGH MS07-043 8
164913 HIGH MS07-033 8
160623 HIGH MS07-027 8
150253 HIGH MS07-016 8
120815 HIGH MS06-022 8
;===================================================================================================================================================================================


Hijackthis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:14 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\PROGRA~1\AVG\AVG8\avgemc.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
H:\Program Files\Creative\Mixer\CTSVolFE.exe
H:\WINDOWS\stsystra.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gotfrag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {58AA813B-8CB8-4766-9601-81EFD7E16357} - H:\WINDOWS\system32\ddcDuSkk.dll (file missing)
O2 - BHO: (no name) - {669AC196-6F92-47FC-A943-576455675194} - H:\WINDOWS\system32\avwa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B5F3E58-C5ED-40F9-B446-3B49CC34DD36} - H:\WINDOWS\system32\avwa.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {E3B379EB-DE2F-443B-9DFD-A937E791E44D} - H:\WINDOWS\system32\avwa.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "H:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1211744901000
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ssqOHxWQ - ssqOHxWQ.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - H:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5673 bytes


Hijackthis Uninstall List Log


Ad-Aware
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AVG Free 8.0
Battlefield 1942
Clue
Conexant D850 56K V.9x DFVc Modem
Dell ResourceCD
DesertCombat 0.7
DirectX Media Runtime 5.1
HijackThis 2.0.2
Hitman: Blood Money
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel® PRO Network Connections Drivers
Java™ 6 Update 6
Linksys Wireless-G PCI Adapter
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
NVIDIA Drivers
Panda ActiveScan 2.0
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Wi


#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, let me see if I can assist.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {58AA813B-8CB8-4766-9601-81EFD7E16357} - H:\WINDOWS\system32\ddcDuSkk.dll (file missing)
O2 - BHO: (no name) - {669AC196-6F92-47FC-A943-576455675194} - H:\WINDOWS\system32\avwa.dll
O2 - BHO: (no name) - {7B5F3E58-C5ED-40F9-B446-3B49CC34DD36} - H:\WINDOWS\system32\avwa.dll
O2 - BHO: (no name) - {E3B379EB-DE2F-443B-9DFD-A937E791E44D} - H:\WINDOWS\system32\avwa.dll
O20 - Winlogon Notify: ssqOHxWQ - ssqOHxWQ.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    H:\WINDOWS\system32\ddcDuSkk.dll
    H:\WINDOWS\system32\avwa.dll
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
Navy Seal

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 119 posts
Hey, I did all the scans and have the logs listed below! I didn't know if you needed another HijackThis log, but I added one in this reply just in case!


OldTimer log

File/Folder H:\WINDOWS\system32\ddcDuSkk.dll not found.
File/Folder H:\WINDOWS\system32\avwa.dll not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07092008_153338


DSS logs


main log

Deckard's System Scanner v20071014.68
Run by Stearns on 2008-07-09 15:34:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
92: 2008-07-09 19:34:53 UTC - RP215 - Deckard's System Scanner Restore Point
91: 2008-06-08 22:42:44 UTC - RP214 - System Checkpoint
90: 2008-06-07 21:44:09 UTC - RP213 - Installed SUPERAntiSpyware Free Edition
89: 2008-06-07 21:38:45 UTC - RP212 - Geekstogo Restore Point
88: 2008-06-06 22:35:46 UTC - RP211 - System Checkpoint


-- First Restore Point --
1: 2008-06-30 09:50:01 UTC - RP124 - Installed Windows XP KB917422.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Stearns.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:11 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\PROGRA~1\AVG\AVG8\avgemc.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
H:\Program Files\Creative\Mixer\CTSVolFE.exe
H:\WINDOWS\stsystra.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\notepad.exe
H:\Documents and Settings\Stearns\Desktop\dss.exe
H:\PROGRA~1\TRENDM~1\HIJACK~1\Stearns.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gotfrag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "H:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1211744901000
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - H:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5141 bytes

-- HijackThis Fixed Entries (H:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080709-153210-212 O2 - BHO: (no name) - {7B5F3E58-C5ED-40F9-B446-3B49CC34DD36} - H:\WINDOWS\system32\avwa.dll
backup-20080709-153210-869 O2 - BHO: (no name) - {669AC196-6F92-47FC-A943-576455675194} - H:\WINDOWS\system32\avwa.dll
backup-20080709-153210-916 O2 - BHO: (no name) - {E3B379EB-DE2F-443B-9DFD-A937E791E44D} - H:\WINDOWS\system32\avwa.dll
backup-20080709-153210-951 O2 - BHO: (no name) - {58AA813B-8CB8-4766-9601-81EFD7E16357} - H:\WINDOWS\system32\ddcDuSkk.dll (file missing)
backup-20080709-153211-306 O20 - Winlogon Notify: ssqOHxWQ - ssqOHxWQ.dll (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - h:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - h:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - h:\program files\superantispyware\saskutil.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - h:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 SASENUM - h:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S2 PfModNT - h:\windows\system32\pfmodnt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Sound Blaster 16 or AWE32 or compatible (WDM)
Device ID: ROOT\MEDIA\0000
Manufacturer: Creative Technology Ltd.
Name: Sound Blaster 16 or AWE32 or compatible (WDM)
PNP Device ID: ROOT\MEDIA\0000
Service: ctlsb16


-- Scheduled Tasks -------------------------------------------------------------

2008-06-04 08:26:00 284 --a------ H:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-09 and 2008-07-09 -----------------------------

2008-07-09 15:28:50 0 d-------- H:\WINDOWS\Sun
2008-07-09 15:28:50 0 d-------- H:\Documents and Settings\Stearns\Application Data\Sun
2008-06-30 05:49:51 229678 --ahs---- H:\WINDOWS\system32\kkSuDcdd.ini2
2008-06-28 19:24:02 0 d-------- H:\Documents and Settings\Stearns\Application Data\LimeWire


-- Find3M Report ---------------------------------------------------------------

2008-07-09 15:30:21 0 d-------- H:\Documents and Settings\Stearns\Application Data\mIRC
2008-06-30 18:17:28 0 d-------- H:\Documents and Settings\Stearns\Application Data\Ventrilo
2008-06-10 11:47:26 0 d-------- H:\Documents and Settings\Stearns\Application Data\teamspeak2
2008-06-08 22:31:30 13132 --ah----- H:\WINDOWS\system32\mlfcache.dat
2008-06-08 22:04:57 0 d-------- H:\Documents and Settings\Stearns\Application Data\Adobe
2008-06-08 22:02:23 0 d-------- H:\Program Files\Common Files\Adobe
2008-06-08 20:39:40 0 d-------- H:\Program Files\Xpress Mail
2008-06-08 16:49:47 0 d-------- H:\Program Files\SUPERAntiSpyware
2008-06-08 15:18:59 0 d-------- H:\Program Files\Trend Micro
2008-06-07 19:03:12 0 d-------- H:\Program Files\Bonjour
2008-06-07 19:02:12 0 d-------- H:\Program Files\QuickTime
2008-06-07 19:02:12 0 d-------- H:\Program Files\Apple Software Update
2008-06-07 19:02:09 0 d-------- H:\Program Files\iTunes
2008-06-07 19:01:59 0 d-------- H:\Program Files\Dl_cats
2008-06-07 19:01:59 0 d-------- H:\Program Files\Dell AIO Printer 946
2008-06-07 19:01:57 0 d-------- H:\Program Files\Dell Fax Solutions
2008-06-07 19:01:56 0 d-------- H:\Program Files\Abbyy FineReader 6.0 Sprint
2008-06-07 18:25:20 0 d-------- H:\Program Files\Panda Security
2008-06-07 17:51:50 0 --a------ H:\WINDOWS\YOURAPP.EXE
2008-06-07 17:51:48 0 --a------ H:\WINDOWS\system32\CMMGR32.EXE
2008-06-07 17:44:10 0 d-------- H:\Documents and Settings\Stearns\Application Data\SUPERAntiSpyware.com
2008-06-07 17:43:59 0 d-------- H:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 17:40:29 0 d-------- H:\Documents and Settings\Stearns\Application Data\Malwarebytes
2008-06-07 17:40:28 0 d-------- H:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 17:40:13 0 d-------- H:\Program Files\Common Files
2008-06-07 17:40:13 0 d-------- H:\Program Files\Common Files\Download Manager
2008-06-05 16:09:33 0 d-------- H:\Documents and Settings\Stearns\Application Data\DellFaxCtr
2008-06-05 13:23:30 0 d-------- H:\Program Files\Jasc Software Inc
2008-06-05 13:22:47 0 d-------- H:\Program Files\Common Files\InstallShield
2008-06-05 13:22:17 0 d--h----- H:\Program Files\InstallShield Installation Information
2008-06-04 20:10:57 0 d-------- H:\Documents and Settings\Stearns\Application Data\Apple Computer
2008-06-04 20:10:45 0 d-------- H:\Program Files\iPod
2008-06-04 20:09:38 0 d-------- H:\Program Files\Common Files\Apple
2008-06-04 19:56:53 0 d-------- H:\Documents and Settings\Stearns\Application Data\Ruckus Network
2008-06-02 01:19:59 98304 --a------ H:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-06-01 19:57:48 0 d-------- H:\Program Files\Hasbro Interactive
2008-06-01 19:53:03 0 d-------- H:\Program Files\WarZone
2008-06-01 19:52:47 0 d-------- H:\Documents and Settings\Stearns\Application Data\WarZone
2008-06-01 19:50:34 0 d-------- H:\Program Files\XMPChat
2008-06-01 16:48:14 0 d-------- H:\Program Files\Logitech
2008-06-01 16:46:51 0 d-------- H:\Documents and Settings\Stearns\Application Data\Xfire
2008-06-01 16:46:49 0 d-------- H:\Program Files\Common Files\Logitech
2008-05-28 13:38:41 0 --a------ H:\WINDOWS\nsreg.dat
2008-05-28 13:38:37 0 d-------- H:\Documents and Settings\Stearns\Application Data\Mozilla
2008-05-27 21:02:35 0 d-------- H:\Documents and Settings\Stearns\Application Data\Uniblue
2008-05-27 20:59:47 0 d-------- H:\Program Files\Common Files\Creative Labs Shared
2008-05-26 19:44:32 0 d-------- H:\Program Files\Lavasoft
2008-05-26 19:32:27 729088 --a------ H:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-05-26 19:28:10 528 --a------ H:\WINDOWS\eReg.dat
2008-05-26 19:27:30 0 d-------- H:\Program Files\Messenger
2008-05-26 19:25:24 0 d-------- H:\Documents and Settings\Stearns\Application Data\AVGTOOLBAR
2008-05-26 19:23:46 0 d-------- H:\Program Files\EA GAMES
2008-05-26 19:16:25 0 d-------- H:\Program Files\AVG
2008-05-26 15:47:03 0 d-------- H:\Program Files\SigmaTel
2008-05-26 15:40:35 0 d-------- H:\Program Files\Hewlett-Packard
2008-05-26 15:38:55 0 d-------- H:\Program Files\Windows Media Connect 2
2008-05-26 14:55:57 0 d-------- H:\Program Files\Creative
2008-05-26 04:12:25 0 d-------- H:\Program Files\Symantec
2008-05-26 04:12:25 0 d-------- H:\Program Files\Common Files\Symantec Shared
2008-05-26 04:03:13 0 d-------- H:\Program Files\Movie Maker
2008-05-26 04:02:18 0 d-------- H:\Program Files\Windows NT
2008-05-25 23:20:07 0 d-------- H:\Program Files\directx
2008-05-25 23:16:19 0 d-------- H:\Program Files\CONEXANT
2008-05-25 23:13:47 0 d-------- H:\Program Files\Java
2008-05-25 23:13:07 0 d-------- H:\Program Files\Common Files\Java
2008-05-25 23:11:32 0 d-------- H:\Documents and Settings\Stearns\Application Data\Macromedia
2008-05-25 22:47:59 0 d-------- H:\Program Files\PROnetworks
2008-05-25 22:33:59 0 d-------- H:\Program Files\Intel
2008-05-25 22:31:49 0 d-------- H:\Program Files\Dell
2008-05-25 15:34:40 0 d-------- H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-05-25 14:57:49 7 --a------ H:\WINDOWS\system32\ANIWZCSUSERNAME
2008-05-25 14:00:11 0 d-------- H:\Documents and Settings\Stearns\Application Data\Identities
2008-05-25 10:37:17 0 d-------- H:\Program Files\microsoft frontpage
2008-05-25 10:34:27 0 d-------- H:\Program Files\Common Files\MSSoap
2008-05-25 10:34:12 21640 --a------ H:\WINDOWS\system32\emptyregdb.dat
2008-05-25 10:34:00 0 d--h----- H:\Program Files\WindowsUpdate
2008-05-25 10:34:00 0 d-------- H:\Program Files\Online Services
2008-05-25 10:33:54 0 d-------- H:\Program Files\MSN Gaming Zone
2008-05-25 06:24:44 0 d-------- H:\Program Files\Common Files\ODBC
2008-05-25 06:24:42 0 d-------- H:\Program Files\Common Files\SpeechEngines
2008-05-25 06:24:23 62 --ahs---- H:\Documents and Settings\Stearns\Application Data\desktop.ini
2008-05-02 22:46:00 1630208 --a------ H:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a------ H:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a------ H:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a------ H:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a------ H:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a------ H:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a------ H:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a------ H:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/04/2008 05:50 PM 2055960 --a------ H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/04/2008 05:50 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="H:\WINDOWS\System32\NvCpl.dll" [06/01/2007 05:19 PM]
"nwiz"="nwiz.exe" [05/02/2008 10:46 PM H:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="H:\WINDOWS\System32\NvMcTray.dll" [06/01/2007 05:19 PM]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"CTSVolFE.exe"="H:\Program Files\Creative\Mixer\CTSVolFE.exe" [02/23/2005 03:57 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/20/2006 04:00 PM H:\WINDOWS\stsystra.exe]
"AVG8_TRAY"="H:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/04/2008 05:50 PM]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 H:\WINDOWS\system32\ddcDuSkk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - GTNDIS5
*Newly Created Service* - SASDIFSV



-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8516 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-09 15:35:40 ------------


extra log


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6700 @ 2.66GHz
CPU 1: Intel® Core™2 CPU 6700 @ 2.66GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 2045.87 MiB / 1456.3 MiB
Pagefile Memory (total/avail): 3939.01 MiB / 3529.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.33 MiB

C: is Fixed (NTFS) - 256.31 GiB total, 169.09 GiB free.
D: is Removable (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Fixed (NTFS) - 31.73 GiB total, 21.21 GiB free.
I: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 3 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 256.31 GiB - C:
\PARTITION2 - Installable File System - 31.73 GiB - H:

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"H:\\Program Files\\AVG\\AVG8\\avgupd.exe"="H:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"H:\\Program Files\\AVG\\AVG8\\avgemc.exe"="H:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Steam\\steamapps\\kung48fu\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\kung48fu\\counter-strike\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"H:\\Program Files\\XMPChat\\XMPChat Client.exe"="H:\\Program Files\\XMPChat\\XMPChat Client.exe:*:Enabled:XMPChat Client"
"H:\\Program Files\\Internet Explorer\\iexplore.exe"="H:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"H:\\Program Files\\Xpress Mail\\Professional Editon\\XpressMailDesktopClient.exe"="H:\\Program Files\\Xpress Mail\\Professional Editon\\XpressMailDesktopClient.exe:*:Enabled:XpressMailDesktopClient"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"H:\\Program Files\\Messenger\\msmsgs.exe"="H:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=H:\Documents and Settings\All Users
APPDATA=H:\Documents and Settings\Stearns\Application Data
CLIENTNAME=Console
CommonProgramFiles=H:\Program Files\Common Files
COMPUTERNAME=STEPHEN
ComSpec=H:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=H:
HOMEPATH=\Documents and Settings\Stearns
LOGONSERVER=\\STEPHEN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=H:\Program Files\Internet Explorer;;H:\WINDOWS\system32;H:\WINDOWS;H:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=H:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=H:
SystemRoot=H:\WINDOWS
TEMP=H:\DOCUME~1\Stearns\LOCALS~1\Temp
TMP=H:\DOCUME~1\Stearns\LOCALS~1\Temp
USERDOMAIN=STEPHEN
USERNAME=Stearns
USERPROFILE=H:\Documents and Settings\Stearns
windir=H:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Stearns (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{7E9BE6D1-680B-49B2-A2B0-CBC32D20DF04}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{7E9BE6D1-680B-49B2-A2B0-CBC32D20DF04}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{AA2CA846-C6DB-4468-B291-18D4BA359656}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{AA2CA846-C6DB-4468-B291-18D4BA359656}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 H:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> H:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> H:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AVG Free 8.0 --> H:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Battlefield 1942 --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Clue --> H:\WINDOWS\IsUninst.exe -f"H:\Program Files\Hasbro Interactive\Clue\Uninst.isu"
Conexant D850 56K V.9x DFVc Modem --> H:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell ResourceCD --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DesertCombat 0.7 --> H:\WINDOWS\iun6002.exe "H:\Program Files\EA GAMES\Battlefield 1942\DesertCombat.ini"
DirectX Media Runtime 5.1 --> RunDll32 advpack.dll,LaunchINFSection H:\WINDOWS\INF\DXM51.INF,Uninstall.NT
HijackThis 2.0.2 --> "H:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hitman: Blood Money --> "C:\Program Files\Steam\steam.exe" steam://uninstall/6860
Hotfix for Windows Media Format 11 SDK (KB929399) --> "H:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Network Connections Drivers --> Prounstl.exe
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Linksys Wireless-G PCI Adapter --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveUpdate 3.2 (Symantec Corporation) --> "H:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "H:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "H:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "H:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
NVIDIA Drivers --> H:\WINDOWS\System32\nvudisp.exe UninstallGUI
Panda ActiveScan 2.0 --> H:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
SigmaTel Audio --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
VistaBootPRO 3.3 --> MsiExec.exe /I{6C9FA746-8759-4040-A436-42922CB3492E}
WarZone Client v1.0.41 --> H:\PROGRA~1\WarZone\UNWISE.EXE H:\PROGRA~1\WarZone\INSTALL.LOG
Windows Media Format 11 runtime --> "H:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Xpress Mail Professional Edition --> "H:\Program Files\Xpress Mail\Professional Editon\Uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type463 / Error
Event Submitted/Written: 06/09/2008 03:14:39 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 686628912.

Event Record #/Type462 / Error
Event Submitted/Written: 06/09/2008 03:14:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2835 / Warning
Event Submitted/Written: 06/09/2008 06:00:03 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-07-09 15:35:40 ------------



Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:57 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\PROGRA~1\AVG\AVG8\avgemc.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
H:\Program Files\Creative\Mixer\CTSVolFE.exe
H:\WINDOWS\stsystra.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gotfrag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "H:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1211744901000
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - H:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5070 bytes

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, I can now see what the sneaky blighter has done, so let's fix it.

Download and run ERUNT http://www.larsheder...nline.de/erunt/

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.


Next, select the backup options:

- System registry:

- Current user registry:

- Other open user registries:

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop.

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

THEN

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    H:\WINDOWS\system32\kkSuDcdd.ini2
    H:\WINDOWS\system32\ddcDuSkk
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the image to insert the attachment into your post

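The REGEDIT4 fix above writes the LSA "Authentication Packages" value as a hex(7) byte list, which is how a .reg file spells a REG_MULTI_SZ. As an added example (not part of this post, of ERUNT, or of any OldTimer tool), the Python below decodes that encoding, confirms the fix restores only the stock msv1_0 package, and flags any other package name in such a value. The EXPECTED_PACKAGES allowlist and the rogue_example name used in the self-check are assumptions constructed for the demo.

```python
"""Decode and sanity-check the LSA "Authentication Packages" fix posted above.

Added example, not part of the forum post or of ERUNT/Regedit. It parses the
REGEDIT4 text from the post, decodes the hex(7) (REG_MULTI_SZ) byte list, and
reports any package other than the stock Windows "msv1_0". The allowlist and
the "rogue_example" name used in the self-check are constructed for this demo.
"""
import re

# The registry fix exactly as posted in the thread (REGEDIT4 = ANSI .reg format).
REG_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Stock Windows XP registers only the NTLM package here (assumed allowlist).
EXPECTED_PACKAGES = {"msv1_0"}


def decode_multi_sz(hex_text: str) -> list:
    """Turn '6d,73,...' into the list of strings a REG_MULTI_SZ holds.

    REGEDIT4 files store hex(7) as ANSI bytes: each string is NUL-terminated
    and the whole list ends with one extra NUL.
    """
    parts = [p for p in re.split(r"[,\s\\]+", hex_text.strip()) if p]
    raw = bytes(int(p, 16) for p in parts)
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_multi_sz(values) -> str:
    """Inverse of decode_multi_sz: build the hex(7) text for a REGEDIT4 file."""
    raw = "".join(v + "\x00" for v in values) + "\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw.encode("latin-1"))


def parse_reg_values(reg_text: str) -> dict:
    """Map (lower-cased key, value name) -> decoded strings for every hex(7) value."""
    # .reg files wrap long hex lists with a trailing backslash; join those first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=hex\(7\):(.*)$', line)
        if m and key is not None:
            values[(key, m.group(1))] = decode_multi_sz(m.group(2))
    return values


def unexpected_packages(packages, expected=EXPECTED_PACKAGES) -> list:
    """Packages present that are not on the allowlist (names are case-insensitive)."""
    allowed = {e.lower() for e in expected}
    return [p for p in packages if p.lower() not in allowed]


def check_lsa_fix(reg_text: str = REG_FIX) -> dict:
    """Summarise what the fix writes to Authentication Packages."""
    packages = parse_reg_values(reg_text).get((LSA_KEY, "Authentication Packages"), [])
    return {"packages": packages, "unexpected": unexpected_packages(packages)}


if __name__ == "__main__":
    print(check_lsa_fix())
    # A constructed "infected" value: the stock package plus a rogue DLL name.
    infected = encode_multi_sz(["msv1_0", "rogue_example"])
    print(infected, "->", unexpected_packages(decode_multi_sz(infected[len("hex(7):"):])))
```

Run it as a script to see the decoded value. The same decode_multi_sz routine works on any hex(7) line exported by Regedit, including values wrapped across several lines with a trailing backslash, which is why checking this value against a short allowlist is a quick way to confirm that nothing is being loaded into LSASS at boot besides the stock package.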

#5
Navy Seal

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 119 posts
Hey again! Got all the logs you requested below.


Oldtimer log

H:\WINDOWS\system32\kkSuDcdd.ini2 moved successfully.
File/Folder H:\WINDOWS\system32\ddcDuSkk not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07092008_162658


Otscanit log (sent in an attachment)


Edited by Navy Seal, 09 July 2008 - 02:35 PM.


#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
A few smidgeons to take out, but it looks good :)

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Created Within 90 days]
NY -> ixduettv.ini -> %SystemRoot%\System32\ixduettv.ini
NY -> kkSuDcdd.ini -> %SystemRoot%\System32\kkSuDcdd.ini
NY -> qknjdpqy.ini -> %SystemRoot%\System32\qknjdpqy.ini
NY -> xyeeowrd.ini -> %SystemRoot%\System32\xyeeowrd.ini
[Files/Folders - Modified Within 90 days]
NY -> dqocowwu.ini -> %SystemRoot%\System32\dqocowwu.ini
NY -> ixduettv.ini -> %SystemRoot%\System32\ixduettv.ini
NY -> kkSuDcdd.ini -> %SystemRoot%\System32\kkSuDcdd.ini
NY -> qknjdpqy.ini -> %SystemRoot%\System32\qknjdpqy.ini
NY -> xyeeowrd.ini -> %SystemRoot%\System32\xyeeowrd.ini
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

I see you have MBAM, so I will now run that to clear orphans.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Logs required: OTScanit report, MBAM log and a new Hijackthis log. Plus, how is your computer now?
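The two names in the earlier OTMoveIt2 list, kkSuDcdd.ini2 and ddcDuSkk, are mirror images of each other, and the OTScanit fix above removes four more eight-letter .ini files from System32. As an added example that is not part of the thread or of OTScanit, the Python below triages a constructed System32 listing for exactly those two signs: mirror-image stem pairs, and eight-letter .ini names worth a second look. The listing, including the ordinary Windows files mixed in as noise, is constructed for the demo, and the eight-letter rule is only a heuristic that shortlists files for manual review, not a verdict.

```python
"""Triage a System32 listing for Vundo-style mirror-image file pairs.

Added example, not from the thread or the OldTimer tools. The OTMoveIt2 list
pairs kkSuDcdd.ini2 with ddcDuSkk: the .ini stem is the other name spelled
backwards. The listing below is constructed for the demo; the clean names are
ordinary Windows files added as noise.
"""
import re

# Constructed directory listing (file names only, as a scan tool would print them).
SAMPLE_LISTING = [
    "kkSuDcdd.ini2", "ddcDuSkk",
    "ixduettv.ini", "qknjdpqy.ini", "xyeeowrd.ini", "dqocowwu.ini",
    "kernel32.dll", "desktop.ini", "win.ini", "msvcrt.dll", "ctfmon.exe",
]

INI_EXT = re.compile(r"\.ini\d?$", re.IGNORECASE)   # .ini, .ini2, ...


def stem(name: str) -> str:
    """File name without its extension ('ddcDuSkk' stays as is)."""
    return name.rsplit(".", 1)[0] if "." in name else name


def reversed_pairs(names) -> list:
    """Return (ini_file, companion) pairs whose stems are mirror images.

    The companion may carry any extension or none; the comparison is
    case-sensitive, matching the mixed-case names seen in the thread.
    """
    by_stem = {}
    for n in names:
        by_stem.setdefault(stem(n), []).append(n)
    pairs = []
    for n in names:
        if not INI_EXT.search(n):
            continue
        mirror = stem(n)[::-1]
        for companion in by_stem.get(mirror, []):
            if not INI_EXT.search(companion):
                pairs.append((n, companion))
    return sorted(pairs)


def random_looking_ini(names) -> list:
    """Eight-letter, all-alphabetic .ini stems: a crude shortlist for review."""
    return sorted(n for n in names
                  if INI_EXT.search(n) and re.fullmatch(r"[A-Za-z]{8}", stem(n)))


def triage(names=SAMPLE_LISTING) -> dict:
    """Both checks over one listing; 'review' items still need a human look."""
    return {"reversed_pairs": reversed_pairs(names),
            "review": random_looking_ini(names)}


if __name__ == "__main__":
    for label, hits in triage().items():
        print(f"{label}:")
        for hit in hits:
            print("   ", hit)
```

The mirror-image check is the strong signal here: a legitimate installer has no reason to drop a file whose name is another file's name spelled backwards. The eight-letter filter will also catch harmless files on some systems, so treat its output as a list to look up against the installed-software inventory (the Add/Remove Programs section of the DSS log is a good start), not as something to delete on sight.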

#7
Navy Seal

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 119 posts
Got all the logs without a problem. My computer is running pretty good. Haven't run into any major problems as of late. No popups have come up, or websites with alerts that a trojan or virus might have infected my system. Is everything pretty much cleaned up?


Otscanit log

[Files/Folders - Created Within 90 days]
H:\WINDOWS\System32\ixduettv.ini moved successfully.
H:\WINDOWS\System32\kkSuDcdd.ini moved successfully.
H:\WINDOWS\System32\qknjdpqy.ini moved successfully.
H:\WINDOWS\System32\xyeeowrd.ini moved successfully.
[Files/Folders - Modified Within 90 days]
H:\WINDOWS\System32\dqocowwu.ini moved successfully.
File H:\WINDOWS\System32\ixduettv.ini not found!
File H:\WINDOWS\System32\kkSuDcdd.ini not found!
File H:\WINDOWS\System32\qknjdpqy.ini not found!
File H:\WINDOWS\System32\xyeeowrd.ini not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.1 fix logfile created on 07092008_171314

Files moved on Reboot...
File move failed. H:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.



Malwarebytes log



Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

5:20:59 PM 7/9/2008
mbam-log-7-9-2008 (17-20-59).txt

Scan type: Quick Scan
Objects scanned: 38491
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:54 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\PROGRA~1\AVG\AVG8\avgemc.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
H:\Program Files\Creative\Mixer\CTSVolFE.exe
H:\WINDOWS\stsystra.exe
H:\PROGRA~1\AVG\AVG8\avgtray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gotfrag.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - H:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSVolFE.exe] "H:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = H:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1211744901000
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - H:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - H:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5144 bytes

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Nicely done, MBAM cleared the orphans so............................

Now the best part of the day ----- Your log now appears clean :)

Double click OTScanit once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTScanit wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point, but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this
7. Accept the warning and select OK again; the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


Keep safe :)

#9
Navy Seal

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 119 posts
Hey, I did the last steps and I think they all went through pretty good. The OTScanit didn't give me a log, and when I first did the cleanup, in the past box it said that the deletion was a failure. But then I had to reboot to remove it, so I did that. Still didn't get a log.

Thanks for all your help and for being very quick in replying to my posts. I appreciate it greatly, thank you!

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
If need be just delete it manually :)

#11
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.