
Unknown virus but I have random websites popping up. [CLOSED]


  • This topic is locked

#16
basstwo

basstwo

    Member

  • Topic Starter
  • Member
  • 12 posts
I used Unlocker and got rid of them.

I just did a full scan with MalwareBytes and no problems.
  • 0


#17
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey basstwo,

Your logs look much better now. :) Let's use OTMoveIt2 to see if we can get rid of those files.

1) Use OTMoveIt2 to remove bad files

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\drivers\hidclasss.sys 
    C:\WINDOWS\system32\drivers\core.cache.dsk 
    purity
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

2) Update Adobe Reader

Please uninstall the current version of Adobe you have and go here to install the latest version.

3) Get a new DSS log

Finally, click on Start, click on Run.
Copy and paste the following in bold in the open window and then click OK.
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it finishes, please post back both logs that open in Notepad (main.txt and extra.txt).

Next reply (please include):

Fresh HijackThis log
DSS log
OTMoveIt2 log

  • 0
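An added example, not part of this thread and not code from HijackThis, DSS or OTMoveIt2: a small Python triage script that scans HijackThis-style log lines for the kinds of entries being cleaned up above. The sample lines are constructed from the formats on this page (some copied from the logs, some made up to exercise the checks). The checks themselves are my own heuristics, not HijackThis rules: entries whose file is missing, a proxy auto-config URL, BHOs with no name, rundll32 loading a DLL through a one-letter export, and Run keys named with a random-looking hex string. A hit means "a person should look at this", not "this is malware".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of HijackThis-style lines. Formats follow the logs posted in
# this thread; the entries are a mix of copied and invented lines for illustration.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4F96CCB9-01EC-419E-AAEA-C2C913F2A236} - C:\WINDOWS\system32\qoMdEWno.dll (file missing)
O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\xcbyyqhk.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: qoMdEWno - qoMdEWno.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    section: str  # HijackThis section code, e.g. "O4"
    reason: str


# "O4 - <body>" / "R1 - <body>": section code, then the rest of the line.
SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# HijackThis appends this when the referenced file no longer exists on disk.
FILE_MISSING_RE = re.compile(r"\(file missing\)\s*$", re.IGNORECASE)
# R1 entry that points the browser at a proxy auto-config script.
AUTOCONFIG_RE = re.compile(r"AutoConfigURL\s*=\s*(?P<url>\S+)", re.IGNORECASE)
# rundll32 loading a DLL via a single-letter export, e.g. rundll32.exe "x.dll",b
RUNDLL_ONE_LETTER_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\.dll)"?\s*,\s*(?P<export>[A-Za-z])\s*$',
    re.IGNORECASE,
)
# Name of the Run value, the part in square brackets.
RUN_NAME_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\]")
# Eight lowercase hex characters: a typical auto-generated value name.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
NO_NAME_BHO_RE = re.compile(r"^BHO: \(no name\)")


def triage(log_text: str) -> list[Finding]:
    """Return heuristic findings for each HijackThis-style line in log_text."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(log_text.strip().splitlines(), start=1):
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")

        if FILE_MISSING_RE.search(body):
            findings.append(Finding(line_no, sec, "orphaned entry: referenced file is missing"))

        if sec == "R1":
            am = AUTOCONFIG_RE.search(body)
            if am:
                findings.append(Finding(line_no, sec, f"proxy auto-config URL set: {am.group('url')}"))

        if sec == "O2" and NO_NAME_BHO_RE.match(body):
            findings.append(Finding(line_no, sec, "browser helper object registered with no name"))

        if sec == "O4":
            rm = RUNDLL_ONE_LETTER_RE.search(body)
            if rm:
                findings.append(Finding(
                    line_no, sec,
                    f"rundll32 loads {rm.group('dll')} via one-letter export '{rm.group('export')}'",
                ))
            nm = RUN_NAME_RE.search(body)
            if nm and HEX_NAME_RE.match(nm.group("name")):
                findings.append(Finding(line_no, sec, f"Run value named with random hex string [{nm.group('name')}]"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} {f.section:<4} {f.reason}")
```

Each hit still needs an analyst's judgement. On the log in this thread, for instance, the AutoConfigURL hit (http://localhost:9100/proxy.pac) is consistent with the Google Web Accelerator the same log shows running, so it would be dismissed, while the file-missing and rundll32 one-letter-export hits match the entries that HijackThis had already been used to fix.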

#18
basstwo

basstwo

    Member

  • Topic Starter
  • Member
  • 12 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:02 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\Flipper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6906 bytes


Deckard's System Scanner v20071014.68
Run by Erik on 2008-07-26 06:58:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-26 13:58:53 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Erik.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:19 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Erik\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Erik.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6941 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080719-085606-270 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080719-085606-828 O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
backup-20080719-085606-937 O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080720-084341-323 O20 - Winlogon Notify: qoMdEWno - qoMdEWno.dll (file missing)
backup-20080720-084341-429 O2 - BHO: {ff331ba8-1373-4e4a-3194-00dca43771a5} - {5a17734a-cd00-4913-a4e4-37318ab133ff} - C:\WINDOWS\system32\cmdrha.dll (file missing)
backup-20080720-084341-461 O4 - HKLM\..\Run: [BMaba16596] Rundll32.exe "C:\WINDOWS\system32\jvoicadx.dll",s
backup-20080720-084341-596 O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
backup-20080720-084341-638 O4 - HKLM\..\Run: [{25-56-6A-A5-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
backup-20080720-084341-649 O2 - BHO: (no name) - {4F96CCB9-01EC-419E-AAEA-C2C913F2A236} - C:\WINDOWS\system32\qoMdEWno.dll (file missing)
backup-20080720-084341-728 O4 - HKLM\..\Run: [a892560a] rundll32.exe "C:\WINDOWS\system32\xcbyyqhk.dll",b
backup-20080720-084341-732 O2 - BHO: (no name) - {4E00DC0B-4B10-4359-B9AE-E82CF31136FC} - C:\WINDOWS\system32\pmnkJdca.dll (file missing)
backup-20080720-084341-824 O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing)
backup-20080720-084341-927 O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 hidclasss - c:\windows\system32\drivers\hidclasss.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_50041458&REV_02\4&3AB31F7F&0&3AF0
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_50041458&REV_02\4&3AB31F7F&0&3AF0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\WEC0519\4&12F3D326&0
Manufacturer:
Name:
PNP Device ID: ACPI\WEC0519\4&12F3D326&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\WEC0515\4&12F3D326&0
Manufacturer:
Name:
PNP Device ID: ACPI\WEC0515\4&12F3D326&0
Service:

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: SCSI/RAID Host Controller
Device ID: ACPI\PNPA000\4&5D18F2DF&0
Manufacturer: (Standard mass storage controllers)
Name: SCSI/RAID Host Controller
PNP Device ID: ACPI\PNPA000\4&5D18F2DF&0
Service: af57bw4r


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1808)
2008-05-01 21:15:35 4608 --a------ C:\Program Files\Unlocker\UnlockerHook.dll
2006-11-14 13:03:30 335872 --a------ C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll <Not Verified; Sun Microsystems, Inc.; >
2006-11-22 14:31:08 98304 --a------ C:\Program Files\OpenOffice.org 2.1\program\uwinapi.dll <Not Verified; Sun Microsystems, Inc.; >
2006-10-27 10:42:12 577536 --a------ C:\Program Files\OpenOffice.org 2.1\program\stlport_vc7145.dll <Not Verified; STLport Consulting, Inc.; STLport Standard ANSI C++ Libarary>
2008-05-01 21:15:37 10240 --a------ C:\Program Files\Unlocker\UnlockerCOM.dll
2006-12-03 15:53:06 126464 --a------ C:\Program Files\WinRAR\RarExt.dll
2003-10-30 06:59:02 49152 --a------ F:\Program Files\TextPad 4\system\shellext.dll <Not Verified; Helios Software Solutions; TextPad Add-On>
2008-01-23 19:08:37 69889 --a------ C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll <Not Verified; Avira GmbH; AntiVir Workstation>
2007-07-27 14:58:17 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

C:\WINDOWS\system32\svchost.exe (pid 388)
2004-11-02 21:19:48 120832 --a------ C:\WINDOWS\system32\BrWia04b.dll <Not Verified; Brother Industries, Ltd.; Brother Industries, Ltd.>
2004-11-18 15:32:44 52224 --a------ C:\WINDOWS\system32\BrNetSti.dll <Not Verified; Brother Industries, Ltd.; Brother Industries, Ltd.>
2002-11-26 13:43:18 106496 --a------ C:\WINDOWS\system32\BrMuSNMP.dll

C:\WINDOWS\system32\rundll32.exe (pid 1040)
2008-05-01 21:15:35 4608 --a------ C:\Program Files\Unlocker\UnlockerHook.dll


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-26 06:57:23 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-26 06:51:20 0 d-------- C:\Documents and Settings\Erik\My Documents
2008-07-23 18:52:42 0 d-------- C:\Documents and Settings\Amy\Application Data\Malwarebytes
2008-07-23 08:41:40 0 d-------- C:\Documents and Settings\Erik\Application Data\Malwarebytes
2008-07-23 08:41:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-07-23 08:41:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 21:46:25 346112 -ra------ C:\WINDOWS\system\QTIM32.DLL <Not Verified; Apple Computer, Inc.; QuickTime for Windows>
2008-07-22 20:36:26 0 d-------- C:\Program Files\Myst
2008-07-22 19:39:28 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg8
2008-07-21 16:54:48 12800 --a------ C:\WINDOWS\system\WING32.DLL <Not Verified; Microsoft Corporation; WinG>
2008-07-21 09:14:36 0 d--h----- C:\$AVG8.VAULT$
2008-07-21 09:07:36 0 d-------- C:\Program Files\AVG
2008-07-18 20:05:54 0 d-------- C:\VundoFix Backups
2008-07-18 19:53:36 0 d-------- C:\Program Files\Avira
2008-07-18 19:53:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira


-- Find3M Report ---------------------------------------------------------------

2008-07-26 06:57:23 0 d-------- C:\Program Files\Common Files
2008-07-26 06:56:38 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-25 20:22:30 4939 --a------ C:\Documents and Settings\Erik\Application Data\.googlewebacchosts
2008-07-22 22:02:58 0 d-------- C:\Program Files\QuickTime
2008-07-22 22:01:36 0 d-------- C:\Program Files\Apple Software Update
2008-07-22 21:38:08 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-22 21:38:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-18 19:46:42 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
06/11/2008 10:33 PM 75128 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 01:22 PM C:\WINDOWS\system32\nwiz.exe]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [11/11/2004 10:00 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 01:22 PM]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/01/2008 09:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [06/12/2008 02:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/27/2007 08:58 PM]
"Steam"="f:\program files\steam\steam.exe" [04/06/2008 08:25 PM]
"Toggler"="F:\Program Files\togglr10\toggler.exe" [01/20/2001 10:01 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=F:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 10:24:38 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb83f91-8e44-11db-b1b5-0020ed21c526}]
AutoRun\command- G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe




-- End of Deckard's System Scanner: finished at 2008-07-26 07:00:30 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 1023.48 MiB / 624.96 MiB
Pagefile Memory (total/avail): 2461.8 MiB / 2102.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1905.84 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.31 GiB total, 2.07 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Fixed (NTFS) - 37.26 GiB total, 8.36 GiB free.

\\.\PHYSICALDRIVE0 - ST310212A - 9.32 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.31 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD400EB-00CPF0 - 37.27 GiB - 1 partition
\PARTITION0 - Installable File System - 37.26 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AntivirusOverride is set.

AV: Avira AntiVir PersonalEdition v8.0.1.15 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Enabled:P2P Networking"
"F:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life\\hl.exe"="F:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"F:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life blue shift\\hl.exe"="F:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life blue shift\\hl.exe:*:Enabled:Half-Life Launcher"
"F:\\Program Files\\Steam\\steamapps\\[email protected]\\opposing force\\hl.exe"="F:\\Program Files\\Steam\\steamapps\\[email protected]\\opposing force\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Easy RM to MP3 Converter\\RM2MP3Converter.exe"="C:\\Program Files\\Easy RM to MP3 Converter\\RM2MP3Converter.exe:*:Enabled:Mini-stream RM-MP3 Converter"
"C:\\Program Files\\Mini-stream\\Mini-stream Ripper\\Ripper.exe"="C:\\Program Files\\Mini-stream\\Mini-stream Ripper\\Ripper.exe:*:Enabled:Mini-stream Ripper"
"F:\\Program Files\\Tremulous\\tremulous.exe"="F:\\Program Files\\Tremulous\\tremulous.exe:*:Enabled:tremulous"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\\Program Files\\Steam\\steam.exe"="F:\\Program Files\\Steam\\steam.exe:*:Enabled:Steam"
"F:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="F:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"F:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"="F:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"
"F:\\Program Files\\Creative Memories\\Memory Manager\\Memories2.exe"="F:\\Program Files\\Creative Memories\\Memory Manager\\Memories2.exe:*:Enabled:Memory Manager 2"
"F:\\Program Files\\iTunes\\iTunes.exe"="F:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"F:\\Program Files\\Mini-stream\\Mini-stream RM-MP3 Converter\\RM2MP3Converter.exe"="F:\\Program Files\\Mini-stream\\Mini-stream RM-MP3 Converter\\RM2MP3Converter.exe:*:Enabled:Mini-stream RM-MP3 Converter"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"F:\\Program Files\\LimeWire\\LimeWire.exe"="F:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Erik\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SARLACC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Erik
LOGONSERVER=\\SARLACC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Erik\LOCALS~1\Temp
TMP=C:\DOCUME~1\Erik\LOCALS~1\Temp
USERDOMAIN=SARLACC
USERNAME=Erik
USERPROFILE=C:\Documents and Settings\Erik
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Erik (admin)
Amy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com --> MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe AIR --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Amazing Adventures: The Lost Tomb Demo --> "F:\Program Files\Steam\steam.exe" steam://uninstall/3512
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AstroPop Deluxe Demo --> "F:\Program Files\Steam\steam.exe" steam://uninstall/3342
ATMA V 5.05 --> F:\PROGRA~1\ATMAV~1\Setup.exe /remove
Audiosurf Demo --> "F:\Program Files\Steam\steam.exe" steam://uninstall/12910
AVI Movie Player --> F:\Program Files\AVI Movie Player\uninstall.exe
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Backup To Email 1.4.3 build 24 --> "F:\Program Files\Emailer\unins000.exe"
Bejeweled 2 Deluxe Demo --> "F:\Program Files\Steam\steam.exe" steam://uninstall/3302
Bookworm Adventures Deluxe Demo --> "F:\Program Files\Steam\steam.exe" steam://uninstall/3472
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Creative Memories Memory Manager 2 --> MsiExec.exe /I{0F1A3568-7419-4115-A207-512B9F688267}
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
EKS Sherlock 5.0 --> F:\EKS\Sherlock\unsetup.exe
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Video Player --> "F:\Program Files\Google\Google Video Player\Uninstall.exe"
Google Video Uploader --> "F:\Program Files\Google Video\Uninstall.exe"
Google Web Accelerator --> MsiExec.exe /X{6A1975EB-27E6-491D-94BC-6355FA25F40F}
Half-Life 2 --> "F:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Episode One --> "F:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two --> "F:\Program Files\Steam\steam.exe" steam://uninstall/420
Hero Editor V0.96 --> C:\WINDOWS\st6unst.exe -n "F:\Program Files\Hero Editor\ST6UNST.LOG"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Memory Manager Shared Components Update --> MsiExec.exe /I{855544EF-FF9E-4BB0-9CCF-B9D930FE6FFD}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MimarSinan CompreXX --> "C:\Documents and Settings\Erik\Application Data\{0A3EDBAE-2B00-4FD1-B634-A472E0AB8AE7}\comprexx.exe" REMOVE=TRUE MODIFY=FALSE
Mini-stream Ripper 2.7.4.100 2006.10.16 --> "C:\Program Files\Mini-stream\Mini-stream Ripper\unins000.exe"
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Myst for Windows 95 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Myst\DeIsL1.isu"
Natural Selection 3.2 --> "f:\program files\steam\steamapps\[email protected]\half-life\unins000.exe"
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
Peggle Extreme --> "F:\Program Files\Steam\steam.exe" steam://uninstall/3483
Picasa 2 --> "F:\Program Files\Picasa2\Uninstall.exe"
Portal --> "F:\Program Files\Steam\steam.exe" steam://uninstall/400
Quest3D Viewers 3.0e --> "F:\Program Files\Act-3D\Quest3D Viewers 3.0e\unins000.exe"
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
QuickTime for Windows (32-bit) --> C:\WINDOWS\QTW32DEL.EXE
Real Alternative 1.7.5 --> "F:\Program Files\Real Alternative\unins000.exe"
Steam --> F:\PROGRA~1\Steam\UNWISE.EXE F:\PROGRA~1\Steam\INSTALL.LOG
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
Twins video to iPod-Zune-PSP-3GP 1.0 --> "F:\Program Files\Twins Software\Twins video to iPod-Zune-PSP-3GP\unins000.exe"
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1171 / Error
Event Submitted/Written: 07/26/2008 06:50:21 AM
Event ID/Source: 4118 / Avira AntiVir
Event Description:
F:\Program Files\Steam\steamapps\common\astropop deluxe\WinAP.exeACCESS_VIOLATION20534155

Event Record #/Type1170 / Error
Event Submitted/Written: 07/26/2008 06:48:21 AM
Event ID/Source: 4118 / Avira AntiVir
Event Description:
C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xmlUNKNOWN20533248

Event Record #/Type1166 / Warning
Event Submitted/Written: 07/26/2008 06:44:06 AM
Event ID/Source: 866 / Software Restriction Policies
Event Description:
Access to C:\Program Files\Internet Explorer\iexplore.exe has been restricted by your Administrator by location with policy rule {fc768d98-109c-4ac5-8e23-76e7576365bc} placed on path C:\Program Files\Internet Explorer\iexplore.exe

Event Record #/Type1165 / Warning
Event Submitted/Written: 07/26/2008 06:43:06 AM
Event ID/Source: 866 / Software Restriction Policies
Event Description:
Access to C:\Program Files\Internet Explorer\iexplore.exe has been restricted by your Administrator by location with policy rule {fc768d98-109c-4ac5-8e23-76e7576365bc} placed on path C:\Program Files\Internet Explorer\iexplore.exe

Event Record #/Type1164 / Error
Event Submitted/Written: 07/26/2008 06:43:00 AM
Event ID/Source: 4118 / Avira AntiVir
Event Description:
C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xmlUNKNOWN20533248



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type483 / Error
Event Submitted/Written: 07/26/2008 06:50:06 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type458 / Error
Event Submitted/Written: 07/26/2008 06:44:06 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%1260"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Event Record #/Type457 / Error
Event Submitted/Written: 07/26/2008 06:43:06 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%1260"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Event Record #/Type456 / Warning
Event Submitted/Written: 07/24/2008 10:16:19 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type455 / Error
Event Submitted/Written: 07/24/2008 07:03:07 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%1260"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding



-- End of Deckard's System Scanner: finished at 2008-07-26 07:00:30 ------------


Explorer killed successfully
File/Folder C:\WINDOWS\system32\drivers\hidclasss.sys not found.
File/Folder C:\WINDOWS\system32\drivers\core.cache.dsk not found.
< purity >
< emptytemp >
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\googlewebaccclient.exe.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccelerator.pac scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAcceleratorCache scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccWarden.exe.log scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07262008_064439

Files moved on Reboot...
C:\DOCUME~1\Erik\LOCALS~1\Temp\googlewebaccclient.exe.log moved successfully.
File C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccelerator.pac not found!
C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAcceleratorCache moved successfully.
C:\DOCUME~1\Erik\LOCALS~1\Temp\GoogleWebAccWarden.exe.log moved successfully.
  • 0

#19
Ltangelic
    Angel Annihilator of Malware
  • Retired Staff
  • 2,008 posts
Hey basstwo,

Very sorry for the delay, I was pretty busy the past few days.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#20
basstwo
    Member
  • Topic Starter
  • 12 posts
ComboFix 08-07-29.1 - Erik 2008-07-29 17:18:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.648 [GMT -7:00]
Running from: C:\Documents and Settings\Erik\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Amy\Application Data\macromedia\Flash Player\#SharedObjects\962MDJN8\interclick.com
C:\Documents and Settings\Amy\Application Data\macromedia\Flash Player\#SharedObjects\962MDJN8\interclick.com\ud.sol
C:\Documents and Settings\Amy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Amy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Need2Find
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bcmwyxli.ini
C:\WINDOWS\system32\bkokfohn.ini
C:\WINDOWS\system32\brelegoe.ini
C:\WINDOWS\system32\djlxqbog.ini
C:\WINDOWS\system32\dvvxskmn.ini
C:\WINDOWS\system32\eflkdwnm.ini
C:\WINDOWS\system32\exaxsrcl.ini
C:\WINDOWS\system32\fjeovmig.ini
C:\WINDOWS\system32\fnutoxmg.ini
C:\WINDOWS\system32\fwavabkt.ini
C:\WINDOWS\system32\fwimarye.ini
C:\WINDOWS\system32\gimbitmk.ini
C:\WINDOWS\system32\hutsxnuf.ini
C:\WINDOWS\system32\hxbkwggs.ini
C:\WINDOWS\system32\ibhfcvcl.ini
C:\WINDOWS\system32\kfxsyrkc.ini
C:\WINDOWS\system32\knhkssli.ini
C:\WINDOWS\system32\ksppniot.ini
C:\WINDOWS\system32\lgvfchjr.ini
C:\WINDOWS\system32\lhricmke.ini
C:\WINDOWS\system32\lljynavo.ini
C:\WINDOWS\system32\lmdjngtm.ini
C:\WINDOWS\system32\lujvqpyq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\movvaerm.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nrtrodib.ini
C:\WINDOWS\system32\nwpbxeut.ini
C:\WINDOWS\system32\opdomsxw.ini
C:\WINDOWS\system32\pbkkgsrs.ini
C:\WINDOWS\system32\pwgpcdlm.ini
C:\WINDOWS\system32\qkuyqthn.ini
C:\WINDOWS\system32\sadvdglj.ini
C:\WINDOWS\system32\sfjrsmms.ini
C:\WINDOWS\system32\siwfyjkv.ini
C:\WINDOWS\system32\ttnrdmfx.ini
C:\WINDOWS\system32\uwccofyr.ini
C:\WINDOWS\system32\vgdwnlpm.ini
C:\WINDOWS\system32\vhknofli.ini
C:\WINDOWS\system32\wdfipaoh.ini
C:\WINDOWS\system32\wdytknhn.ini
C:\WINDOWS\system32\xeagouco.ini
C:\WINDOWS\system32\yaswkguh.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-27 16:07 . 2008-07-27 16:07 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-27 16:07 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-07-27 16:07 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-07-27 16:07 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-07-27 16:06 . 2008-07-27 16:06 <DIR> d-------- C:\Program Files\THQ
2008-07-27 16:05 . 2008-07-27 16:05 <DIR> d-------- C:\Documents and Settings\Erik\Application Data\InstallShield
2008-07-26 06:57 . 2008-07-26 06:57 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-23 18:52 . 2008-07-23 18:52 <DIR> d-------- C:\Documents and Settings\Amy\Application Data\Malwarebytes
2008-07-23 08:41 . 2008-07-23 08:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 08:41 . 2008-07-23 08:41 <DIR> d-------- C:\Documents and Settings\Erik\Application Data\Malwarebytes
2008-07-23 08:41 . 2008-07-23 08:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-07-23 08:41 . 2008-07-20 20:25 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-23 08:41 . 2008-07-20 20:25 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 21:46 . 1995-12-15 02:10 346,112 -ra------ C:\WINDOWS\system\QTIM32.DLL
2008-07-22 21:46 . 2008-07-22 21:46 553 --a------ C:\WINDOWS\WININI.QTW
2008-07-22 21:46 . 2008-07-22 21:46 227 --a------ C:\WINDOWS\SYSINI.QTW
2008-07-22 21:46 . 2008-07-22 22:03 203 --a------ C:\WINDOWS\QTW.INI
2008-07-22 20:36 . 2008-07-22 21:45 <DIR> d-------- C:\Program Files\Myst
2008-07-22 19:39 . 2008-07-22 19:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg8
2008-07-21 16:54 . 1994-09-21 06:00 12,800 --a------ C:\WINDOWS\system\WING32.DLL
2008-07-21 09:14 . 2008-07-21 13:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-21 09:07 . 2008-07-21 09:07 <DIR> d-------- C:\Program Files\AVG
2008-07-20 08:44 . 2008-07-20 08:44 <DIR> d-------- C:\_OTMoveIt
2008-07-18 20:05 . 2008-07-21 13:04 <DIR> d-------- C:\VundoFix Backups
2008-07-18 19:53 . 2008-07-18 19:53 <DIR> d-------- C:\Program Files\Avira
2008-07-18 19:53 . 2008-07-22 20:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-07-18 19:49 . 2008-07-18 19:49 1,254 --ahs---- C:\WINDOWS\system32\khqyybcx.ini
2008-07-18 19:46 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-16 19:45 . 2008-07-16 19:45 1,074 --ahs---- C:\WINDOWS\system32\kndqiphe.ini
2008-07-15 19:42 . 2008-07-16 19:43 1,014 --ahs---- C:\WINDOWS\system32\xguvhcdj.ini
2008-07-14 19:40 . 2008-07-14 23:57 954 --ahs---- C:\WINDOWS\system32\uolcqian.ini
2008-07-09 20:09 . 2008-07-14 19:38 714 --ahs---- C:\WINDOWS\system32\vrvvvyoo.ini
2008-06-02 08:59 . 2008-06-02 09:00 894 --ahs---- C:\WINDOWS\system32\nbgomeeg.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-26 13:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-24 03:40 --------- d-----w C:\Program Files\Unlocker
2008-07-23 05:02 --------- d-----w C:\Program Files\QuickTime
2008-07-23 05:01 --------- d-----w C:\Program Files\Apple Software Update
2008-07-23 04:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-19 02:46 --------- d-----w C:\Program Files\Java
2008-05-16 18:51 3,878 --sha-w C:\WINDOWS\system32\krjkbgga.tmp
2008-05-08 00:07 96 ----a-w C:\Documents and Settings\Erik\File List Generator.bat
2008-04-18 01:42 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-13 19:44 114,688 -c--a-w C:\WINDOWS\system32\wmatimer.dll
2008-04-18 02:00 80 --sh--r C:\WINDOWS\system32\115F54CB1A.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 20:58 68856]
"Steam"="f:\program files\steam\steam.exe" [2008-04-06 20:25 1271032]
"Toggler"="F:\Program Files\togglr10\toggler.exe" [2001-01-20 10:01 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 22:00 864256]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-01 21:15 15872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="F:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 18:17 443968]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life\\hl.exe"=
"F:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life blue shift\\hl.exe"=
"F:\\Program Files\\Steam\\steamapps\\[email protected]\\opposing force\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Mini-stream\\Mini-stream Ripper\\Ripper.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"F:\\Program Files\\Steam\\steam.exe"=
"F:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=
"F:\\Program Files\\Creative Memories\\Memory Manager\\Memories2.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=

S1 hidclasss;hidclasss;C:\WINDOWS\system32\drivers\hidclasss.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb83f91-8e44-11db-b1b5-0020ed21c526}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll

O16 -: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
C:\WINDOWS\Downloaded Program Files\DragDropUploader.inf
C:\WINDOWS\Downloaded Program Files\Pixami Upload Control.ocx
C:\WINDOWS\Downloaded Program Files\DragDropUploadUI.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 17:22:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-29 17:27:08
ComboFix-quarantined-files.txt 2008-07-30 00:26:05

Pre-Run: 1,619,513,344 bytes free
Post-Run: 1,767,190,528 bytes free

192 --- E O F --- 2008-04-30 23:13:07


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:50 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\program files\steam\steam.exe
F:\Program Files\togglr10\toggler.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Flipper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Toggler] F:\Program Files\togglr10\toggler.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotoce...ropUploader.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7138 bytes
  • 0
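As an added example that is not part of the thread or of HijackThis itself: a small Python parser for the O9/O16/O23 lines of a log like the one above, with a defender-side triage pass that flags services with no vendor or a missing binary and notes O16 ActiveX entries whose URL the forum display truncated with "...", since those must be resolved to the full origin before anyone judges them. The sample lines are constructed; the "Update Helper" service entry is invented for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the HijackThis format of the log above.
# The last O23 line is invented; the others mirror real entries.
SAMPLE_LOG = """\
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Update Helper (updhlp) - Unknown owner - C:\\WINDOWS\\system32\\updhlp.exe (file missing)
"""

# One pattern per section body; the short service name in O23 is optional
# (HijackThis omits it for some services, as in the Apple line above).
PATTERNS = {
    "O9": re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.+?)\) - (?P<url>\S+)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - (?P<company>.+?) - (?P<path>.+)$"),
}

def parse_hjt(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn O9/O16/O23 lines into dicts; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m or m.group(1) not in PATTERNS:
            continue
        body = PATTERNS[m.group(1)].match(m.group(2))
        if body:
            entries.append({"section": m.group(1), **body.groupdict()})
    return entries

def triage(entries: List[Dict[str, Optional[str]]]) -> List[str]:
    """Flag services with no vendor string or a missing binary, and O16
    ActiveX downloads whose URL was truncated in the forum display."""
    findings = []
    for e in entries:
        if e["section"] == "O23":
            if e["company"] == "Unknown owner":
                findings.append(f"O23 no vendor: {e['name']} -> {e['path']}")
            if e["path"].endswith("(file missing)"):
                findings.append(f"O23 file missing: {e['name']}")
        elif e["section"] == "O16" and "..." in e["url"]:
            findings.append(f"O16 truncated URL, resolve before judging: {e['name']}")
    return findings
```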

#21
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey basstwo,

Looks like ComboFix took out quite a bit of trash, but there are still files to remove.


1) Run CFScript to delete malicious files/services


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo...32#entry1295632

Collect::
C:\WINDOWS\system32\wmatimer.dll
C:\WINDOWS\system32\khqyybcx.ini
C:\WINDOWS\system32\kndqiphe.ini
C:\WINDOWS\system32\xguvhcdj.ini
C:\WINDOWS\system32\uolcqian.ini
C:\WINDOWS\system32\vrvvvyoo.ini
C:\WINDOWS\system32\nbgomeeg.tmp
C:\WINDOWS\system32\krjkbgga.tmp

Driver::
hidclasss

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb83f91-8e44-11db-b1b5-0020ed21c526}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

2) Upload suspicious files for analysis

Please ensure you can view hidden files and folders by doing the following:

  • Go to Start>Control Panel and go under Appearances and Themes
  • Click on Folder Options and go under View tab
  • Ensure that "Show hidden files and folders" is selected and click Apply

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\WINDOWS\Setup1.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Please do the same for the file below:

C:\WINDOWS\system32\wmatimer.dll



Fresh HijackThis log
ComboFix.txt
Virscan results

  • 0

#22
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#23
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
