I have military time and virus alert on taskbar [CLOSED]


  • This topic is locked

#1
jf2008 (Member, 24 posts)
I have a virus that won't let me change the background...
has military time on task bar with "virus alert!" in all caps...
after a while it'll go dormant and reboots and shuts off every 60 seconds (more or less).
  • 0


#2
Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello jf2008 and welcome to Geeks to Go,

Please read this topic, and post your logs back in this topic when you are done.
  • 0

#3
jf2008 (Topic Starter, Member, 24 posts)
Hi,
I downloaded Stopzilla and ran it.
Man, what a change. I also followed instructions on how to manually change the military time... It worked.
After running Stopzilla everything's pretty much back to normal....except..

Every once in a while I'm getting this red outline ad with "Warning! Severe System Errors Detected!
The application has detected 0 Severe System Errors on your computer."

It has a "Repair Now" on the bottom right.

It's got a tiny white "x" on the top right. I click it and it goes away for about 40 minutes.


Other than this we can now log in to our emails ... check out the internet..
That sort of thing. Is there any software or instructions to identify this little red ad?
  • 0

#4
Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello jf2008,
Please read the link that I gave you in my first reply, and post the logs back here. :)
  • 0

#5
jf2008 (Topic Starter, Member, 24 posts)
Hi Jimmy2012,
jf2008 here, Please forgive me... I'm relatively new at this. I can follow directions but sometimes I get a little lost.
I downloaded HijackThis and ran it. This is the log I received.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:30, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\sj652\hpupdate.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ares Ultra\Ares Ultra.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
O3 - Toolbar: (no name) - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Update 3400C] C:\sj652\hpupdate.exe 3400C
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iPodConverterSuite_upgrade] "C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\tjipufhh.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - HKCU\..\Run: [ares ultra] C:\Program Files\Ares Ultra\Ares Ultra.exe -h
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O21 - SSODL: evgratsm - {FFCD4999-BE62-468A-AF28-C2CA423682F6} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - c:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8808 bytes

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks. Jf2008
  • 0
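The log above is read by eye in this thread; the following is an added example (not code from the thread and not part of HijackThis) that applies the same kind of checks in Python: random-looking DLL names under system32, autoruns launched from user-writable folders, startup items in the SYSTEM/Default profiles, dangling "(no file)" references and repeated Winsock LSP lines. The heuristics are this example's own assumptions, and the sample lines are a constructed subset of the entries posted above.

```python
"""Triage HijackThis v2.0 log lines with a few defender-side heuristics.

Added example: not code from the thread and not part of HijackThis. The
heuristics are this example's own assumptions about what a helper looks
for in the O2/O3/O4/O10/O21 sections of a log.
"""
import re
from collections import Counter

# "O4 - HKLM\..\Run: [name] command", also the HKUS\<sid>\..\Run form
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - S-1-5-18 Startup: file (User 'SYSTEM')" and ".DEFAULT User Startup: ..."
STARTUP_RE = re.compile(r"^O4 - (?P<who>\S+) (?:User )?Startup: (?P<cmd>.*)$")
# A DLL under system32 whose basename is 6-10 plain letters (heuristic only)
SYS32_DLL_RE = re.compile(r"\\system32\\([A-Za-z]{6,10}\.dll)\b", re.I)
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\")
SYSTEM_PROFILES = ("S-1-5-18", ".DEFAULT")

# Constructed sample: a subset of the entries from the log posted above
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} - C:\WINDOWS\system32\ljJYOeFy.dll (file missing)
O2 - BHO: {45931b96-a520-d10a-5b54-6ef1d2fc5cb6} - {6bc5cf2d-1fe6-45b5-a01d-025a69b13954} - C:\WINDOWS\system32\mzxlng.dll
O3 - Toolbar: (no name) - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\tjipufhh.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O21 - SSODL: evgratsm - {FFCD4999-BE62-468A-AF28-C2CA423682F6} - (no file)
"""


def _finding(severity, line, reason):
    return {"severity": severity, "reason": reason, "line": line}


def triage(log_text):
    """Return a list of findings (dicts with severity, reason, line)."""
    findings = []
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    for line in lines:
        low = line.lower()
        if line.startswith(("O2 ", "O3 ", "O4 ", "O21 ")):
            m = SYS32_DLL_RE.search(line)
            if m:
                findings.append(_finding(
                    "high", line, f"random-looking DLL name in system32: {m.group(1)}"))
        if low.endswith(("(no file)", "(file missing)")):
            findings.append(_finding("low", line, "dangling reference: target file absent"))
        run = RUN_RE.match(line)
        if run:
            if any(p in run.group("cmd").lower() for p in USER_WRITABLE):
                findings.append(_finding(
                    "medium", line, "autorun launched from a user-writable folder"))
            if any(run.group("hive").startswith("HKUS\\" + p) for p in SYSTEM_PROFILES):
                findings.append(_finding(
                    "medium", line, "Run entry in the SYSTEM/Default user hive"))
        start = STARTUP_RE.match(line)
        if start and start.group("who") in SYSTEM_PROFILES:
            findings.append(_finding(
                "medium", line, "Startup-folder item in the SYSTEM/Default profile"))
        if line.startswith("R1 ") and "Default_Search_URL" in line:
            findings.append(_finding("low", line, "default search URL has been changed"))
    # HijackThis prints one O10 line per LSP slot; the same DLL repeated many
    # times is worth a look (here it is the STOPzilla LSP: benign but noisy)
    for text, n in Counter(l for l in lines if l.startswith("O10 ")).items():
        if n > 1:
            findings.append(_finding("low", text, f"Winsock LSP entry listed {n} times"))
    return findings


def by_severity(findings):
    """Count findings per severity level."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print(dict(by_severity(triage(SAMPLE_LOG))))
```

The name-shape check is deliberately loose and will flag some legitimate DLLs; it is a prompt to look the file up, not a verdict.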

#6
Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello jf2008,

Please forgive me... I'm relatively new at this. I can follow directions but sometimes I get a little lost.

That's no problem; if you have any questions or are just not sure about something, please feel free to ask. :)

I did not see any anti-virus software on your computer. Without any anti-virus software you can get a virus more easily. I recommend that you download an anti-virus program. Here are two to choose from (both of them are free).
AntiVir
AVG
Out of these two I would recommend AntiVir. Please only install one anti-virus on your computer at a time. Running more than one at a time can cause conflicts and can also slow your computer down. If you need any help installing one please let me know.

Also I did not see a firewall on your computer. A firewall can help protect you from hackers and some types of malware. I recommend you download a firewall. Here are a few to choose from (all are free).
Comodo
Zone Alarm
OutPost
Out of these I would recommend Comodo; please only install one firewall at a time. If you need any help installing/using one of these firewalls please let me know.

Please rename HijackThis.exe to Flipper.exe. To rename a file, right click on the file and click rename.

STEP 1
I see that you have a P2P (Peer to Peer) program on your computer. While the program itself may be safe, the files you get can be illegal and can also have malware in them. I recommend you remove the following program. (If you do not want to remove the P2P program, please skip this step and go to the next one.)

Please click Start > Control Panel > Add/Remove Programs, and remove the following programs (if present). Also remove any other P2P programs you may have.
Ares

Once you have done that, please remove the following folder (if present):
C:\Program Files\Ares Ultra

STEP 2
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum
STEP 3
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
~~~~~~~~~~
In your next reply please have these logs.
The SDFix log
And the DSS main.txt and extra.txt
  • 0

#7
jf2008 (Topic Starter, Member, 24 posts)
Hi Jimmy2012,

I did step 1 = remove ares, ares tube Plus folders.

I did step 2 = I ran SDFix and this is the report. I forgot I had Stopzilla running and it sort of interfered a little.
I interrupted Stopzilla and it continued with the process.
I'm starting Step 3 now.

================================================================

SDFix: Version 1.210
Run by JF1954 on Thu 07/31/2008 at 02:59

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFIX\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting

Service AdvPowerMgmt - Deleted
Service asc3550p - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\HPGREG32.DLL - Deleted
C:\WINDOWS\SYSTEM32\HPSJ32.DLL - Deleted
C:\WINDOWS\SYSTEM32\HPSJVSET.DLL - Deleted
C:\WINDOWS\SYSTEM32\IPEAPI12.DLL - Deleted
C:\WINDOWS\SYSTEM32\IPEBAS~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\IPEIST~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFCMP70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFFAX70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFFPX70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFGIF70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFPCX70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFPNG70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LFTIF70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LTFIL70N.DLL - Deleted
C:\WINDOWS\SYSTEM32\LTKRN70N.DLL - Deleted
C:\WINDOWS\cuawsppw\1.png - Deleted
C:\WINDOWS\cuawsppw\2.png - Deleted
C:\WINDOWS\cuawsppw\3.png - Deleted
C:\WINDOWS\cuawsppw\4.png - Deleted
C:\WINDOWS\cuawsppw\5.png - Deleted
C:\WINDOWS\cuawsppw\6.png - Deleted
C:\WINDOWS\cuawsppw\7.png - Deleted
C:\WINDOWS\cuawsppw\8.png - Deleted
C:\WINDOWS\cuawsppw\9.png - Deleted
C:\WINDOWS\cuawsppw\bottom-rc.gif - Deleted
C:\WINDOWS\cuawsppw\config.png - Deleted
C:\WINDOWS\cuawsppw\content.png - Deleted
C:\WINDOWS\cuawsppw\download.gif - Deleted
C:\WINDOWS\cuawsppw\frame-bg.gif - Deleted
C:\WINDOWS\cuawsppw\frame-bottom-left.gif - Deleted
C:\WINDOWS\cuawsppw\frame-h1bg.gif - Deleted
C:\WINDOWS\cuawsppw\head.png - Deleted
C:\WINDOWS\cuawsppw\icon.png - Deleted
C:\WINDOWS\cuawsppw\indexwp.html - Deleted
C:\WINDOWS\cuawsppw\main.css - Deleted
C:\WINDOWS\cuawsppw\memory-prots.png - Deleted
C:\WINDOWS\cuawsppw\net.png - Deleted
C:\WINDOWS\cuawsppw\pc.gif - Deleted
C:\WINDOWS\cuawsppw\pc-mag.gif - Deleted
C:\WINDOWS\cuawsppw\poloska1.png - Deleted
C:\WINDOWS\cuawsppw\poloska2.png - Deleted
C:\WINDOWS\cuawsppw\poloska3.png - Deleted
C:\WINDOWS\cuawsppw\promowp1.html - Deleted
C:\WINDOWS\cuawsppw\promowp2.html - Deleted
C:\WINDOWS\cuawsppw\promowp3.html - Deleted
C:\WINDOWS\cuawsppw\promowp4.html - Deleted
C:\WINDOWS\cuawsppw\promowp5.html - Deleted
C:\WINDOWS\cuawsppw\reg.png - Deleted
C:\WINDOWS\cuawsppw\repair.png - Deleted
C:\WINDOWS\cuawsppw\scr-1.png - Deleted
C:\WINDOWS\cuawsppw\scr-2.png - Deleted
C:\WINDOWS\cuawsppw\start.png - Deleted
C:\WINDOWS\cuawsppw\styles.css - Deleted
C:\WINDOWS\cuawsppw\top-rc.gif - Deleted
C:\WINDOWS\cuawsppw\vline.gif - Deleted
C:\WINDOWS\cuawsppw\wp.png - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt10.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt10C.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt11.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt12.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt126.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt128.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt12D.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt13.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt133.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt135.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt137.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt14.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt15.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt16.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt17.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt18.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1A.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1C.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1D.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt1E.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt20.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt22.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt24.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt26.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt27.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt28.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt29.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2A.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2C.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2D.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2E.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt2F.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt3.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt31.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt7.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt9.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.tt9A.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttA.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttB.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttC.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttE.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\.ttF.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\vistasp1.exe.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\tmp43.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\tmp46.tmp - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\s1265.php - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\software.php - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\software.php.bat - Deleted
C:\DOCUME~1\JF1954\LOCALS~1\Temp\vistasp1.exe - Deleted
C:\WINDOWS\conf.inf - Deleted
C:\WINDOWS\Config\csrss.exe - Deleted
C:\WINDOWS\ky.sxc - Deleted
C:\WINDOWS\msa64chk.dll - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 17:05:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\wincmd\\WINCMD32.EXE"="C:\\wincmd\\WINCMD32.EXE:*:Enabled:Windows Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Disabled:WinDVD"
"C:\\Yahoo!\\Messenger\\YPager.exe"="C:\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Yahoo!\\Messenger\\YServer.exe"="C:\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\iConferenceCL\\BIN\\hotComm.exe"="C:\\Program Files\\iConferenceCL\\BIN\\hotComm.exe:*:Enabled:hotCommCL"
"C:\\Program Files\\OUGOMessenger\\main.exe"="C:\\Program Files\\OUGOMessenger\\main.exe:*:Enabled:OUGO Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ćTorrent"
"C:\\Program Files\\Ares Ultra\\Ares Ultra.exe"="C:\\Program Files\\Ares Ultra\\Ares Ultra.exe:*:Enabled:Ares Ultra p2p for windows"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Disabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"="C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe:*:Disabled:McAfee Data Backup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFIX\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 21 Oct 2006 209 A.SHR --- "C:\BOOT.BAK"
Mon 25 Jun 2007 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 22 May 2008 1,522,387 A.SH. --- "C:\WINDOWS\system32\spkpygda.tmp"
Fri 28 Jul 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 25 Jun 2007 1,163 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Fri 28 Jul 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Mon 25 Jun 2007 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 2 Apr 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Sat 28 Jul 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Sat 28 Jul 2007 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Sat 27 Oct 2007 24,064 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL0001.tmp"
Sun 9 Dec 2007 24,064 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL0454.tmp"
Wed 19 Dec 2007 95,928,832 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL1421.tmp"
Wed 3 Jan 2007 26,112 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL2510.tmp"
Wed 19 Dec 2007 95,927,808 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL2585.tmp"
Wed 3 Jan 2007 25,600 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL3204.tmp"
Wed 3 Jan 2007 28,160 ...H. --- "C:\Documents and Settings\JF1954\My Documents\~WRL3856.tmp"
Wed 18 Jun 2003 53,248 A..H. --- "C:\Documents and Settings\jf1954.YOUR-9K1AY6X2A2\Start Menu\Programs\Startup\AutoTBar.exe"

Finished!
  • 0

#8
jf2008 (Topic Starter, Member, 24 posts)
Jimmy2012,
Here's the main.txt
===================

Deckard's System Scanner v20071014.68
Run by JF1954 on 2008-07-31 17:41:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
19: 2008-07-31 22:41:46 UTC - RP19 - Deckard's System Scanner Restore Point
18: 2008-07-31 22:39:42 UTC - RP18 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
17: 2008-07-31 19:19:32 UTC - RP17 - Avira AntiVir Personal - 7/31/2008 14:19
16: 2008-07-31 02:29:41 UTC - RP16 - Avira AntiVir Personal - 7/30/2008 21:29
15: 2008-07-31 01:32:19 UTC - RP15 - Avira AntiVir Personal - 7/30/2008 20:31


-- First Restore Point --
1: 2008-07-23 00:31:03 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JF1954.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:29, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\sj652\hpupdate.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\JF1954\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JF1954.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} - C:\WINDOWS\system32\ljJYOeFy.dll (file missing)
O2 - BHO: (no name) - {21C63899-6532-40D7-8379-7ED788B98D28} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {45931b96-a520-d10a-5b54-6ef1d2fc5cb6} - {6bc5cf2d-1fe6-45b5-a01d-025a69b13954} - C:\WINDOWS\system32\mzxlng.dll
O2 - BHO: (no name) - {6C7D8557-73CE-4AC8-89C0-96B8BA4BB668} - (no file)
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B86749C-DEC9-424F-B2A3-1F55270962FD} - C:\WINDOWS\system32\opnlKBqp.dll
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: (no name) - {DC3710DC-8B5F-4087-AFCD-E0973218444D} - (no file)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
O3 - Toolbar: (no name) - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Update 3400C] C:\sj652\hpupdate.exe 3400C
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iPodConverterSuite_upgrade] "C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\tjipufhh.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: ljJCrPJB - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - c:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 9339 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 EvcapMaui (Emuzed EvcapMaui Device) - c:\windows\system32\drivers\evcapmau.sys <Not Verified; Emuzed, Inc.; Emuzed Maui>
R3 ltmodem5 (LT Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys <Not Verified; LT; LT V.92 Data+Fax Modem Version 8.28>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 StillCam (Still Serial Digital Camera Driver) - c:\windows\system32\drivers\serscan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S3 MR97310_USB_DUAL_CAMERA (MR97310 CIF Dual Mode Camera) - c:\windows\system32\drivers\mr97310c.sys <Not Verified; Mars Semiconductor Corp.; USB Dual-Mode Camera>
S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal - Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-28 07:24:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-10 08:47:00 336 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY3813N41D7A.job


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 14:51:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-31 14:21:32 0 d-------- C:\Program Files\Avira
2008-07-31 14:21:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-30 20:43:24 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Adobe
2008-07-30 20:27:18 4350 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-30 20:26:27 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-30 20:26:27 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-30 20:26:27 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-30 20:26:27 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-30 20:26:27 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-30 20:26:27 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-30 20:26:27 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-30 20:26:27 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-30 19:01:50 0 d-------- C:\Documents and Settings\JF1954\Application Data\Recordpad
2008-07-30 19:01:47 0 d-------- C:\Documents and Settings\JF1954\Application Data\NCH Swift Sound
2008-07-30 19:01:31 0 d-------- C:\Program Files\NCH Software
2008-07-30 19:01:27 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-29 18:27:44 120448 --a------ C:\WINDOWS\system32\mzxlng.dll
2008-07-29 18:27:43 120448 --a------ C:\WINDOWS\system32\uoeecuoi.dll
2008-07-29 18:22:07 695553 --ahs---- C:\WINDOWS\system32\pqBKlnpo.ini2
2008-07-29 18:22:00 323584 --a------ C:\WINDOWS\system32\opnlKBqp.dll
2008-07-28 14:48:10 0 d-------- C:\Program Files\Albatross
2008-07-28 08:48:05 0 d-------- C:\Program Files\Lavasoft
2008-07-27 19:18:48 0 dr-h----- C:\Documents and Settings\JF1954\Recent
2008-07-27 13:59:13 635243 --ahs---- C:\WINDOWS\system32\AIPrAcdd.ini2
2008-07-25 16:47:37 116352 --a------ C:\WINDOWS\system32\pgzlhz.dll
2008-07-25 16:47:33 116352 --a------ C:\WINDOWS\system32\wnpnuyym.dll
2008-07-25 16:14:28 116352 --a------ C:\WINDOWS\system32\awsrpt.dll
2008-07-25 16:14:22 116352 --a------ C:\WINDOWS\system32\mvktdbye.dll
2008-07-25 16:02:23 0 d-------- C:\Program Files\USS
2008-07-25 16:02:21 0 --a------ C:\END
2008-07-23 21:53:31 877472 --ahs---- C:\WINDOWS\system32\lTDNonmp.ini2
2008-07-23 21:26:30 0 d-------- C:\Documents and Settings\JF1954\Application Data\Simply Super Software
2008-07-23 18:12:41 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\SACore
2008-07-22 12:35:06 0 d-------- C:\Documents and Settings\JF1954\Application Data\TmpRecentIcons
2008-07-22 09:56:41 0 d-------- C:\photoshopplugins
2008-07-21 10:36:35 0 d-------- C:\WINDOWS\Splash Screens
2008-07-19 15:26:44 0 d-------- C:\Documents and Settings\JF1954\Application Data\MP3toiPodAudioBookConverter
2008-07-19 15:20:41 0 d-------- C:\Program Files\MP3ToIpodAudioBookConverter
2008-07-18 17:26:50 0 d-------- C:\Program Files\Duplicate Music Files Finder
2008-07-18 15:21:58 0 d-------- C:\Documents and Settings\JF1954\Application Data\TuneUpMedia
2008-07-18 15:21:06 0 d-------- C:\Program Files\TuneUpMedia
2008-07-18 15:20:54 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUpMedia
2008-07-18 11:14:46 0 d-------- C:\Program Files\PowerISO
2008-07-18 11:13:45 0 d-------- C:\poweriso
2008-07-17 18:42:39 0 d-------- C:\audiobooks
2008-07-17 17:46:55 0 d-------- C:\Documents and Settings\JF1954\Application Data\McAfee
2008-07-17 17:15:52 433664 --a------ C:\ipodpatcher.exe
2008-07-17 17:15:52 13899776 --a------ C:\Firmware.bin
2008-07-07 02:40:49 56108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Find3M Report ---------------------------------------------------------------

2008-07-31 17:40:04 0 d-------- C:\Program Files\STOPzilla!
2008-07-31 08:44:52 0 d-------- C:\Program Files\Trend Micro
2008-07-30 19:08:51 0 d-------- C:\Documents and Settings\JF1954\Application Data\Lavasoft
2008-07-30 19:08:18 0 d-------- C:\Program Files\Common Files
2008-07-30 19:06:44 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-30 19:05:41 0 d-------- C:\Program Files\WorldMerge
2008-07-30 17:39:14 0 d-------- C:\Documents and Settings\JF1954\Application Data\SeekmoToolbar
2008-07-25 16:23:58 0 d-------- C:\Documents and Settings\JF1954\Application Data\Azureus
2008-07-18 15:21:51 0 d-------- C:\Documents and Settings\JF1954\Application Data\Mozilla
2008-07-18 15:21:17 0 d-------- C:\Program Files\iTunes
2008-07-18 10:37:56 0 d-------- C:\Program Files\Xilisoft
2008-07-18 08:38:41 0 d-------- C:\Program Files\Winamp
2008-07-16 10:56:07 1 --a------ C:\Documents and Settings\JF1954\Application Data\FrontEndCD.ini
2008-07-15 18:23:30 181 --a------ C:\WINDOWS\system32\MSXGGBDRIVER.DLL
2008-07-10 18:58:00 0 d-------- C:\Program Files\Solveig Multimedia
2008-07-04 15:04:40 0 d-------- C:\Program Files\Azureus
2008-07-03 19:01:47 0 d-------- C:\Documents and Settings\JF1954\Application Data\Adobe
2008-06-29 12:21:14 0 d-------- C:\Program Files\Bonjour
2008-06-29 12:21:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 12:02:35 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-27 07:42:47 0 d-------- C:\Program Files\Acoustica CD Label Maker
2008-06-26 16:54:13 0 d-------- C:\Program Files\WorldCast
2008-06-25 13:40:30 0 d-------- C:\Program Files\MailBoy 2004
2008-06-25 10:29:16 0 d-------- C:\Program Files\Total Training
2008-06-20 18:58:46 0 d-------- C:\Program Files\Free Submitter Pro
2008-06-20 10:38:00 0 d-------- C:\Program Files\Gallery Wizard
2008-06-01 15:03:31 1523778 --ahs---- C:\WINDOWS\system32\spkpygda.ini2
2008-05-21 00:07:10 909291 --ahs---- C:\WINDOWS\system32\MnnTwGgh.ini2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD}]
C:\WINDOWS\system32\ljJYOeFy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21C63899-6532-40D7-8379-7ED788B98D28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6bc5cf2d-1fe6-45b5-a01d-025a69b13954}]
07/29/2008 06:27 120448 --a------ C:\WINDOWS\system32\mzxlng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C7D8557-73CE-4AC8-89C0-96B8BA4BB668}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{702EA91C-1ACF-4772-8078-18F2B2EE1031}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B86749C-DEC9-424F-B2A3-1F55270962FD}]
07/29/2008 06:22 323584 --a------ C:\WINDOWS\system32\opnlKBqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B904910-78A4-489D-A825-5111B883A5B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC3710DC-8B5F-4087-AFCD-E0973218444D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/04/2004 12:56]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Update 3400C"="C:\sj652\hpupdate.exe" [02/01/2002 02:33]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04/11/2003 03:25]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/28/2003 09:43]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [05/21/2003 06:37]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/21/2001 04:54]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"iPodConverterSuite_upgrade"="C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" [11/29/2007 03:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20]
"USS"="C:\Program Files\USS\USS.exe" []
"f0c81030"="C:\WINDOWS\system32\tjipufhh.dll" []
"BMf3fb23ac"="C:\WINDOWS\system32\dwacphgc.dll" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [01/06/2005 08:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [07/16/2007 03:17]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD}"= C:\WINDOWS\system32\ljJYOeFy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrPJB]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnlKBqp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-07-31 17:44:17 ------------

=======================
Here's the Extra.txt
=======================
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 511.29 MiB / 146.71 MiB
Pagefile Memory (total/avail): 1249.83 MiB / 871.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1953.98 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 106.58 GiB total, 50.58 GiB free.
D: is Fixed (FAT32) - 5.19 GiB total, 0.88 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)
U: is Removable (No Media)
V: is Removable (No Media)
W: is Removable (No Media)
X: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200AB-00DYA0 - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 5.2 GiB - D:
\PARTITION1 (bootable) - Installable File System - 106.58 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.)
AV: Avira AntiVir PersonalEdition v8.0.1.26 (Avira GmbH) Outdated
AV: Trend Micro PC-cillin Internet Security 2007 v15.00.1329 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\wincmd\\WINCMD32.EXE"="C:\\wincmd\\WINCMD32.EXE:*:Enabled:Windows Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Disabled:WinDVD"
"C:\\Yahoo!\\Messenger\\YPager.exe"="C:\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Yahoo!\\Messenger\\YServer.exe"="C:\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\iConferenceCL\\BIN\\hotComm.exe"="C:\\Program Files\\iConferenceCL\\BIN\\hotComm.exe:*:Enabled:hotCommCL"
"C:\\Program Files\\OUGOMessenger\\main.exe"="C:\\Program Files\\OUGOMessenger\\main.exe:*:Enabled:OUGO Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Ares Ultra\\Ares Ultra.exe"="C:\\Program Files\\Ares Ultra\\Ares Ultra.exe:*:Enabled:Ares Ultra p2p for windows"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe:*:Disabled:Kaspersky Anti-Virus"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Disabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"="C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe:*:Disabled:McAfee Data Backup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JF1954\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JUAN-041AFD903F
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JF1954
LOGONSERVER=\\JUAN-041AFD903F
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JF1954\LOCALS~1\Temp
TMP=C:\DOCUME~1\JF1954\LOCALS~1\Temp
USERDOMAIN=JUAN-041AFD903F
USERNAME=JF1954
USERPROFILE=C:\Documents and Settings\JF1954
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

JF1954 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.exe"
--> "C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.exe"
--> "C:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.exe"
--> "C:\Program Files\USS\unins000.exe"
--> C:\Program Files\LexmarkX73\removeX73.exe
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acoustica CD Label Maker 1.13 --> C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AVI to DVD Converter --> C:\Program Files\Xilisoft\AVI to DVD Converter\Uninstall.exe
Avira AntiVir Personal - Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\setup.exe /REMOVE
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
BYOJeopardy .NET --> "C:\Program Files\BYOJeopardy_NET\unins000.exe"
BYOJeopardy 1.2.12 --> "C:\Program Files\BYOJeopardy\unins000.exe"
Camera Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D1B3874F-3057-11D6-B2EA-0050BA18806B}\Setup.exe"
CamStudio Lossless Codec --> rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\DRIVERS\camcodec.inf
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Draw Poker Gold Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Draw Poker Gold\Uninst.isu"
Duplicate Music Files Finder 1.5.5 --> "C:\Program Files\Duplicate Music Files Finder\unins000.exe"
DVD X Copy Platinum 4.0.3 --> "C:\Program Files\321Studios\Platinum\uninstall.exe"
FoxyTunes for Firefox --> "C:\PROGRA~1\MOZILL~1\firefox.exe" -chrome chrome://foxytunes/content/extras/uninstallExtension.xul
Free Submitter Pro --> C:\PROGRA~1\FREESU~1\UNWISE.EXE C:\PROGRA~1\FREESU~1\INSTALL.LOG
Gallery Wizard --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Gallery Wizard\DeIsL1.isu" -c"C:\Program Files\Gallery Wizard\_ISREG32.DLL"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Guitar Pro 4 --> MsiExec.exe /X{54A2CFDE-DC70-46E0-92AC-DC88F6303D39}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
hp deskjet 5100 --> msiexec /x{FEDA56C4-82F3-46DD-8B50-FC592BBE1C0D}
hp deskjet 5100 series --> rundll32 hpzcon09.dll,VendorJettison hp deskjet 5100 series
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - Deskjet Series --> MsiExec.exe /I{E0828692-FD9D-459F-9312-C645C3CA6650}
HP PrecisionScan LTX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\HPUninstallIs.dll"
hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iPhoto Plus 4 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\iPhoto Plus 4\DeIsL1.isu"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
MailBoy 2004 --> "C:\WINDOWS\MailBoy 2004\uninstall.exe" "/U:C:\Program Files\MailBoy 2004\irunin.xml"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Movie Mill --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F105766C-BE5A-49AE-8461-00D3A49243EB}
Mozilla Firefox (2.0.0.16) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MyAlbum version 2.5.5 --> "C:\Program Files\MyAlbum\unins000.exe"
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nero 7 Premium --> MsiExec.exe /I{40261D0A-A385-4C1A-A7DE-5F270D9B1033}
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PDFCreator --> "C:\Program Files\PDFCreator\unins000.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SMTP to Simple MAPI Gateway for Group Mail --> \UNWISE.EXE \SMTPtoMAPI.LOG
The Print Shop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}\setup.exe" -l0x9 anything
TuneUp Companion 0.33 --> C:\Program Files\TuneUpMedia\Uninstall.exe
Uninstall DreamSuite Bonus --> C:\WINDOWS\unvise32.exe c:\Program Files\Adobe\Adobe Photoshop CS3\Plug-Ins\DreamSuite Bonus\DreamSuite Bonus Uninstall.log
Vstascan --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{314C19E0-7FA5-11D5-A6B4-0050BA724CB6}\Setup.exe"
Winamp (Remove Only) --> C:\Program Files\Winamp\winamp.exe /UNINSTALL
Winamp Toolbar for Firefox --> "C:\Documents and Settings\JF1954\Application Data\Mozilla\Firefox\Profiles\7e6p9zg4.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe"
Windows Commander (Remove or Repair) --> c:\wincmd\wcuninst.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WorldCast 3.1 --> "C:\Program Files\WorldCast\unins000.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Music Jukebox --> MsiExec.exe /X{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2431 / Error
Event Submitted/Written: 07/31/2008 05:18:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINCMD32.EXE, version 5.1.1.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2430 / Error
Event Submitted/Written: 07/31/2008 05:18:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINCMD32.EXE, version 5.1.1.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2428 / Warning
Event Submitted/Written: 07/31/2008 05:04:34 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
BDS/Agent.688128C:\SDFIX\SDFix\backups\csrss.exe

Event Record #/Type2416 / Warning
Event Submitted/Written: 07/31/2008 02:37:18 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Agent.2810368C:\Program Files\Ares Ultra\Ares Ultra.exe

Event Record #/Type2415 / Error
Event Submitted/Written: 07/31/2008 02:37:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application guardgui.exe, version 8.1.4.5, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10127 / Error
Event Submitted/Written: 07/31/2008 04:32:11 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
PCIIde

Event Record #/Type10125 / Error
Event Submitted/Written: 07/31/2008 04:31:38 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.64 for the Network Card with network address 000C6EE06C0D has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type10122 / Error
Event Submitted/Written: 07/31/2008 02:51:28 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
avgio
avipbb
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
ohci1394
oreans32
PCIIde
RasAcd
Rdbss
SCDEmu
ssmdrv
Tcpip
WS2IFSL

Event Record #/Type10121 / Error
Event Submitted/Written: 07/31/2008 02:51:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type10120 / Error
Event Submitted/Written: 07/31/2008 02:51:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-07-31 17:44:17 ------------

#9 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello jf2008,
Please disable your Windows firewall. To do this, please click Start>Control Panel>Windows Firewall, choose Off (not recommended), then click OK.

And please uninstall AntiVir. To do this please click Start>Control Panel>Add or Remove Programs and then remove AntiVir.

STEP 1
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

STEP 2
Please rescan with DSS. To do this, please double-click on dss.exe and follow any prompts. When it is done it will open one Notepad file, main.txt. Please copy/paste the text in main.txt in your next reply.
~~~~~~~~~~
In your next reply please have these logs.
The VundoFix log
And the DSS main.txt

#10 jf2008 (Topic Starter, Member, 24 posts)
Hi,
I ran VundoFix and got the message that it had not encountered any files. I went to C:\VundoFix but the directory was empty. I ran DSS again (hijack). Here are the 2 txt files. Thanks!
=================================================

Deckard's System Scanner v20071014.68
Run by JF1954 on 2008-08-01 07:49:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as JF1954.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:22, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\sj652\hpupdate.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\JF1954\Desktop\dss(2).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JF1954.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://kingkongsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} - C:\WINDOWS\system32\ljJYOeFy.dll (file missing)
O2 - BHO: (no name) - {21C63899-6532-40D7-8379-7ED788B98D28} - (no file)
O2 - BHO: {d752f383-8f5c-34f8-3ee4-d9f378e97183} - {38179e87-3f9d-4ee3-8f43-c5f8383f257d} - C:\WINDOWS\system32\yhhvdu.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {63357EE9-0129-43B2-801A-97C80F7435BF} - C:\WINDOWS\system32\opnlKBqp.dll (file missing)
O2 - BHO: (no name) - {6C7D8557-73CE-4AC8-89C0-96B8BA4BB668} - (no file)
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: (no name) - {DC3710DC-8B5F-4087-AFCD-E0973218444D} - (no file)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (file missing)
O3 - Toolbar: (no name) - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Update 3400C] C:\sj652\hpupdate.exe 3400C
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iPodConverterSuite_upgrade] "C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\uebnodor.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - Winlogon Notify: ljJCrPJB - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - c:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 8522 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 07:32:18 0 d-------- C:\VundoFix Backups
2008-07-31 18:27:13 120960 --a------ C:\WINDOWS\system32\yhhvdu.dll
2008-07-31 18:27:12 120960 --a------ C:\WINDOWS\system32\avkwndar.dll
2008-07-31 18:24:12 99712 --a------ C:\WINDOWS\system32\uebnodor.dll
2008-07-31 14:51:34 0 d-------- C:\WINDOWS\ERUNT
2008-07-30 20:43:24 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Adobe
2008-07-30 20:27:18 4350 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-30 20:26:27 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-30 20:26:27 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-30 20:26:27 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-30 20:26:27 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-30 20:26:27 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-30 20:26:27 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-30 20:26:27 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-30 20:26:27 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-30 19:01:50 0 d-------- C:\Documents and Settings\JF1954\Application Data\Recordpad
2008-07-30 19:01:47 0 d-------- C:\Documents and Settings\JF1954\Application Data\NCH Swift Sound
2008-07-30 19:01:31 0 d-------- C:\Program Files\NCH Software
2008-07-30 19:01:27 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-29 18:27:44 120448 --a------ C:\WINDOWS\system32\mzxlng.dll
2008-07-29 18:27:43 120448 --a------ C:\WINDOWS\system32\uoeecuoi.dll
2008-07-29 18:22:07 625938 --ahs---- C:\WINDOWS\system32\pqBKlnpo.ini2
2008-07-28 14:48:10 0 d-------- C:\Program Files\Albatross
2008-07-28 08:48:05 0 d-------- C:\Program Files\Lavasoft
2008-07-27 19:18:48 0 dr-h----- C:\Documents and Settings\JF1954\Recent
2008-07-27 13:59:13 635243 --ahs---- C:\WINDOWS\system32\AIPrAcdd.ini2
2008-07-25 16:02:23 0 d-------- C:\Program Files\USS
2008-07-25 16:02:21 0 --a------ C:\END
2008-07-23 21:53:31 877472 --ahs---- C:\WINDOWS\system32\lTDNonmp.ini2
2008-07-23 21:26:30 0 d-------- C:\Documents and Settings\JF1954\Application Data\Simply Super Software
2008-07-23 18:12:41 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\SACore
2008-07-22 12:35:06 0 d-------- C:\Documents and Settings\JF1954\Application Data\TmpRecentIcons
2008-07-22 09:56:41 0 d-------- C:\photoshopplugins
2008-07-21 10:36:35 0 d-------- C:\WINDOWS\Splash Screens
2008-07-19 15:26:44 0 d-------- C:\Documents and Settings\JF1954\Application Data\MP3toiPodAudioBookConverter
2008-07-19 15:20:41 0 d-------- C:\Program Files\MP3ToIpodAudioBookConverter
2008-07-18 17:26:50 0 d-------- C:\Program Files\Duplicate Music Files Finder
2008-07-18 15:21:58 0 d-------- C:\Documents and Settings\JF1954\Application Data\TuneUpMedia
2008-07-18 15:21:06 0 d-------- C:\Program Files\TuneUpMedia
2008-07-18 15:20:54 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUpMedia
2008-07-18 11:14:46 0 d-------- C:\Program Files\PowerISO
2008-07-18 11:13:45 0 d-------- C:\poweriso
2008-07-17 18:42:39 0 d-------- C:\audiobooks
2008-07-17 17:46:55 0 d-------- C:\Documents and Settings\JF1954\Application Data\McAfee
2008-07-17 17:15:52 433664 --a------ C:\ipodpatcher.exe
2008-07-17 17:15:52 13899776 --a------ C:\Firmware.bin
2008-07-07 02:40:49 56108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Find3M Report ---------------------------------------------------------------

2008-07-31 17:40:04 0 d-------- C:\Program Files\STOPzilla!
2008-07-31 08:44:52 0 d-------- C:\Program Files\Trend Micro
2008-07-30 19:08:51 0 d-------- C:\Documents and Settings\JF1954\Application Data\Lavasoft
2008-07-30 19:08:18 0 d-------- C:\Program Files\Common Files
2008-07-30 19:06:44 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-30 19:05:41 0 d-------- C:\Program Files\WorldMerge
2008-07-30 17:39:14 0 d-------- C:\Documents and Settings\JF1954\Application Data\SeekmoToolbar
2008-07-25 16:23:58 0 d-------- C:\Documents and Settings\JF1954\Application Data\Azureus
2008-07-18 15:21:51 0 d-------- C:\Documents and Settings\JF1954\Application Data\Mozilla
2008-07-18 15:21:17 0 d-------- C:\Program Files\iTunes
2008-07-18 10:37:56 0 d-------- C:\Program Files\Xilisoft
2008-07-18 08:38:41 0 d-------- C:\Program Files\Winamp
2008-07-16 10:56:07 1 --a------ C:\Documents and Settings\JF1954\Application Data\FrontEndCD.ini
2008-07-15 18:23:30 181 --a------ C:\WINDOWS\system32\MSXGGBDRIVER.DLL
2008-07-10 18:58:00 0 d-------- C:\Program Files\Solveig Multimedia
2008-07-04 15:04:40 0 d-------- C:\Program Files\Azureus
2008-07-03 19:01:47 0 d-------- C:\Documents and Settings\JF1954\Application Data\Adobe
2008-06-29 12:21:14 0 d-------- C:\Program Files\Bonjour
2008-06-29 12:21:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 12:02:35 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-27 07:42:47 0 d-------- C:\Program Files\Acoustica CD Label Maker
2008-06-26 16:54:13 0 d-------- C:\Program Files\WorldCast
2008-06-25 13:40:30 0 d-------- C:\Program Files\MailBoy 2004
2008-06-25 10:29:16 0 d-------- C:\Program Files\Total Training
2008-06-20 18:58:46 0 d-------- C:\Program Files\Free Submitter Pro
2008-06-20 10:38:00 0 d-------- C:\Program Files\Gallery Wizard
2008-06-01 15:03:31 1523778 --ahs---- C:\WINDOWS\system32\spkpygda.ini2
2008-05-21 00:07:10 909291 --ahs---- C:\WINDOWS\system32\MnnTwGgh.ini2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD}]
C:\WINDOWS\system32\ljJYOeFy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21C63899-6532-40D7-8379-7ED788B98D28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38179e87-3f9d-4ee3-8f43-c5f8383f257d}]
07/31/2008 06:27 120960 --a------ C:\WINDOWS\system32\yhhvdu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63357EE9-0129-43B2-801A-97C80F7435BF}]
C:\WINDOWS\system32\opnlKBqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C7D8557-73CE-4AC8-89C0-96B8BA4BB668}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{702EA91C-1ACF-4772-8078-18F2B2EE1031}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B904910-78A4-489D-A825-5111B883A5B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC3710DC-8B5F-4087-AFCD-E0973218444D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/04/2004 12:56]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 C:\WINDOWS\ALCXMNTR.EXE]
"HP Update 3400C"="C:\sj652\hpupdate.exe" [02/01/2002 02:33]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04/11/2003 03:25]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/28/2003 09:43]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [05/21/2003 06:37]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/21/2001 04:54]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"iPodConverterSuite_upgrade"="C:\Program Files\E-Zsoft\iPodConverterSuite\iPodConverterSuite.exe" [11/29/2007 03:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20]
"USS"="C:\Program Files\USS\USS.exe" []
"f0c81030"="C:\WINDOWS\system32\uebnodor.dll" [07/31/2008 06:24]
"BMf3fb23ac"="C:\WINDOWS\system32\dwacphgc.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [01/06/2005 08:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [07/16/2007 03:17]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD}"= C:\WINDOWS\system32\ljJYOeFy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrPJB]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnlKBqp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-08-01 07:49:47 ------------

======================================================
EXTRA.TXT
======================================================
No EXTRA.TXT file was visible on the desktop.
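The log above is the material the helper works from when singling out entries to fix. As an added example that is not part of this thread and not code from HijackThis or DSS, the Python script below runs a handful of triage heuristics over lines copied verbatim from the log. The regular expressions, thresholds and reason strings are my own and are tuned to the kind of entries seen here; the clean Yahoo!, Java, iTunes, iPod and PowerISO lines are included so the rules can be seen leaving them alone. It is a reading aid for deciding which entries to question, not a removal tool.

```python
import re

# Added triage helper (not part of the thread or of HijackThis/DSS). The sample
# below is lines copied verbatim from the HijackThis log and the DSS "Files
# created" / "Registry Dump" sections posted above; the clean Yahoo!, Java,
# iTunes, iPod and PowerISO entries are included so the heuristics can be seen
# NOT firing on them.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} - C:\WINDOWS\system32\ljJYOeFy.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {d752f383-8f5c-34f8-3ee4-d9f378e97183} - {38179e87-3f9d-4ee3-8f43-c5f8383f257d} - C:\WINDOWS\system32\yhhvdu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\uebnodor.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O20 - Winlogon Notify: ljJCrPJB - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
2008-07-29 18:22:07 625938 --ahs---- C:\WINDOWS\system32\pqBKlnpo.ini2
2008-07-07 02:40:49 56108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnlKBqp
"""

# Log-line shapes (HijackThis O2/O4/O20 and the two DSS formats used above).
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - " + GUID + r" - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - \S+\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
DSS_FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
AUTHPKG_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
# Signals seen in this infection: hex-blob Run value names, rundll32 loading a
# system32 DLL, and random mixed-case basenames dropped into system32.
# Patterns and thresholds are assumptions of this example, not vendor rules.
HEX_VALUE_RE = re.compile(r"(?:BM)?[0-9a-f]{8}")
RUNDLL_SYS32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\system32\\', re.I)
SYS32_BASENAME_RE = re.compile(r"C:\\WINDOWS\\system32\\([A-Za-z0-9_]+)", re.I)


def case_switches(name):
    """Count upper/lower transitions between consecutive letters. Legitimate
    system32 names are nearly always all-lowercase, so 2 or more switches
    (ljJYOeFy, opnlKBqp) is a strong tell, though not proof."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def triage(log_text):
    """Return {line: [reasons]} for every line that trips at least one heuristic."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name == "(no name)" and ("(file missing)" in path or path == "(no file)"):
                reasons.append("orphaned BHO: unnamed and its DLL is gone")
            if re.fullmatch(GUID, name):
                reasons.append("BHO registered under a GUID instead of a product name")
        m = RUN_RE.match(line)
        if m and HEX_VALUE_RE.fullmatch(m.group("value")) and RUNDLL_SYS32_RE.search(m.group("cmd")):
            reasons.append("Run value with a hex-blob name loading a system32 DLL via rundll32")
        m = NOTIFY_RE.match(line)
        if m:
            if m.group("path").rstrip("\\").lower() == r"c:\windows":
                reasons.append("Winlogon Notify package resolving to bare C:\\WINDOWS\\")
            if case_switches(m.group("name")) >= 2:
                reasons.append("random-looking Winlogon Notify name: " + m.group("name"))
        m = DSS_FILE_RE.match(line)
        if m and "h" in m.group("attrs") and "s" in m.group("attrs") \
                and "\\system32\\" in m.group("path").lower():
            reasons.append("hidden+system file dropped in system32")
        m = AUTHPKG_RE.match(line)
        if m:
            extra = [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
            if extra:
                reasons.append("LSA Authentication Packages extended beyond msv1_0: " + ", ".join(extra))
        for base in SYS32_BASENAME_RE.findall(line):
            if case_switches(base) >= 2:
                reasons.append("random-looking mixed-case system32 name: " + base)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    -> " + reason)
```

The structural signals (an unnamed BHO whose DLL is gone, a BHO whose name is itself a GUID, a Run value with a hex-blob name that loads a system32 DLL through rundll32, a Winlogon Notify entry resolving to bare C:\WINDOWS\, an LSA Authentication Packages value with anything beyond msv1_0, and a hidden+system .ini2 file in system32) are each worth a question on their own. The mixed-case name check is only a supporting heuristic: it is restricted to system32 basenames and the Notify name, it can misfire on legitimately mixed-case DLL names, and it should prompt a lookup of the file rather than stand as a verdict.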

#11 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello jf2008,
Please let me know in your next reply: do you know what this file is or what it is used for?
C:\Documents and Settings\JF1954\Application Data\FrontEndCD.ini

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
STEP 1
I see that you have a P2P (peer-to-peer) program on your computer. While the program itself may be safe, the files you get through it can be illegal and can also have malware in them. I recommend you remove the following program. (If you do not want to remove the P2P programs, please skip this step and go to the next one.)

Please click Start>Control Panel>Add/Remove Programs and remove the following program (if present). Also remove any other P2P programs you may have.
Azureus

Once you have done that please remove following folders(if present)
C:\Documents and Settings\JF1954\Application Data\Azureus
C:\Program Files\Azureus

STEP 2
Please reopen HijackThis, click on Do a system scan only, and put a check next to the following entries.

O2 - BHO: (no name) - {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} - C:\WINDOWS\system32\ljJYOeFy.dll (file missing)
O2 - BHO: (no name) - {21C63899-6532-40D7-8379-7ED788B98D28} - (no file)
O2 - BHO: {d752f383-8f5c-34f8-3ee4-d9f378e97183} - {38179e87-3f9d-4ee3-8f43-c5f8383f257d} - C:\WINDOWS\system32\yhhvdu.dll
O2 - BHO: (no name) - {63357EE9-0129-43B2-801A-97C80F7435BF} - C:\WINDOWS\system32\opnlKBqp.dll (file missing)
O2 - BHO: (no name) - {6C7D8557-73CE-4AC8-89C0-96B8BA4BB668} - (no file)
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: (no name) - {DC3710DC-8B5F-4087-AFCD-E0973218444D} - (no file)
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [f0c81030] rundll32.exe "C:\WINDOWS\system32\uebnodor.dll",b
O4 - HKLM\..\Run: [BMf3fb23ac] Rundll32.exe "C:\WINDOWS\system32\dwacphgc.dll",s
O20 - Winlogon Notify: ljJCrPJB - C:\WINDOWS\

Once you have the checks in those entries please make sure all open windows are closed (keep HijackThis open) and click Fix checked on HijackThis. A box will open up asking if you want to fix the selected items, please click yes. After you have fixed those entries you can close HijackThis.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\mzxlng.dll
    C:\WINDOWS\system32\uoeecuoi.dll
    C:\WINDOWS\system32\pqBKlnpo.ini2
    C:\WINDOWS\system32\opnlKBqp.dll
    C:\WINDOWS\system32\AIPrAcdd.ini2
    C:\WINDOWS\system32\pgzlhz.dll
    C:\WINDOWS\system32\wnpnuyym.dll
    C:\WINDOWS\system32\awsrpt.dll
    C:\WINDOWS\system32\mvktdbye.dll
    C:\WINDOWS\system32\lTDNonmp.ini2
    C:\Documents and Settings\JF1954\Application Data\SeekmoToolbar
    C:\WINDOWS\system32\spkpygda.ini2
    C:\WINDOWS\system32\MnnTwGgh.ini2
    C:\END
    C:\WINDOWS\system32\MSXGGBDRIVER.DLL
    C:\WINDOWS\system32\yhhvdu.dll
    C:\WINDOWS\system32\avkwndar.dll
    C:\WINDOWS\system32\uebnodor.dll
    C:\WINDOWS\system32\dwacphgc.dll
    C:\Program Files\USS
    C:\Windows\System32\ALCXMNTR.EXE
    D:\Info.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 3
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
Then double click on the fix.reg file, when it prompts to merge click "Yes".

STEP 4
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Documents and Settings\JF1954\Application Data\FrontEndCD.ini
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
STEP 5
Click on Start>Run. And then copy and paste the following in bold in the open window and then click OK.
"%userprofile%\desktop\dss.exe" /daft
Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window.

Next please rescan with DSS. To do this please double click on dss.exe and follow any prompts. When it is done it will open one Notepad file, main.txt. Please copy/paste the text in main.txt in your next reply.
~~~~~~~~~~
In your next reply please have these logs.
The OTMoveIt2 log
The VirScan log
And the DSS main.txt
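An added example, not part of the thread and not code from any of the tools named above: the STEP 3 fix.reg writes a REG_MULTI_SZ (the hex(7) form) back into the LSA "Authentication Packages" value, and it is worth being able to read that hex rather than trusting it blind, because every name in that list is a DLL that LSASS loads at boot. The Python script below encodes and decodes the hex(7) form, parses a minimal .reg file, and reports any package beyond the clean baseline of msv1_0. The fix.reg text is the one from STEP 3; the second "infected" sample and its package name "placeholder_injected" are constructed for this example and do not come from the thread.

```python
"""Added example: decode and sanity-check the REG_MULTI_SZ 'Authentication Packages'
value from a .reg export, the value the fix.reg in STEP 3 resets to 'msv1_0'."""
import re

# Clean Windows XP/2000 baseline: LSA loads only the MSV1_0 authentication package.
EXPECTED_PACKAGES = ["msv1_0"]
LSA_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"


def encode_multi_sz(values):
    """Encode a list of strings as the hex(7) body of a .reg file: UTF-16LE, each
    string NUL-terminated, and a final NUL terminating the whole list."""
    raw = "".join(v + "\0" for v in values) + "\0"
    return ",".join(f"{b:02x}" for b in raw.encode("utf-16-le"))


def decode_multi_sz(hex_body):
    """Inverse of encode_multi_sz. Tolerates the backslash line continuations and
    whitespace that regedit writes when it wraps long values."""
    cleaned = re.sub(r"[\s\\]", "", hex_body)
    data = bytes(int(tok, 16) for tok in cleaned.split(",") if tok)
    return [s for s in data.decode("utf-16-le").split("\0") if s]


def parse_reg(reg_text):
    """Minimal parser for a 'Windows Registry Editor Version 5.00' file.
    Returns {key_path: {value_name: (type_tag, decoded_value)}}. Only REG_SZ and
    REG_MULTI_SZ (hex(7)) are decoded; other value types are kept as raw text."""
    keys, current = {}, None
    # A trailing backslash continues a value on the next physical line.
    logical = re.sub(r"\\\r?\n\s*", "", reg_text)
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"(?P<name>[^"]+)"=(?P<rest>.*)$', line)
        if m is None or current is None:
            continue
        name, rest = m.group("name"), m.group("rest")
        if rest.startswith("hex(7):"):
            keys[current][name] = ("REG_MULTI_SZ", decode_multi_sz(rest[len("hex(7):"):]))
        elif len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
            keys[current][name] = ("REG_SZ", rest[1:-1])
        else:
            keys[current][name] = ("RAW", rest)
    return keys


def check_auth_packages(reg_text):
    """Return (ok, extras). ok is True only when the LSA 'Authentication Packages'
    value is a REG_MULTI_SZ listing exactly the expected package(s), compared
    case-insensitively. Anything extra is a DLL name LSASS would load at boot;
    resetting the list to the baseline is exactly what the STEP 3 fix.reg does."""
    keys = parse_reg(reg_text)
    kind, value = keys.get(LSA_KEY, {}).get("Authentication Packages", (None, None))
    if kind != "REG_MULTI_SZ":
        return False, []
    expected = {e.lower() for e in EXPECTED_PACKAGES}
    extras = [p for p in value if p.lower() not in expected]
    return not extras, extras


# The fix.reg from STEP 3, verbatim (raw string so the backslashes survive).
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"""

# Constructed "infected" export for this example: same key with a second package
# name. "placeholder_injected" is invented here, not a name taken from the thread.
INFECTED_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[" + LSA_KEY + "]\n"
    '"Authentication Packages"=hex(7):'
    + encode_multi_sz(["msv1_0", "placeholder_injected"]) + "\n"
)

if __name__ == "__main__":
    print("fix.reg decodes to", parse_reg(FIX_REG)[LSA_KEY]["Authentication Packages"])
    print("fix.reg ok:", check_auth_packages(FIX_REG))
    print("constructed infected export ok:", check_auth_packages(INFECTED_REG))
```

Run it on an export taken with `reg export "HKLM\System\CurrentControlSet\Control\Lsa" lsa.reg` before merging the fix, and keep that export with the ERUNT backup: if the check reports extras, those names are the DLLs that were being loaded into LSASS, which is useful when matching them against the HijackThis and OTMoveIt2 lists above.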

#12 jf2008 (Member, Topic Starter, 24 posts)
Hi,
I got stuck!
I went to this part of the instructions and nothing happens... it won't load. I pasted it in ... tried it and nothing.... I saved the line into a text file and tried it and it won't load. What now?

Here's the part I'm referring to :
====================================
Make sure to use Internet Explorer for this
Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


C:\Documents and Settings\JF1954\Application Data\FrontEndCD.ini

===================================

#13 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello jf2008,
After you paste it in, and click the upload button it may take a little while. It has to upload the file and then scan the file, so if you could please let it sit there for a little bit and see if it scans it.

#14 jf2008 (Member, Topic Starter, 24 posts)
I'll be away for a while.... I'll get back on it later today!
Thanks!!!!!!

I haven't given up! John.

#15 jf2008 (Member, Topic Starter, 24 posts)
Hi,
I got back at about 5:30 pm and set it up. I kept checking it to see the progress but nothing happened.

I kept everyone off the computer until about 9:00 pm and still no activity or report. How else can I try?

I'm off to church this morning and lunch with family. I'll check in at about 3 or 4 p.m. John.

Thanks for all your help!!!!