Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

anitspywaremaster, privacy protector, powerantivirus, viruswebprotect2


  • This topic is locked This topic is locked

#1
mitch_just_is

mitch_just_is

    Member

  • Member
  • PipPip
  • 28 posts
Hello. Can anybody help me fix my PC, which is totally riddled by so many spyware files it's bordering on ridiculous? My desktop's all messed up (erased all my programs, can't right-click, no desktop picture), I can't open up my Task Manager using Ctrl+Alt+Del, and emptied out the programs from Start tab (my All Programs is gone!), among other things. :)

Here's to hoping that you guys can salvage my precious PC. :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:14: VIRUS ALERT!, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: QXK Olive - {79800AD8-CFDD-4F0F-B0CA-A136F04D90D9} - C:\WINDOWS\nfavxwdbolx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: fdkowvbp - {2A071B1F-95AD-467B-9463-64DA449CB769} - C:\WINDOWS\fdkowvbp.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fab%20Fashion/Images/stg_drm.ocx
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://aolsvc.aol.co...eb.1.0.0.13.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://kr.gameguard..../tyscan/nps.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105w.bay105...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Wedding%20Dash/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://my.levelupga...crypt/npkcx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O21 - SSODL: eqvwamkl - {40AAEE1B-9B05-41E5-BA89-15D173D1E4DC} - C:\WINDOWS\eqvwamkl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 10204 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
mitch_just_is

mitch_just_is

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
SDFix: Version 1.212
Run by User on Sun 08/03/2008 at 22:16

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper
Restoring Default ScreenSaver value
Restoring Windows ProductId To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\PHCJ5J~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BLPHCJ~1.SCR - Deleted
C:\WINDOWS\EWTL.EXE - Deleted
C:\Documents and Settings\User\Application Data\Macromedia\Flash

Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk -

Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP

2008.lnk - Deleted
C:\Documents and Settings\User\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\User\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\User\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\User\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\User\Favorites\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\User\Desktop\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt2AE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt2CA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt2F4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt2AD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt2D2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt2FB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\.tt6.tmp.vbs - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\vistasp1.exe.bat - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP33.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP40.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP42.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP43.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP44.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP62.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP63.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP54.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP55.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP64.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP65.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP66.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP60.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP61.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP67.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP68.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP69.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP13.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP14.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP51.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP10.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP49.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP53.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP34.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP19.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP35.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP1F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP24.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP25.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP26.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP27.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP28.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP29.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP2F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP30.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP31.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP20.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP36.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP37.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP38.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP39.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP3D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP41.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP45.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP57.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP47.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP48.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP4C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP50.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP52.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP56.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP58.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP59.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP73.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP21.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP22.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP23.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP74.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP32.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP86.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP87.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP46.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP71.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP6F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP70.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP72.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP80.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP75.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP76.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP78.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP77.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP83.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP84.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP90.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP91.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP79.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP7F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP81.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP82.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP85.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP88.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP89.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP92.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP93.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP8F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP94.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPAF.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP97.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP95.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP98.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPAB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPBA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPAC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9C.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP96.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9F.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9D.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPB7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP99.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9A.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9B.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMP9E.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPCC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPA7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPAA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPAD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPAE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPBB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPBC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPBD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPBE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPBF.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPCA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPC5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPCB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPCF.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPCD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPCE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPD8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPDA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPDC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPDD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPDE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPDF.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE1.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPDB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPEA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPEC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPEB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPED.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPE8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPEE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF0.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF2.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF3.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPEF.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF4.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF5.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF6.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF7.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF8.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPF9.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPFA.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPFB.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPFC.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPFD.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPFE.tmp - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\TMPFF.tmp - Deleted
C:\WINDOWS\nfavxwdbolx.dll - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk - Deleted
C:\DOCUME~1\User\LOCALS~1\Temp\s1265.php.bat - Deleted
C:\WINDOWS\eqvwamkl.dll - Deleted
C:\WINDOWS\fdkowvbp.dll - Deleted
C:\WINDOWS\grswptdl.exe - Deleted
C:\WINDOWS\wnslvxtf.dll - Deleted
C:\WINDOWS\system32\nvrsul32.dll - Deleted



Folder C:\Documents and Settings\User\Application Data\Macromedia\Flash

Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed
Folder C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 - Removed
Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 22:23:20
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardp

rofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG

Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG

Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG

Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG

Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program

Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program

Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Java\\jre1.5.0_10\\BIN\\javaw.exe"="C:\\Program

Files\\Java\\jre1.5.0_10\\BIN\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program

Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN

Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN

Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet

Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"="C:\\Program Files\\Ocean

Technology\\GG E-Sports Platform\\GGclient.exe:*:Enabled:GG E-Sports Platform Client"
"C:\\Program Files\\Warcraft III\\War3.exe"="C:\\Program Files\\Warcraft III\\War3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\SupaSupa, AERO-REVO!\\SupaSupa.exe"="C:\\Program Files\\SupaSupa,

AERO-REVO!\\SupaSupa.exe:*:Enabled:SupaSupa"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh

Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\sysreset\\mirc.exe"="C:\\sysreset\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program

Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"="C:\\Program Files\\Dragonfly\\Special

Force\\specialforce.exe:*:Enabled:specialforce"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program

Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="C:\\Program

Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Enabled:Microsoft ® Visual

Studio VSA RPC Event Creator"
"C:\\Program Files\\Garena\\Garena.exe"="C:\\Program Files\\Garena\\Garena.exe:*:Enabled:Garena"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainpr

ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN

Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN

Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 23 Apr 1999 93,890 ..SH. --- "C:\COMMAND.COM"
Tue 6 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 16 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0759.tmp"
Sun 16 Mar 2008 274,944 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3106.tmp"
Sun 16 Mar 2008 273,920 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1493.tmp"
Sun 16 Mar 2008 376,832 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3048.tmp"
Sun 16 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0164.tmp"
Sun 16 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2607.tmp"
Sun 16 Mar 2008 24,064 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2922.tmp"
Sun 16 Mar 2008 24,576 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0054.tmp"
Sun 16 Mar 2008 25,088 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3188.tmp"
Sun 16 Mar 2008 25,088 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1276.tmp"
Sun 16 Mar 2008 25,088 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2359.tmp"
Sun 16 Mar 2008 25,600 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1555.tmp"
Sun 16 Mar 2008 26,624 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1491.tmp"
Sun 16 Mar 2008 28,160 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2107.tmp"
Sun 16 Mar 2008 30,720 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1487.tmp"
Sun 16 Mar 2008 32,256 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0853.tmp"
Sun 16 Mar 2008 291,840 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2568.tmp"
Sun 16 Mar 2008 294,400 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0433.tmp"
Sun 16 Mar 2008 307,200 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0658.tmp"
Mon 17 Mar 2008 72,192 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0536.tmp"
Mon 17 Mar 2008 83,456 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3413.tmp"
Mon 17 Mar 2008 312,832 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3507.tmp"
Mon 17 Mar 2008 325,120 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3523.tmp"
Mon 17 Mar 2008 82,944 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3319.tmp"
Mon 24 Mar 2008 439,296 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3968.tmp"
Mon 24 Mar 2008 440,832 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1419.tmp"
Mon 25 Feb 2008 31,744 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3052.tmp"
Sun 16 Mar 2008 51,712 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1909.tmp"
Sun 16 Mar 2008 52,736 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0781.tmp"
Sun 16 Mar 2008 52,736 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL3956.tmp"
Sun 16 Mar 2008 54,272 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0220.tmp"
Sun 16 Mar 2008 54,272 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0971.tmp"
Sun 16 Mar 2008 54,784 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2428.tmp"
Sun 16 Mar 2008 55,808 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0199.tmp"
Sat 15 Mar 2008 125,952 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL4031.tmp"
Sun 16 Mar 2008 125,952 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL0901.tmp"
Sun 16 Mar 2008 189,440 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2073.tmp"
Sun 16 Mar 2008 190,976 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL1992.tmp"
Sun 16 Mar 2008 258,560 ...H. --- "C:\Documents and Settings\User\My Documents\school\IS

134.6\~WRL2263.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\User\Application Data\U3\temp\Launchpad

Removal.exe"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\tumbong\Application

Data\U3\temp\Launchpad Removal.exe"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Guest 2\Application

Data\U3\temp\Launchpad Removal.exe"

Finished!






Deckard's System Scanner v20071014.68
Run by User on 2008-08-03 22:28:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-08-03 14:28:10 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-08-03 08:19:31 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29:24, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fab%20Fashion/Images/stg_drm.ocx
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://aolsvc.aol.co...eb.1.0.0.13.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://kr.gameguard..../tyscan/nps.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105w.bay105...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Wedding%20Dash/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://my.levelupga...crypt/npkcx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 9660 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080803-205332-432 O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
backup-20080803-205711-555 O21 - SSODL: wnslvxtf - {723A27A8-1BE4-4C02-B2C0-ABDDE1DAEE34} - C:\WINDOWS\wnslvxtf.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)

S3 EP518P (EZPhone Cam) - c:\windows\system32\drivers\ep518vid.sys <Not Verified; OmniVision Technologies, Inc.; OmniVision Technologies, Inc. USB Dual-Mode Camera>
S3 npkcrypt - c:\program files\gravity\ragnarokonline\npkcrypt.sys (file missing)
S3 npkycryp - c:\program files\gravity\ro\npkycryp.sys (file missing)
S3 PCAlertDriver - c:\biostools\ntglm7x.sys <Not Verified; Your Corporation; Your Product Name>
S3 UTS2pl (Motorola Serial port driver) - c:\windows\system32\drivers\uts2pl.sys <Not Verified; Prolific Technology Inc.; USB-Serial data down load Cable>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 22:11:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 22:11:05 0 d-------- C:\WINDOWS\ERUNT
2008-08-03 20:21:01 0 d-------- C:\Program Files\Trend Micro
2008-08-03 18:30:11 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 17:19:20 0 d--hs---- C:\FOUND.002
2008-08-03 16:18:28 0 d-------- C:\Documents and Settings\User\Application Data\TmpRecentIcons
2008-07-29 18:32:02 0 d-------- C:\Documents and Settings\Guest 2\Application Data\U3
2008-07-26 13:33:08 0 d-------- C:\Documents and Settings\User\Application Data\Jane s Hotel Family Hero
2008-07-25 23:52:49 0 d-------- C:\Program Files\Garena
2008-07-25 23:52:12 0 d-------- C:\Documents and Settings\User\Application Data\InstallShield
2008-07-25 23:29:26 64313 --a------ C:\WINDOWS\War3Unin.dat
2008-07-25 23:29:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-25 23:29:25 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-07-25 23:25:20 0 d-------- C:\Program Files\Warcraft III
2008-07-23 23:11:46 0 d-------- C:\Program Files\Democracy
2008-07-12 22:20:59 0 d-------- C:\Documents and Settings\User\Application Data\GamesCafe
2008-07-12 22:16:55 0 d-------- C:\Program Files\CLUE Classic
2008-07-12 11:41:16 0 d-------- C:\Program Files\Web Publish
2008-07-11 23:41:12 0 d-------- C:\My Installations
2008-07-11 23:41:11 143360 --a------ C:\WINDOWS\system32\isdbgi51.dll <Not Verified; InstallShield Software Corporation; InstallShield®>
2008-07-11 22:51:36 140048 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 135168 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-07-11 22:51:36 42496 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-07-11 22:51:30 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-07-11 22:51:29 147456 --a------ C:\WINDOWS\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:29 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-07-11 22:51:29 207872 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:29 73728 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft JDBC Bridge>
2008-07-11 22:51:29 843024 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 155920 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 14848 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 361744 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 32528 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 154112 --a------ C:\WINDOWS\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:27 209168 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:26 44544 --a------ C:\WINDOWS\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:25 103424 --a------ C:\WINDOWS\extrac32.exe <Not Verified; Microsoft Corporation; Microsoft ® CAB File Extract Utility>
2008-07-08 22:20:31 0 d-------- C:\Documents and Settings\Guest 2\Saved Games
2008-07-08 22:20:31 0 d-------- C:\Documents and Settings\Guest 2\Application Data\Flood Light Games
2008-07-07 19:19:09 0 d-------- C:\Documents and Settings\User\Application Data\Flood Light Games
2008-07-07 19:19:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games


-- Find3M Report ---------------------------------------------------------------

2008-07-17 23:59:54 212 --a------ C:\WINDOWS\recover.reg
2008-06-22 23:26:40 0 d-------- C:\Documents and Settings\User\Application Data\Sandlot Games
2008-06-22 22:22:34 0 d-------- C:\Program Files\GameHouse
2008-06-22 17:38:00 0 d-------- C:\Documents and Settings\User\Application Data\dvdcss
2008-06-21 14:57:20 0 d-------- C:\Program Files\QuickFix
2008-06-20 22:02:48 0 d-------- C:\Program Files\BFG
2008-06-20 21:58:56 0 d-------- C:\Program Files\Chocolatier
2008-06-20 21:19:46 0 d-------- C:\Program Files\ReflexiveArcade
2008-06-11 21:55:56 0 --a------ C:\Program Files\temp01


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50]
"AVG7_CC"="C:\PROGRA~1
  • 0

#4
mitch_just_is

mitch_just_is

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
my PC looks like it's normal again. is it? is it? :)
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Not yet

Post the extra text and do this


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\FOUND.002
    C:\Program Files\temp01
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Also post a new DSS log
  • 0

#6
mitch_just_is

mitch_just_is

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Explorer killed successfully
C:\FOUND.002 moved successfully.
C:\Program Files\temp01 moved successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF798F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF5A3B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF8974.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF899F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_434.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08032008_233132

Files moved on Reboot...
C:\DOCUME~1\User\LOCALS~1\Temp\~DF798F.tmp moved successfully.
C:\DOCUME~1\User\LOCALS~1\Temp\~DF5A3B.tmp moved successfully.
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF8974.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF899F.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_434.dat not found!





Deckard's System Scanner v20071014.68
Run by User on 2008-08-03 23:39:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:39:56, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fab%20Fashion/Images/stg_drm.ocx
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://aolsvc.aol.co...eb.1.0.0.13.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://kr.gameguard..../tyscan/nps.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105w.bay105...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Wedding%20Dash/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://my.levelupga...crypt/npkcx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 9680 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 22:11:05 0 d-------- C:\WINDOWS\ERUNT
2008-08-03 20:21:01 0 d-------- C:\Program Files\Trend Micro
2008-08-03 18:30:11 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 16:18:28 0 d-------- C:\Documents and Settings\User\Application Data\TmpRecentIcons
2008-07-29 18:32:02 0 d-------- C:\Documents and Settings\Guest 2\Application Data\U3
2008-07-26 13:33:08 0 d-------- C:\Documents and Settings\User\Application Data\Jane s Hotel Family Hero
2008-07-25 23:52:49 0 d-------- C:\Program Files\Garena
2008-07-25 23:52:12 0 d-------- C:\Documents and Settings\User\Application Data\InstallShield
2008-07-25 23:29:26 64313 --a------ C:\WINDOWS\War3Unin.dat
2008-07-25 23:29:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-25 23:29:25 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-07-25 23:25:20 0 d-------- C:\Program Files\Warcraft III
2008-07-23 23:11:46 0 d-------- C:\Program Files\Democracy
2008-07-12 22:20:59 0 d-------- C:\Documents and Settings\User\Application Data\GamesCafe
2008-07-12 22:16:55 0 d-------- C:\Program Files\CLUE Classic
2008-07-12 11:41:16 0 d-------- C:\Program Files\Web Publish
2008-07-11 23:41:12 0 d-------- C:\My Installations
2008-07-11 23:41:11 143360 --a------ C:\WINDOWS\system32\isdbgi51.dll <Not Verified; InstallShield Software Corporation; InstallShield®>
2008-07-11 22:51:36 140048 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 135168 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-07-11 22:51:36 42496 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-07-11 22:51:30 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-07-11 22:51:29 147456 --a------ C:\WINDOWS\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:29 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-07-11 22:51:29 207872 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:29 73728 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft JDBC Bridge>
2008-07-11 22:51:29 843024 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 155920 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 14848 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 361744 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 32528 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 154112 --a------ C:\WINDOWS\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:27 209168 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:26 44544 --a------ C:\WINDOWS\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:25 103424 --a------ C:\WINDOWS\extrac32.exe <Not Verified; Microsoft Corporation; Microsoft ® CAB File Extract Utility>
2008-07-08 22:20:31 0 d-------- C:\Documents and Settings\Guest 2\Saved Games
2008-07-08 22:20:31 0 d-------- C:\Documents and Settings\Guest 2\Application Data\Flood Light Games
2008-07-07 19:19:09 0 d-------- C:\Documents and Settings\User\Application Data\Flood Light Games
2008-07-07 19:19:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games


-- Find3M Report ---------------------------------------------------------------

2008-07-17 23:59:54 212 --a------ C:\WINDOWS\recover.reg
2008-06-22 23:26:40 0 d-------- C:\Documents and Settings\User\Application Data\Sandlot Games
2008-06-22 22:22:34 0 d-------- C:\Program Files\GameHouse
2008-06-22 17:38:00 0 d-------- C:\Documents and Settings\User\Application Data\dvdcss
2008-06-21 14:57:20 0 d-------- C:\Program Files\QuickFix
2008-06-20 22:02:48 0 d-------- C:\Program Files\BFG
2008-06-20 21:58:56 0 d-------- C:\Program Files\Chocolatier
2008-06-20 21:19:46 0 d-------- C:\Program Files\ReflexiveArcade


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/30/2008 12:22]
"SetRefresh"="C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe" [11/20/2003 18:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/30/2007 01:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 14:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/09/2003 02:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 17:43]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/01/2008 18:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 12:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Knight]
C:\WINDOWS\Knight.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\krag]
C:\WINDOWS\krag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcj5jj0e3k0]
C:\WINDOWS\system32\lphcj5jj0e3k0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
"C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcn5jj0e3k0]
C:\Program Files\rhcn5jj0e3k0\rhcn5jj0e3k0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15be51ca-1f13-11dc-9659-001617cac78d}]
auto\command- E:\Knight.exe open
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
explore\command- E:\Knight.exe open
find\command- E:\Knight.exe open
install\command- E:\Knight.exe open
open\command- E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d434807-a6c3-11db-9481-001617cac78d}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NETSVCS.EXE
é_†™\command- NETSVCS.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aeb0488-aaf2-11dc-9877-001617cac78d}]
auto\command- E:\Knight.exe open
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
explore\command- E:\Knight.exe open
find\command- E:\Knight.exe open
install\command- E:\Knight.exe open
open\command- E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{652a2473-2d3c-11dd-9a13-001617cac78d}]
auto\command- Knight.exe open
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
explore\command- Knight.exe open
find\command- Knight.exe open
install\command- Knight.exe open
open\command- Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2afa252-aacc-11db-948e-001617cac78d}]
AutoRun\command- New Document.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9cae954-45e3-11dc-96f5-001617cac78d}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- E:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b994fc66-7997-11dc-97bf-001617cac78d}]
0pen\command- krag.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5137c90-0256-11dd-9991-001617cac78d}]
AutoRun\command- bar311.exe %1
Explore\command- bar311.exe %1
Open\command- bar311.exe %1




-- End of Deckard's System Scanner: finished at 2008-08-03 23:40:15 ------------
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do you have the extra.text from the first time you ran DSS ?


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Knight
    C:\WINDOWS\Knight.exe
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\krag
    C:\WINDOWS\krag.exe
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcj5jj0e3k0
    C:\WINDOWS\system32\lphcj5jj0e3k0.exe
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcn5jj0e3k0
    C:\Program Files\rhcn5jj0e3k0
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15be51ca-1f13-11dc-9659-001617cac78d}
    E:\Knight.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d434807-a6c3-11db-9481-001617cac78d}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aeb0488-aaf2-11dc-9877-001617cac78d}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{652a2473-2d3c-11dd-9a13-001617cac78d}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2afa252-aacc-11db-948e-001617cac78d}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9cae954-45e3-11dc-96f5-001617cac78d}
    E:\Recycled\ctfmon.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b994fc66-7997-11dc-97bf-001617cac78d}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5137c90-0256-11dd-9991-001617cac78d}
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Reboot and post a new DSS log
  • 0

#8
mitch_just_is

mitch_just_is

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
:) oh was i supposed to save that one extra.txt? i didn't! whoops.

Explorer killed successfully
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Knight >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Knight\\ deleted successfully.
File/Folder C:\WINDOWS\Knight.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\krag >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\krag\\ deleted successfully.
File/Folder C:\WINDOWS\krag.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcj5jj0e3k0 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcj5jj0e3k0\\ deleted successfully.
File/Folder C:\WINDOWS\system32\lphcj5jj0e3k0.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcn5jj0e3k0 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcn5jj0e3k0\\ deleted successfully.
File/Folder C:\Program Files\rhcn5jj0e3k0 not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15be51ca-1f13-11dc-9659-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15be51ca-1f13-11dc-9659-001617cac78d}\\ deleted successfully.
File/Folder E:\Knight.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d434807-a6c3-11db-9481-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d434807-a6c3-11db-9481-001617cac78d}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aeb0488-aaf2-11dc-9877-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2aeb0488-aaf2-11dc-9877-001617cac78d}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{652a2473-2d3c-11dd-9a13-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{652a2473-2d3c-11dd-9a13-001617cac78d}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2afa252-aacc-11db-948e-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2afa252-aacc-11db-948e-001617cac78d}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9cae954-45e3-11dc-96f5-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9cae954-45e3-11dc-96f5-001617cac78d}\\ deleted successfully.
File/Folder E:\Recycled\ctfmon.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b994fc66-7997-11dc-97bf-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b994fc66-7997-11dc-97bf-001617cac78d}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5137c90-0256-11dd-9991-001617cac78d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5137c90-0256-11dd-9991-001617cac78d}\\ deleted successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DFD751.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_70.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DFD790.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF161A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF1621.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08042008_002524

Files moved on Reboot...
C:\DOCUME~1\User\LOCALS~1\Temp\~DFD751.tmp moved successfully.
File C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_70.dat not found!
C:\DOCUME~1\User\LOCALS~1\Temp\~DFD790.tmp moved successfully.
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF161A.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF1621.tmp not found!







Deckard's System Scanner v20071014.68
Run by User on 2008-08-04 00:28:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:28:50, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Fab%20Fashion/Images/stg_drm.ocx
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://aolsvc.aol.co...eb.1.0.0.13.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} (Nps Control) - http://kr.gameguard..../tyscan/nps.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105w.bay105...es/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Wedding%20Dash/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://my.levelupga...crypt/npkcx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 9710 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-03 22:11:05 0 d-------- C:\WINDOWS\ERUNT
2008-08-03 20:21:01 0 d-------- C:\Program Files\Trend Micro
2008-08-03 18:30:11 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 16:18:28 0 d-------- C:\Documents and Settings\User\Application Data\TmpRecentIcons
2008-07-29 18:32:02 0 d-------- C:\Documents and Settings\Guest 2\Application Data\U3
2008-07-26 13:33:08 0 d-------- C:\Documents and Settings\User\Application Data\Jane s Hotel Family Hero
2008-07-25 23:52:49 0 d-------- C:\Program Files\Garena
2008-07-25 23:52:12 0 d-------- C:\Documents and Settings\User\Application Data\InstallShield
2008-07-25 23:29:26 64313 --a------ C:\WINDOWS\War3Unin.dat
2008-07-25 23:29:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-25 23:29:25 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-07-25 23:25:20 0 d-------- C:\Program Files\Warcraft III
2008-07-23 23:11:46 0 d-------- C:\Program Files\Democracy
2008-07-12 22:20:59 0 d-------- C:\Documents and Settings\User\Application Data\GamesCafe
2008-07-12 22:16:55 0 d-------- C:\Program Files\CLUE Classic
2008-07-12 11:41:16 0 d-------- C:\Program Files\Web Publish
2008-07-11 23:41:12 0 d-------- C:\My Installations
2008-07-11 23:41:11 143360 --a------ C:\WINDOWS\system32\isdbgi51.dll <Not Verified; InstallShield Software Corporation; InstallShield®>
2008-07-11 22:51:36 140048 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 135168 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-07-11 22:51:36 42496 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:36 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-07-11 22:51:30 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-07-11 22:51:29 147456 --a------ C:\WINDOWS\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:29 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-07-11 22:51:29 207872 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:29 73728 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft JDBC Bridge>
2008-07-11 22:51:29 843024 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 155920 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 14848 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 361744 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 32528 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:28 154112 --a------ C:\WINDOWS\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:27 209168 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:26 44544 --a------ C:\WINDOWS\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-11 22:51:25 103424 --a------ C:\WINDOWS\extrac32.exe <Not Verified; Microsoft Corporation; Microsoft ® CAB File Extract Utility>
2008-07-08 22:20:31 0 d-------- C:\Documents and Settings\Guest 2\Saved Games
2008-07-08 22:20:31 0 d-------- C:\Documents and Settings\Guest 2\Application Data\Flood Light Games
2008-07-07 19:19:09 0 d-------- C:\Documents and Settings\User\Application Data\Flood Light Games
2008-07-07 19:19:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Flood Light Games


-- Find3M Report ---------------------------------------------------------------

2008-07-17 23:59:54 212 --a------ C:\WINDOWS\recover.reg
2008-06-22 23:26:40 0 d-------- C:\Documents and Settings\User\Application Data\Sandlot Games
2008-06-22 22:22:34 0 d-------- C:\Program Files\GameHouse
2008-06-22 17:38:00 0 d-------- C:\Documents and Settings\User\Application Data\dvdcss
2008-06-21 14:57:20 0 d-------- C:\Program Files\QuickFix
2008-06-20 22:02:48 0 d-------- C:\Program Files\BFG
2008-06-20 21:58:56 0 d-------- C:\Program Files\Chocolatier
2008-06-20 21:19:46 0 d-------- C:\Program Files\ReflexiveArcade


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/30/2008 12:22]
"SetRefresh"="C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe" [11/20/2003 18:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/30/2007 01:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 14:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/09/2003 02:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 17:43]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/01/2008 18:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 12:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
"C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"




-- End of Deckard's System Scanner: finished at 2008-08-04 00:29:12 ------------
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#10
mitch_just_is

mitch_just_is

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
KASPERSKY ONLINE SCANNER REPORT
Monday, August 04, 2008 02:32:07
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/08/2008
Kaspersky Anti-Virus database records: 1048675


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 112874
Number of viruses found 7
Number of infected objects 13
Number of suspicious objects 0
Duration of the scan process 01:14:43

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\~DF50B1.tmp Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_880.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\~DFAE3F.tmp Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\~DF2B63.tmp Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\~DF2B77.tmp Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\User\Desktop\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\User\ntuser.dat Object is locked skipped

C:\Documents and Settings\tumbong\Local Settings\Temp\aupd.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.adj skipped

C:\Documents and Settings\tumbong\Local Settings\Temp\aupd.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BHO.ww skipped

C:\Documents and Settings\tumbong\Local Settings\Temp\aupd.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ww skipped

C:\Documents and Settings\tumbong\Local Settings\Temp\aupd.exe NSIS: infected - 3 skipped

C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped

C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_User.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_User.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_User.log Object is locked skipped

C:\Program Files\LimeWire\root\koa'uka\boom shi koauka.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Program Files\LimeWire\root\koa'uka\never stop koauka.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\System Volume Information\_restore{D31A19C3-5149-41B9-858A-F03F97910FDA}\RP1\A0002042.exe Infected: Trojan-Downloader.Win32.Small.zwt skipped

C:\System Volume Information\_restore{D31A19C3-5149-41B9-858A-F03F97910FDA}\RP1\A0002133.reg Infected: Trojan.WinREG.NoOll.b skipped

C:\System Volume Information\_restore{D31A19C3-5149-41B9-858A-F03F97910FDA}\RP2\change.log Object is locked skipped

C:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\SDFix\backups\backupreg.zip/backupreg/HKCU_WINDOWS_Policy.reg Infected: Trojan.WinREG.NoOll.b skipped

C:\SDFix\backups\backupreg.zip ZIP: infected - 1 skipped

C:\Deckard\System Scanner\20080803233949\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

Scan process completed.

Attached Files


  • 0

Advertisements


#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\tumbong\Local Settings\Temp\aupd.exe
    C:\Program Files\LimeWire\root\koa'uka\boom shi koauka.mp3
    C:\Program Files\LimeWire\root\koa'uka\never stop koauka.mp3
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\Program Files\LimeWire\root
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.
  • 0

#12
mitch_just_is

mitch_just_is

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Explorer killed successfully
C:\Documents and Settings\tumbong\Local Settings\Temp\aupd.exe moved successfully.
C:\Program Files\LimeWire\root\koa'uka\boom shi koauka.mp3 moved successfully.
C:\Program Files\LimeWire\root\koa'uka\never stop koauka.mp3 moved successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF7D7E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF3397.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_808.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF5F0A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF5F1C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF23B9.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DFD97.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF65EE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF8E2D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~WRD0002.doc scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\~DF6C79.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08042008_202025

Files moved on Reboot...
C:\DOCUME~1\User\LOCALS~1\Temp\~DF7D7E.tmp moved successfully.
C:\DOCUME~1\User\LOCALS~1\Temp\~DF3397.tmp moved successfully.
File C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_808.dat not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF5F0A.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF5F1C.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF23B9.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DFD97.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF65EE.tmp not found!
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF8E2D.tmp not found!
C:\DOCUME~1\User\LOCALS~1\Temp\~WRD0002.doc moved successfully.
File C:\DOCUME~1\User\LOCALS~1\Temp\~DF6C79.tmp not found!






DirLook.exe by jpshortstuff
Log created at 20:28:04 on Mon 08/04/2008

==============================

Contents of "C:\Program Files\LimeWire\root" (inc. hidden/system files/folders)

---FOLDERS---

collie buddz (created: 06/11/2008 14:00) d--------
inner circle (created: 06/11/2008 14:01) d--------
kilat (created: 06/11/2008 14:42) d--------
koa'uka (created: 06/11/2008 14:02) d--------
magnet10 (created: 07/21/2008 17:48) d--------
oshen (created: 06/11/2008 14:00) d--------
sizzla (created: 06/11/2008 14:27) d--------

---FILES---

02_-_MCoy_of_Orange_&_Lemons_-_Salawikain_(Feat._The_Spaceflower_Show).mp3 (3995776 bytes, created: 06/12/2008 14:55) --a------
Brownman Revival - Muli.mp3 (8202027 bytes, created: 06/12/2008 15:16) --a------
jeepney joyride_ lilim.mp3 (4685305 bytes, created: 06/12/2008 14:53) --a------
Junior Kilat - Hoy Agta!.mp3 (3571483 bytes, created: 06/11/2008 14:33) --a------
Maxi Priest - Wild World.mp3 (3483344 bytes, created: 06/11/2008 13:29) --a------
Reggae-Apache Indian - Ragga Muffin Girl.mp3 (4594466 bytes, created: 06/11/2008 13:28) --a------

==============================

=EOF=




You know what's weird? When the computer rebooted, it asked me something about rebooting through CD and then I had to press any key. And then it said that Windows had to check the disks for inconsistencies, but even before it started it just went straight to logging in. Was that just some kind of glitch and not a big problem?
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Sounds like a glitch

Nearly done

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#14
mitch_just_is

mitch_just_is

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Malwarebytes' Anti-Malware 1.24
Database version: 1023
Windows 5.1.2600 Service Pack 2

9:53:36 PM 8/4/2008
mbam-log-8-4-2008 (21-53-36).txt

Scan type: Quick Scan
Objects scanned: 83931
Time elapsed: 21 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcn5jj0e3k0 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\DivoCodec (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whAgent.ini (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\tumbong\Local Settings\Temp\CmdLineExt02.dll (Trojan.Agent) -> Quarantined and deleted successfully.



Oh wow! My C drive is back in My Computer!!! And by the way, since I already downloaded Malwarebytes and HiJackThis, should I delete AVG? It takes a chunk of MB and it really didn't do anything when my PC was attacked by Malware.
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
I would keep AVG to be safe

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html




  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP