Adware+Trojan+Worms help please [RESOLVED]



#1
Aznscene

    New Member

  • Member
  • 6 posts
I have found multiple files while scanning that have viruses and trojans, but Avast and Spybot haven't been able to remove them. I googled some stuff and I've tried a lot of things, but they still seem to be there. I have recently removed some stuff on AV2009 but the pop-up still seems to be showing.
This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:10 PM, on 07/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Mozila Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [2629165f] rundll32.exe "C:\WINDOWS\system32\vmhqsusf.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5362 bytes


#2
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aznscene, and welcome to Geeks to go. I'm currently reading over your log right now and I'll do my best to try to get your system clean. :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert.

#3
Aznscene

    New Member

  • Topic Starter
  • Member
  • 6 posts
Thank you for looking at this.

#4
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aznscene,
If you have any questions please feel free to ask. :)

STEP 1
I do not see a firewall on your computer. A firewall can help protect you from hackers and some types of malware. I recommend you download a firewall. Here are a few to choose from (all are free).
Comodo
Zone Alarm
OutPost
Out of these I would recommend Comodo; please only install one firewall at a time. If you need any help installing/using one of these firewalls, please let me know.

STEP 2
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

STEP 3
Please reopen HijackThis and click on Do a system scan only, and put a check next to the following line.

O4 - HKLM\..\Run: [2629165f] rundll32.exe "C:\WINDOWS\system32\vmhqsusf.dll",b

Once you have the check in that line, please make sure all open windows are closed (keep HijackThis open) and click Fix checked in HijackThis. A box will open up asking if you want to fix the selected items; please click Yes. After you have fixed that line you can close HijackThis.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\vmhqsusf.dll
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 4
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
~~~~~~~~~
In your next reply please have these logs.
The VundoFix log
The OTMoveIt2 log
And the DSS main.txt and extra.txt
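The STEP 3 fix above works from a single HijackThis O4 line. As an added example (my code, not from the thread, HijackThis or OTMoveIt2), this Python script parses the O2/O4/O20 line formats that appear in this thread's logs and flags the entries a helper would look at first. The sample lines are copied from the logs posted in this thread (the first post and the DSS-embedded log further down); the heuristics are my assumptions, not anything HijackThis itself scores.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis output posted in
# this thread, mixing ordinary entries with the suspicious ones.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {542D4704-0929-4A52-8372-C19483ED1865} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5A6135FA-23A1-4312-A5E9-4ADC33B251EA} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5D4C357B-5DC9-417E-BB4A-3D2123BBCC37} - C:\WINDOWS\system32\wvUmjIba.dll (file missing)
O2 - BHO: (no name) - {68EA054A-189E-4AAF-B452-126F8C991E27} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [2629165f] rundll32.exe "C:\WINDOWS\system32\vmhqsusf.dll",b
O20 - Winlogon Notify: tuvSljHa - tuvSljHa.dll (file missing)
"""

# Line formats for the three HijackThis sections handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")

# Heuristics (my assumptions, not HijackThis scoring): a Run key named by a
# bare hex string, and rundll32 loading an eight-letter DLL from system32,
# are the shape of the [2629165f] line the helper asked to fix.
HEX_KEY_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
EIGHT_LETTERS_RE = re.compile(r"^[a-z]{8}$", re.I)
DLL_ARG_RE = re.compile(r'"?([^"]+?\.dll)"?', re.I)


def basename(path):
    """Last path component, without surrounding quotes."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def parse_hjt(log_text):
    """Parse O2/O4/O20 lines into dicts; other sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entry = m.groupdict()
                entry.update(section=section, line=line)
                entries.append(entry)
                break
    return entries


def flag_entries(entries):
    """Return [(line, [reasons])] for entries matching the heuristics."""
    # Several CLSIDs registered against one DLL (three -> psisdec.dll in
    # the posted log) is worth a look on its own.
    clsids_per_dll = defaultdict(set)
    for e in entries:
        if e["section"] == "O2":
            clsids_per_dll[basename(e["path"]).lower()].add(e["clsid"])

    findings = []
    for e in entries:
        reasons = []
        if e["section"] == "O2":
            dll = basename(e["path"]).lower()
            if e["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if len(clsids_per_dll[dll]) > 1:
                reasons.append(f"{len(clsids_per_dll[dll])} CLSIDs point at {dll}")
            if e["missing"]:
                reasons.append("registered DLL no longer on disk")
        elif e["section"] == "O4":
            if HEX_KEY_RE.match(e["key"]):
                reasons.append("Run key name is a bare hex string")
            m = DLL_ARG_RE.search(e["cmd"])
            if m and e["cmd"].lower().startswith("rundll32"):
                stem = basename(m.group(1)).rsplit(".", 1)[0]
                if EIGHT_LETTERS_RE.match(stem) and "\\system32\\" in m.group(1).lower():
                    reasons.append(f"rundll32 loads random-looking {basename(m.group(1))}")
        elif e["section"] == "O20":
            if e["missing"]:
                reasons.append("Winlogon Notify DLL no longer on disk")
        if reasons:
            findings.append((e["line"], reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Running it on the sample prints the six entries a helper would check (the three psisdec.dll BHOs, the missing wvUmjIba.dll BHO, the [2629165f] Run entry and the tuvSljHa Winlogon Notify) and leaves the Spybot, Java and avast! entries alone.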

#5
Aznscene

    New Member

  • Topic Starter
  • Member
  • 6 posts
VundoFix did not find anything, therefore there were no logs.

OTMoveIt2 log:

Explorer killed successfully
File/Folder C:\WINDOWS\system32\vmhqsusf.dll not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\etilqs_FggcH3VdStCXl8ECvyhu scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFF647.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFF655.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DF8F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFD9.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_59c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08082008_214928

Files moved on Reboot...
File C:\DOCUME~1\Zach\LOCALS~1\Temp\etilqs_FggcH3VdStCXl8ECvyhu not found!
File C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFF647.tmp not found!
File C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFF655.tmp not found!
File C:\DOCUME~1\Zach\LOCALS~1\Temp\~DF8F.tmp not found!
File C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFD9.tmp not found!
C:\WINDOWS\temp\Perflib_Perfdata_59c.dat moved successfully.
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!


DSS main.txt:

Deckard's System Scanner v20071014.68
Run by Zach on 2008-08-08 22:09:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-08-09 05:09:37 UTC - RP45 - Deckard's System Scanner Restore Point
3: 2008-08-07 19:57:07 UTC - RP44 - Removed MapleStory.
2: 2008-08-07 00:02:52 UTC - RP43 - Last known good configuration
1: 2008-08-07 00:02:46 UTC - RP42 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Zach.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:29 PM, on 08/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Zach\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Zach.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {542D4704-0929-4A52-8372-C19483ED1865} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5A6135FA-23A1-4312-A5E9-4ADC33B251EA} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5D4C357B-5DC9-417E-BB4A-3D2123BBCC37} - C:\WINDOWS\system32\wvUmjIba.dll (file missing)
O2 - BHO: (no name) - {68EA054A-189E-4AAF-B452-126F8C991E27} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: tuvSljHa - tuvSljHa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6839 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080806-154143-949 O4 - HKLM\..\Run: [SMrhc7fbj0ej3k] C:\Program Files\rhc7fbj0ej3k\rhc7fbj0ej3k.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-04 21:44:56 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 21:32:11 0 d-------- C:\VundoFix Backups
2008-08-08 21:30:41 0 d-------- C:\Program Files\AskSBar
2008-08-08 21:29:50 0 d-------- C:\Documents and Settings\Zach\Application Data\Comodo
2008-08-08 21:29:43 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-08-08 21:29:37 0 d-------- C:\Program Files\COMODO
2008-08-07 21:03:25 2048 --a------ C:\WINDOWS\system32\maspukwr.exe
2008-08-07 13:27:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-07 13:27:16 0 d-------- C:\Program Files\Security Task Manager
2008-08-07 12:39:07 0 d-------- C:\Program Files\Enigma Software Group
2008-08-06 21:00:51 2048 --a------ C:\WINDOWS\system32\usuigrwq.exe
2008-08-06 17:08:55 0 d-------- C:\Program Files\Alwil Software
2008-08-06 17:05:36 577523 --ahs---- C:\WINDOWS\system32\abIjmUvw.ini2
2008-08-06 16:47:41 0 d-------- C:\Documents and Settings\Zach\Application Data\Malwarebytes
2008-08-06 16:47:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 16:47:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 16:46:55 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-06 15:33:22 0 d-------- C:\Program Files\Trend Micro
2008-08-06 09:52:08 0 d--hs---- C:\FOUND.002
2008-08-06 00:25:09 0 d-------- C:\!KillBox
2008-08-05 22:41:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 21:07:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-05 21:01:55 91648 --a------ C:\WINDOWS\system32\psisdec.dll
2008-08-05 20:56:20 2048 --a------ C:\WINDOWS\system32\klcbafcr.exe
2008-08-04 21:44:33 0 d-------- C:\Program Files\Apple Software Update
2008-08-04 16:00:47 2048 --a------ C:\WINDOWS\system32\aeuwfdxh.exe
2008-08-03 13:26:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-08-03 13:26:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-03 13:23:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-08-03 12:45:38 0 d--hs---- C:\FOUND.001
2008-08-03 12:36:16 0 --a------ C:\WINDOWS\system32\taskkill.exe
2008-08-03 12:36:05 0 d--hs---- C:\Documents and Settings\Zach\!
2008-08-03 12:35:50 0 d--hs---- C:\WINDOWS\WmFjaA
2008-08-03 12:35:38 0 d-------- C:\WINDOWS\system32\hp1
2008-08-03 12:35:38 0 d-------- C:\WINDOWS\system32\bx2
2008-08-03 12:35:33 0 d-------- C:\Temp
2008-07-31 15:05:40 0 d-------- C:\Program Files\iPod
2008-07-29 17:06:22 4456448 --a------ C:\Documents and Settings\Zach\ntuser.dat
2008-07-29 00:27:59 0 d-------- C:\Program Files\Audacity
2008-07-25 11:58:53 0 d-------- C:\WINDOWS\Sun
2008-07-24 14:05:28 0 d--hs---- C:\FOUND.000
2008-07-16 11:21:14 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-16 00:17:09 0 d-------- C:\Documents and Settings\Zach\Application Data\Nexon
2008-07-16 00:07:43 53248 -ra------ C:\WINDOWS\system32\InstMed.exe
2008-07-16 00:05:52 0 d-------- C:\Program Files\Common Files\Logitech
2008-07-16 00:03:02 0 d-------- C:\Program Files\Logitech
2008-07-15 20:59:53 0 d-------- C:\Nexon
2008-07-15 19:01:24 0 d-------- C:\WINDOWS\system32\zk_sc dir
2008-07-15 18:18:05 0 d-------- C:\Documents and Settings\Zach\Application Data\WinRAR
2008-07-15 18:12:06 0 d-------- C:\Documents and Settings\Zach\Application Data\Hamachi
2008-07-15 18:11:05 0 d-------- C:\Program Files\Hamachi
2008-07-14 23:50:05 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-14 23:50:03 0 d-------- C:\Documents and Settings\Zach\Application Data\skypePM
2008-07-14 23:48:31 0 d-------- C:\Documents and Settings\Zach\Application Data\Skype
2008-07-14 23:47:31 0 d-------- C:\Program Files\Skype
2008-07-14 23:47:29 0 d-------- C:\Program Files\Common Files\Skype
2008-07-14 23:47:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-11 11:28:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-07-10 15:38:08 0 d-------- C:\Program Files\Bonjour
2008-07-10 12:46:21 0 d-------- C:\Program Files\Messenger Plus! Live
2008-07-10 12:19:15 0 d-------- C:\WINDOWS\Prefetch
2008-07-10 06:03:08 0 d-------- C:\WINDOWS\peernet
2008-07-10 06:03:07 0 d-------- C:\WINDOWS\provisioning
2008-07-10 06:00:26 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-10 05:47:33 0 d-------- C:\WINDOWS\EHome
2008-07-10 05:32:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-10 05:23:30 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-10 05:23:27 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-10 05:22:33 0 d-------- C:\WINDOWS\system32\bits
2008-07-10 05:18:46 0 d---s---- C:\Documents and Settings\Zach\UserData
2008-07-10 05:17:54 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-10 05:17:50 0 d-------- C:\Documents and Settings\Zach\Application Data\Mozilla
2008-07-10 05:08:14 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-10 05:06:59 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-07-10 05:02:38 0 d-------- C:\WINDOWS\RegisteredPackages
2008-07-10 05:00:25 0 d-------- C:\Documents and Settings\Zach\Application Data\Sun
2008-07-10 05:00:08 0 d-------- C:\Program Files\Java
2008-07-10 05:00:07 0 d-------- C:\Program Files\Common Files\Java
2008-07-10 04:48:29 0 d-------- C:\Program Files\Realtek Sound Manager
2008-07-10 04:48:28 0 d-------- C:\Program Files\AvRack
2008-07-10 04:48:26 208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2008-07-10 04:48:26 139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2008-07-10 04:43:03 0 d-------- C:\WINDOWS\Drivers
2008-07-10 04:41:49 0 d-------- C:\Program Files\Intel
2008-07-10 04:41:15 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-07-10 04:41:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 04:41:08 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-10 04:41:04 0 -rahs---- C:\MSDOS.SYS
2008-07-10 04:41:04 0 -rahs---- C:\IO.SYS
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\Templates
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\Start Menu
2008-07-10 04:38:02 0 dr-h----- C:\Documents and Settings\Zach\SendTo
2008-07-10 04:38:02 0 dr-h----- C:\Documents and Settings\Zach\Recent
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\PrintHood
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\NetHood
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\My Documents
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\Local Settings
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\Favorites
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\Desktop
2008-07-10 04:38:02 0 d---s---- C:\Documents and Settings\Zach\Cookies
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\Application Data
2008-07-10 04:38:02 0 d-------- C:\Documents and Settings\Zach\Application Data\Identities
2008-07-10 04:37:54 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-07-10 04:37:51 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-07-10 04:20:36 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-07-10 04:20:33 0 d--hs---- C:\Recycled
2008-07-10 04:19:32 0 d--hs---- C:\WINDOWS\Installer
2008-07-09 23:47:35 0 d-------- C:\WINDOWS\system32\scripting
2008-07-09 23:47:29 0 d-------- C:\WINDOWS\l2schemas
2008-07-09 23:47:27 0 d-------- C:\WINDOWS\system32\en
2008-07-09 23:40:29 0 d-------- C:\WINDOWS\network diagnostic
2008-07-09 23:08:36 0 d-------- C:\Documents and Settings\Zach\Contacts
2008-07-09 22:44:29 0 d-------- C:\Documents and Settings\Zach\Application Data\Apple Computer
2008-07-09 22:36:48 0 d-------- C:\Program Files\QuickTime
2008-07-09 22:30:46 0 d-------- C:\Documents and Settings\Zach\Application Data\Macromedia
2008-07-09 22:30:44 0 d-------- C:\Documents and Settings\Zach\Application Data\Adobe
2008-07-09 22:28:50 0 d-------- C:\Documents and Settings\Zach\Application Data\LimeWire
2008-07-09 22:24:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-09 22:23:09 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-09 22:22:48 0 d-------- C:\Program Files\Windows Live
2008-07-09 22:21:49 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-07-09 22:21:11 0 d-------- C:\Program Files\Common Files\Apple
2008-07-09 22:21:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-09 22:19:45 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-09 22:16:12 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-09 20:18:57 0 d--hs---- C:\System Volume Information
2008-07-09 20:18:48 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-07-09 20:18:48 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-07-09 20:18:48 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-07-09 20:18:48 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-07-09 20:18:47 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-07-09 20:18:47 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-07-09 20:18:47 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-07-09 20:18:47 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-07-09 20:15:22 0 d-------- C:\WINDOWS\system32\xircom
2008-07-09 20:15:22 0 d-------- C:\Program Files\microsoft frontpage
2008-07-09 20:15:18 524288 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-07-09 20:14:24 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-07-09 20:14:15 0 dr------- C:\WINDOWS\Offline Web Pages
2008-07-09 20:14:15 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-07-09 20:13:52 0 d-------- C:\WINDOWS\system32\DirectX
2008-07-09 20:13:39 0 d---s---- C:\WINDOWS\Tasks
2008-07-09 20:13:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-07-09 20:13:36 0 d-------- C:\WINDOWS\system32\Macromed
2008-07-09 20:13:36 0 d-------- C:\WINDOWS\srchasst
2008-07-09 20:13:36 0 d-------- C:\Program Files\Movie Maker
2008-07-09 20:13:34 0 d-------- C:\WINDOWS\system32\Restore
2008-07-09 20:13:34 0 d-------- C:\WINDOWS\PCHealth
2008-07-09 20:13:20 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-09 20:12:58 0 d-------- C:\WINDOWS\Registration
2008-07-09 20:12:27 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-09 20:12:27 0 d-------- C:\Program Files\Online Services
2008-07-09 20:12:24 0 d-------- C:\WINDOWS\system32\FxsTmp
2008-07-09 20:12:15 0 d-------- C:\Program Files\Messenger
2008-07-09 20:12:12 0 d-------- C:\Program Files\MSN Gaming Zone
2008-07-09 20:11:59 0 d-------- C:\Program Files\Windows NT
2008-07-09 20:11:58 0 d-------- C:\WINDOWS\system32\MsDtc
2008-07-09 20:11:58 0 d-------- C:\WINDOWS\system32\Com
2008-07-09 20:10:13 150528 --a------ C:\WINDOWS\system32\ptpusd.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-09 20:08:37 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-09 20:08:35 0 dr------- C:\Program Files
2008-07-09 20:08:35 0 d-------- C:\Program Files\Common Files
2008-07-09 20:08:35 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-07-09 20:08:24 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-07-09 20:08:24 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-07-09 20:08:24 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-07-09 20:08:24 0 dr-h----- C:\Documents and Settings\Default User\Recent
2008-07-09 20:08:24 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-07-09 20:08:24 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-07-09 20:08:24 0 dr------- C:\Documents and Settings\Default User\My Documents
2008-07-09 20:08:24 0 d--h----- C:\Documents and Settings\Default User\Local Settings
2008-07-09 20:08:24 0 dr------- C:\Documents and Settings\Default User\Favorites
2008-07-09 20:08:24 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-07-09 20:08:24 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-07-09 20:08:24 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-07-09 20:08:24 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-07-09 20:08:24 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-07-09 20:08:24 0 dr------- C:\Documents and Settings\All Users\Documents
2008-07-09 20:08:24 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-07-09 20:08:13 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-07-09 20:08:13 0 d-------- C:\WINDOWS\system32\CatRoot
2008-07-09 20:08:07 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-07-09 20:08:07 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-07-09 20:08:07 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-07-09 20:08:07 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-07-09 20:07:57 0 d-------- C:\Documents and Settings
2008-07-09 20:07:18 0 d-------- C:\DRV
2008-07-09 20:05:30 0 d-------- C:\WINDOWS
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\WinSxS
2008-07-09 20:05:30 0 dr------- C:\WINDOWS\Web
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\twain_32
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\wins
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\wbem
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\usmt
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\spool
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\ShellExt
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\Setup
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\ras
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\oobe
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\npp
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\mui
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\inetsrv
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\IME
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\icsxml
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\ias
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\export
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\drivers
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-07-09 20:05:30 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\dhcp
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\config
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\3076
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\2052
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1054
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1042
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1041
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1037
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1033
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1031
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1028
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system32\1025
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\system
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\security
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Resources
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\repair
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\mui
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\msapps
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\msagent
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Media
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\java
2008-07-09 20:05:30 0 d--h----- C:\WINDOWS\inf
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\ime
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Help
2008-07-09 20:05:30 0 dr--s---- C:\WINDOWS\Fonts
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Driver Cache
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Debug
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Cursors
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Connection Wizard
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\Config
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\AppPatch
2008-07-09 20:05:30 0 d-------- C:\WINDOWS\addins
2008-07-09 12:18:48 233472 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
2008-07-09 12:18:47 233472 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-07-09 20:08:26 62 --ahs---- C:\Documents and Settings\Zach\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{542D4704-0929-4A52-8372-C19483ED1865}]
13/04/2008 05:12 PM 91648 --a------ C:\WINDOWS\system32\psisdec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6135FA-23A1-4312-A5E9-4ADC33B251EA}]
13/04/2008 05:12 PM 91648 --a------ C:\WINDOWS\system32\psisdec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D4C357B-5DC9-417E-BB4A-3D2123BBCC37}]
C:\WINDOWS\system32\wvUmjIba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68EA054A-189E-4AAF-B452-126F8C991E27}]
13/04/2008 05:12 PM 91648 --a------ C:\WINDOWS\system32\psisdec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
08/08/2008 09:30 PM 262144 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [08/08/2008 09:30 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [27/08/2003 11:32 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [27/08/2003 11:19 PM]
"SoundMan"="SOUNDMAN.EXE" [13/11/2003 06:23 PM C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [03/07/2008 02:23 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 06:32 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [28/08/2002 09:39 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [28/08/2002 09:39 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [28/08/2002 09:39 PM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19/07/2005 05:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 03:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 03:14 PM]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [30/07/2008 10:47 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 07:38 AM]
"COMODO SafeSurf"="C:\Program Files\COMODO\SafeSurf\cssurf.exe" [08/08/2008 09:30 PM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [08/08/2008 09:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/05/2008 03:54 PM]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [08/06/2005 02:44 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSljHa]
tuvSljHa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUmjIba

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd44bbd-4ed1-11dd-a2e8-00016c2aeab8}]
AutoRun\command- F:\Setup.exe

*Newly Created Service* - CMDAGENT
*Newly Created Service* - CMDGUARD
*Newly Created Service* - CMDHLP
*Newly Created Service* - INSPECT



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-08 22:18:50 ------------

DSS Extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.60GHz
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 247.48 MiB / 61.46 MiB
Pagefile Memory (total/avail): 606.86 MiB / 307.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1910.93 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 29.98 GiB total, 15.55 GiB free.
D: is Fixed (NTFS) - 44.53 GiB total, 42.79 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 30 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 44.53 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Zach\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OEM-YHH2CTJDNKT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Zach
LOGONSERVER=\\OEM-YHH2CTJDNKT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Zach\LOCALS~1\Temp
TMP=C:\DOCUME~1\Zach\LOCALS~1\Temp
USERDOMAIN=OEM-YHH2CTJDNKT
USERNAME=Zach
USERPROFILE=C:\Documents and Settings\Zach
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Zach (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Apple Mobile Device Support --> MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update --> MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
COMODO Firewall Pro --> C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
COMODO SafeSurf --> C:\Program Files\COMODO\SafeSurf\cssconfg.exe -u
Guitar Pro 5.2 --> "D:\Program Files\Guitar Pro 5\unins000.exe"
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
iTunes --> MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LADSPA_plugins-win-0.4.15 --> "C:\Program Files\Audacity\Plug-Ins\unins000.exe"
LimeWire 4.18.3 --> "D:\Program Files\LimeWire\uninstall.exe"
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory --> MsiExec.exe /I{7A512A34-F4E8-43C4-BD80-43A022B31BF6}
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.1) --> D:\Program Files\Mozila Firefox\uninstall\helper.exe
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Task Manager 1.7f --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.3.1 TX --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type416 / Error
Event Submitted/Written: 08/08/2008 10:13:04 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type415 / Error
Event Submitted/Written: 08/08/2008 10:13:03 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type414 / Error
Event Submitted/Written: 08/08/2008 10:13:03 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type413 / Error
Event Submitted/Written: 08/08/2008 10:13:03 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type412 / Error
Event Submitted/Written: 08/08/2008 10:13:03 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type517 / Error
Event Submitted/Written: 08/07/2008 00:55:43 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type516 / Error
Event Submitted/Written: 08/07/2008 00:55:43 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type515 / Error
Event Submitted/Written: 08/07/2008 11:15:06 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register with DCOM within the required timeout.

Event Record #/Type514 / Error
Event Submitted/Written: 08/07/2008 11:14:19 AM / 08/07/2008 11:14:20 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register with DCOM within the required timeout.

Event Record #/Type510 / Error
Event Submitted/Written: 08/06/2008 11:54:29 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-08-08 22:18:50 ------------
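The registry dump posted above shows the persistence points worth reading first: four O2 BHO CLSIDs, three of which load the same psisdec.dll and one of which points at a wvUmjIba.dll that is no longer on disk; a Winlogon Notify entry (tuvSljHa) whose DLL is also missing; a second entry, C:\WINDOWS\system32\wvUmjIba, appended to the LSA "Authentication Packages" list, which on a standalone XP machine should contain only msv1_0 (anything else in that list is loaded into lsass.exe); and a MountPoints2 AutoRun command for F:\Setup.exe. The following is an added example, not part of this thread and not code from HijackThis or DSS: a small triage script that applies those checks to lines copied from the logs above (the input is constructed from them). The reversed-name check comes from the pair visible in this thread, abIjmUvw.ini2 next to wvUmjIba.dll, a naming trait of the Vundo/Virtumonde adware family; the eight-letter mixed-case name heuristic is an assumption that will also flag some legitimate names, so it is applied only to BHO, Winlogon Notify and LSA entries, never to ordinary Run entries.

```python
"""Triage of HijackThis / DSS lines for the persistence points seen in this
thread: O2 BHOs, O20 Winlogon Notify, the LSA "Authentication Packages" list
and a MountPoints2 AutoRun command. Added example, not code from the thread."""
import re
from collections import defaultdict

# Constructed input: lines copied from the HijackThis and DSS logs above.
SAMPLE = r"""
O2 - BHO: (no name) - {542D4704-0929-4A52-8372-C19483ED1865} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5A6135FA-23A1-4312-A5E9-4ADC33B251EA} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5D4C357B-5DC9-417E-BB4A-3D2123BBCC37} - C:\WINDOWS\system32\wvUmjIba.dll (file missing)
O2 - BHO: (no name) - {68EA054A-189E-4AAF-B452-126F8C991E27} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O20 - Winlogon Notify: tuvSljHa - tuvSljHa.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUmjIba
AutoRun\command- F:\Setup.exe
C:\WINDOWS\system32\abIjmUvw.ini2
"""

BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+?)( \(file missing\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(.+)$')
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")


def stem_of(path):
    """Last path component without its extension, e.g. wvUmjIba.dll -> wvUmjIba."""
    name = path.rsplit("\\", 1)[-1]
    return name.split(".", 1)[0]


def looks_random(stem):
    """Heuristic (an assumption, not a rule): eight letters mixing upper and
    lower case after the first character, the shape of wvUmjIba, tuvSljHa and
    abIjmUvw in this log. Legitimate names of that shape are flagged too."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    tail = stem[1:]
    return any(c.isupper() for c in tail) and any(c.islower() for c in tail)


def triage(log_text):
    """Return (kind, subject, detail) findings for the lines in log_text."""
    findings = []
    clsids_by_dll = defaultdict(list)   # which BHO CLSIDs load each DLL
    stems = set()                       # every file stem seen, for the reversal check
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            clsid, path, missing = m.groups()
            stems.add(stem_of(path))
            clsids_by_dll[path.lower()].append(clsid)
            if missing:
                findings.append(("dangling", clsid, "BHO DLL missing on disk: " + path))
            if looks_random(stem_of(path)):
                findings.append(("random_name", clsid, path))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            key, dll, missing = m.groups()
            stems.add(stem_of(dll))
            if missing:
                findings.append(("dangling", key, "Winlogon Notify DLL missing on disk: " + dll))
            if looks_random(stem_of(dll)):
                findings.append(("random_name", key, dll))
            continue
        m = LSA_RE.match(line)
        if m:
            # A standalone XP machine lists only msv1_0; anything else is loaded into lsass.exe.
            for pkg in m.group(1).split():
                if pkg.lower() != "msv1_0":
                    stems.add(stem_of(pkg))
                    findings.append(("lsa_auth_package", pkg, "extra LSA authentication package"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(("autorun", m.group(1), "MountPoints2 AutoRun command for a removable drive"))
            continue
        for token in PATH_RE.findall(line):
            stems.add(stem_of(token))
    for path, clsids in clsids_by_dll.items():
        if len(clsids) > 1:
            findings.append(("shared_dll", path,
                             "%d BHO CLSIDs load the same DLL: %s" % (len(clsids), ", ".join(clsids))))
    # Reversed-name pairs: abIjmUvw (.ini2) is wvUmjIba (.dll) spelled backwards.
    for s in sorted(stems):
        r = s[::-1]
        if r != s and r in stems and s < r:
            findings.append(("reversed_pair", s, "stem is the reverse of " + r))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE):
        print("%-16s %-50s %s" % (kind, subject, detail))
```

Run against the sample it reports the two dangling entries, the two random-looking names, the extra LSA package, the AutoRun command, psisdec.dll being shared by three CLSIDs, and the abIjmUvw/wvUmjIba reversal, while the Java and Ask Toolbar BHOs produce no findings. A dangling reference is still worth removing: Windows keeps trying to load the DLL at every logon, and the file can be recreated by whatever dropped it.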

#6
Jimmy2012
    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aznscene,

STEP 1
I see that you have a P2P (peer-to-peer) program on your computer. While the program itself may be safe, the files you get can be illegal and can also have malware in them. I recommend you remove the following program. (If you do not want to remove the P2P program, please skip this step and go to the next one.)

Please click Start > Control Panel > Add/Remove Programs and remove the following program (if present). Also remove any other P2P programs you may have.
LimeWire

Once you have done that, please remove the following folders (if present):
C:\Documents and Settings\Zach\Application Data\LimeWire
D:\Program Files\LimeWire

STEP 2
Please reopen HijackThis and click on Do a system scan only. Put a check next to the following lines.

O2 - BHO: (no name) - {542D4704-0929-4A52-8372-C19483ED1865} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5A6135FA-23A1-4312-A5E9-4ADC33B251EA} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: (no name) - {5D4C357B-5DC9-417E-BB4A-3D2123BBCC37} - C:\WINDOWS\system32\wvUmjIba.dll (file missing)
O2 - BHO: (no name) - {68EA054A-189E-4AAF-B452-126F8C991E27} - C:\WINDOWS\system32\psisdec.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O20 - Winlogon Notify: tuvSljHa - tuvSljHa.dll (file missing)

Once you have the checks in those lines, please make sure all open windows are closed (keep HijackThis open) and click Fix checked in HijackThis. A box will open asking if you want to fix the selected items; please click Yes. After you have fixed those lines, you can close HijackThis.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\maspukwr.exe
    C:\WINDOWS\system32\usuigrwq.exe
    C:\WINDOWS\system32\abIjmUvw.ini2
    C:\WINDOWS\system32\klcbafcr.exe
    C:\WINDOWS\system32\aeuwfdxh.exe
    C:\WINDOWS\system32\psisdec.dll
    C:\Documents and Settings\Zach\!
    C:\WINDOWS\WmFjaA
    C:\WINDOWS\system32\hp1
    C:\WINDOWS\system32\bx2
    C:\WINDOWS\system32\zk_sc dir
    C:\FOUND.000
    C:\FOUND.001
    C:\FOUND.002
    F:\Setup.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd44bbd-4ed1-11dd-a2e8-00016c2aeab8}
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP 3
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Registry Modifications
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
Then double click on the fix.reg file, when it prompts to merge click "Yes".

STEP 4
Click on Start > Run, then copy and paste the following into the Open box and click OK.
"%userprofile%\desktop\dss.exe" /daft
Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window.

Next, please rescan with DSS. To do this, double-click dss.exe and follow any prompts. When it is done it will open one Notepad file, main.txt. Please copy/paste the text in main.txt in your next reply.
~~~~~~~~~~~
In your next reply please include these logs:
The OTMoveIt2 log
The DSS main.txt
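STEP 3 above restores the LSA "Authentication Packages" value by merging a .reg file whose hex(7) payload is the REG_MULTI_SZ encoding of a single string, msv1_0: each character as UTF-16LE, a NUL terminator, then an empty string as the list terminator. Before merging a hand-written value like that it is worth decoding it to confirm it says what you think it does. The following is an added example, not part of the thread and not code from any of the tools used in it: Python helpers written for this page that decode the posted value, re-encode a list to the same hex(7) form, read the current list from the DSS registry-dump line and emit a fix that keeps only msv1_0. The function names and the single-line hex output are choices made here; regedit itself wraps long values with a trailing backslash, which the decoder tolerates. Caveat: overwriting the whole value is only right when msv1_0 is the sole legitimate package, as on this standalone XP Home machine; a machine that legitimately uses other authentication packages would need them kept in the list.

```python
"""Encode/decode the REG_MULTI_SZ hex(7) form regedit uses and build the
"Authentication Packages" fix from STEP 3. Added example, not code from the thread."""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
LSA_KEY = r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]"
VALUE_NAME = "Authentication Packages"

# The .reg text posted in STEP 3 (constructed copy; the continuation line is
# how regedit wraps long hex values: a trailing backslash, then the rest).
POSTED_FIX = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"""


def multi_sz_to_hex7(values):
    """REG_MULTI_SZ: each string as UTF-16LE plus a NUL, then an empty string."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return ",".join("%02x" % b for b in data)


def hex7_to_multi_sz(hex_text):
    """Inverse of multi_sz_to_hex7; ignores whitespace and line-wrap backslashes."""
    cleaned = re.sub(r"[\s\\]", "", hex_text)
    data = bytes(int(h, 16) for h in cleaned.split(",") if h)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def read_hex7_value(reg_text, name):
    """Find "name"=hex(7):... in .reg text, join wrapped lines, and decode it."""
    prefix = '"%s"=hex(7):' % name
    lines = reg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            chunk = line[len(prefix):]
            while chunk.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                chunk += lines[i]
            return hex7_to_multi_sz(chunk)
    raise KeyError(name)


def parse_auth_packages_line(dump_line):
    """Read the DSS dump line '"Authentication Packages"= msv1_0 <extra...>'."""
    m = re.match(r'^\s*"Authentication Packages"=\s*(.*)$', dump_line)
    if not m:
        raise ValueError("not an Authentication Packages line: %r" % dump_line)
    return m.group(1).split()


def build_fix(current, keep=("msv1_0",)):
    """Return (removed, reg_text): keep only the expected packages and emit a
    .reg file that overwrites the value with them. Single-line hex; regedit
    accepts that as well as its own wrapped output."""
    wanted = {k.lower() for k in keep}
    kept = [p for p in current if p.lower() in wanted]
    removed = [p for p in current if p.lower() not in wanted]
    reg_text = "%s\r\n\r\n%s\r\n\"%s\"=hex(7):%s\r\n" % (
        REG_HEADER, LSA_KEY, VALUE_NAME, multi_sz_to_hex7(kept))
    return removed, reg_text


if __name__ == "__main__":
    print("posted fix decodes to:", read_hex7_value(POSTED_FIX, VALUE_NAME))
    current = parse_auth_packages_line(
        r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUmjIba')
    removed, reg_text = build_fix(current)
    print("would remove:", removed)
    print(reg_text)
```

Decoding the posted value yields exactly ["msv1_0"], so the fix does what STEP 3 says. Because an authentication package runs inside lsass.exe, the DLL stays loaded until the next reboot even after the registry value is corrected, which is why the reboot and the follow-up scan in STEP 4 matter.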

#7
Aznscene
    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OTMoveIt2 log:

Explorer killed successfully
C:\WINDOWS\system32\maspukwr.exe moved successfully.
C:\WINDOWS\system32\usuigrwq.exe moved successfully.
C:\WINDOWS\system32\abIjmUvw.ini2 moved successfully.
C:\WINDOWS\system32\klcbafcr.exe moved successfully.
C:\WINDOWS\system32\aeuwfdxh.exe moved successfully.
File/Folder C:\WINDOWS\system32\psisdec.dll not found.
C:\Documents and Settings\Zach\! moved successfully.
C:\WINDOWS\WmFjaA moved successfully.
C:\WINDOWS\system32\hp1 moved successfully.
C:\WINDOWS\system32\bx2 moved successfully.
C:\WINDOWS\system32\zk_sc dir moved successfully.
C:\FOUND.000 moved successfully.
C:\FOUND.001 moved successfully.
C:\FOUND.002 moved successfully.
File/Folder F:\Setup.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd44bbd-4ed1-11dd-a2e8-00016c2aeab8} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd44bbd-4ed1-11dd-a2e8-00016c2aeab8}\\ deleted successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFDECD.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFDFC2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DF2156.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\~DF22E1.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\etilqs_QJxxChv96dTm9EuKxUir scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5f4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08102008_113800

Files moved on Reboot...
C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFDECD.tmp moved successfully.
C:\DOCUME~1\Zach\LOCALS~1\Temp\~DFDFC2.tmp moved successfully.
C:\DOCUME~1\Zach\LOCALS~1\Temp\~DF2156.tmp moved successfully.
C:\DOCUME~1\Zach\LOCALS~1\Temp\~DF22E1.tmp moved successfully.
File move failed. C:\DOCUME~1\Zach\LOCALS~1\Temp\etilqs_QJxxChv96dTm9EuKxUir scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_5f4.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

DSS main.txt:

Deckard's System Scanner v20071014.68
Run by Zach on 2008-08-10 11:53:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Zach.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:57 AM, on 10/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hamachi\hamachi.exe
D:\Program Files\Mozila Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Zach\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Zach.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6282 bytes

-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-08 21:32:11 0 d-------- C:\VundoFix Backups
2008-08-08 21:30:41 0 d-------- C:\Program Files\AskSBar
2008-08-08 21:29:50 0 d-------- C:\Documents and Settings\Zach\Application Data\Comodo
2008-08-08 21:29:43 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-08-08 21:29:37 0 d-------- C:\Program Files\COMODO
2008-08-07 13:27:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-07 13:27:16 0 d-------- C:\Program Files\Security Task Manager
2008-08-07 12:39:07 0 d-------- C:\Program Files\Enigma Software Group
2008-08-06 17:08:55 0 d-------- C:\Program Files\Alwil Software
2008-08-06 16:47:41 0 d-------- C:\Documents and Settings\Zach\Application Data\Malwarebytes
2008-08-06 16:47:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 16:47:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 16:46:55 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-06 15:33:22 0 d-------- C:\Program Files\Trend Micro
2008-08-06 00:25:09 0 d-------- C:\!KillBox
2008-08-05 22:41:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 21:07:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-04 21:44:33 0 d-------- C:\Program Files\Apple Software Update
2008-08-03 13:26:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-08-03 13:26:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-03 13:23:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-08-03 12:36:16 0 --a------ C:\WINDOWS\system32\taskkill.exe
2008-08-03 12:35:33 0 d-------- C:\Temp
2008-07-31 15:05:40 0 d-------- C:\Program Files\iPod
2008-07-29 17:06:22 4456448 --a------ C:\Documents and Settings\Zach\ntuser.dat
2008-07-29 00:27:59 0 d-------- C:\Program Files\Audacity
2008-07-25 11:58:53 0 d-------- C:\WINDOWS\Sun
2008-07-16 11:21:14 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-16 00:17:09 0 d-------- C:\Documents and Settings\Zach\Application Data\Nexon
2008-07-16 00:07:43 53248 -ra------ C:\WINDOWS\system32\InstMed.exe
2008-07-16 00:05:52 0 d-------- C:\Program Files\Common Files\Logitech
2008-07-16 00:03:02 0 d-------- C:\Program Files\Logitech
2008-07-15 20:59:53 0 d-------- C:\Nexon
2008-07-15 18:18:05 0 d-------- C:\Documents and Settings\Zach\Application Data\WinRAR
2008-07-15 18:12:06 0 d-------- C:\Documents and Settings\Zach\Application Data\Hamachi
2008-07-15 18:11:05 0 d-------- C:\Program Files\Hamachi
2008-07-14 23:50:05 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-14 23:50:03 0 d-------- C:\Documents and Settings\Zach\Application Data\skypePM
2008-07-14 23:48:31 0 d-------- C:\Documents and Settings\Zach\Application Data\Skype
2008-07-14 23:47:31 0 d-------- C:\Program Files\Skype
2008-07-14 23:47:29 0 d-------- C:\Program Files\Common Files\Skype
2008-07-14 23:47:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-11 11:28:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-07-10 15:38:08 0 d-------- C:\Program Files\Bonjour
2008-07-10 12:46:21 0 d-------- C:\Program Files\Messenger Plus! Live
2008-07-10 12:19:15 0 d-------- C:\WINDOWS\Prefetch
2008-07-10 06:03:08 0 d-------- C:\WINDOWS\peernet
2008-07-10 06:03:07 0 d-------- C:\WINDOWS\provisioning
2008-07-10 06:00:26 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-10 05:47:33 0 d-------- C:\WINDOWS\EHome
2008-07-10 05:32:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-10 05:23:30 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-10 05:23:27 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-10 05:22:33 0 d-------- C:\WINDOWS\system32\bits
2008-07-10 05:18:46 0 d---s---- C:\Documents and Settings\Zach\UserData
2008-07-10 05:17:54 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-10 05:17:50 0 d-------- C:\Documents and Settings\Zach\Application Data\Mozilla
2008-07-10 05:08:14 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-10 05:06:59 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-07-10 05:02:38 0 d-------- C:\WINDOWS\RegisteredPackages
2008-07-10 05:00:25 0 d-------- C:\Documents and Settings\Zach\Application Data\Sun
2008-07-10 05:00:08 0 d-------- C:\Program Files\Java
2008-07-10 05:00:07 0 d-------- C:\Program Files\Common Files\Java
2008-07-10 04:48:29 0 d-------- C:\Program Files\Realtek Sound Manager
2008-07-10 04:48:28 0 d-------- C:\Program Files\AvRack
2008-07-10 04:48:26 208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2008-07-10 04:48:26 139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2008-07-10 04:43:03 0 d-------- C:\WINDOWS\Drivers
2008-07-10 04:41:49 0 d-------- C:\Program Files\Intel
2008-07-10 04:41:15 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-07-10 04:41:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 04:41:08 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-10 04:41:04 0 -rahs---- C:\MSDOS.SYS
2008-07-10 04:41:04 0 -rahs---- C:\IO.SYS
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\Templates
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\Start Menu
2008-07-10 04:38:02 0 dr-h----- C:\Documents and Settings\Zach\SendTo
2008-07-10 04:38:02 0 dr-h----- C:\Documents and Settings\Zach\Recent
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\PrintHood
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\NetHood
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\My Documents
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\Local Settings
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\Favorites
2008-07-10 04:38:02 0 dr------- C:\Documents and Settings\Zach\Desktop
2008-07-10 04:38:02 0 d---s---- C:\Documents and Settings\Zach\Cookies
2008-07-10 04:38:02 0 d--h----- C:\Documents and Settings\Zach\Application Data
2008-07-10 04:38:02 0 d-------- C:\Documents and Settings\Zach\Application Data\Identities
2008-07-10 04:37:54 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-07-10 04:37:51 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-07-10 04:20:36 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-07-10 04:20:33 0 d--hs---- C:\Recycled
2008-07-10 04:19:32 0 d--hs---- C:\WINDOWS\Installer


-- Find3M Report ---------------------------------------------------------------

2008-07-09 22:44:30 0 d-------- C:\Documents and Settings\Zach\Application Data\Apple Computer
2008-07-09 22:36:50 0 d-------- C:\Program Files\QuickTime
2008-07-09 22:30:48 0 d-------- C:\Documents and Settings\Zach\Application Data\Macromedia
2008-07-09 22:30:46 0 d-------- C:\Documents and Settings\Zach\Application Data\Adobe
2008-07-09 22:28:52 0 d-------- C:\Documents and Settings\Zach\Application Data\LimeWire
2008-07-09 22:23:10 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-09 22:22:50 0 d-------- C:\Program Files\Windows Live
2008-07-09 22:21:12 0 d-------- C:\Program Files\Common Files\Apple
2008-07-09 20:15:24 0 d-------- C:\Program Files\microsoft frontpage
2008-07-09 20:13:40 0 d-------- C:\Program Files\Common Files\MSSoap
2008-07-09 20:13:38 0 d-------- C:\Program Files\Movie Maker
2008-07-09 20:13:22 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-09 20:12:28 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-09 20:12:28 0 d-------- C:\Program Files\Online Services
2008-07-09 20:12:16 0 d-------- C:\Program Files\Messenger
2008-07-09 20:12:14 0 d-------- C:\Program Files\MSN Gaming Zone
2008-07-09 20:12:00 0 d-------- C:\Program Files\Windows NT
2008-07-09 20:08:38 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-09 20:08:36 0 d-------- C:\Program Files\Common Files
2008-07-09 20:08:36 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-07-09 20:08:26 62 --ahs---- C:\Documents and Settings\Zach\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [08/08/2008 09:30 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [27/08/2003 11:32 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [27/08/2003 11:19 PM]
"SoundMan"="SOUNDMAN.EXE" [13/11/2003 06:23 PM C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [03/07/2008 02:23 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 06:32 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [28/08/2002 09:39 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [28/08/2002 09:39 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [28/08/2002 09:39 PM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19/07/2005 05:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 03:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 03:14 PM]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [30/07/2008 10:47 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 07:38 AM]
"COMODO SafeSurf"="C:\Program Files\COMODO\SafeSurf\cssurf.exe" [08/08/2008 09:30 PM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [08/08/2008 09:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/05/2008 03:54 PM]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [08/06/2005 02:44 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-10 12:00:23 ------------

#8
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aznscene,

STEP 1
Please reopen HijackThis, click on Do a system scan only, and put a check next to the following line.

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

Once you have the check in that line, please make sure all open windows are closed (keep HijackThis open) and click Fix checked in HijackThis. A box will open asking if you want to fix the selected items; please click Yes. After you have fixed that line you can close HijackThis.

STEP 2
Please do an online scan with Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
~~~~~~~~~
In your next reply please have these logs/info.
The Kaspersky log
And please tell me how your computer is running.
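The fix in STEP 1 works on one line of the HijackThis log, identified by its O2 section and CLSID. For readers who want to triage such logs systematically rather than by eye, the following is an added example (not part of this thread and not HijackThis code): it parses O2, O4, O20 and O23 lines into records and flags any BHO whose CLSID is on a review list. The sample log is constructed from the shape of the lines posted above; the review list holds the Ask Toolbar CLSID from the post, and the `Entry`, `parse_hjt` and `flag_for_review` names are this example's own.

```python
"""Parse HijackThis O2/O4/O20/O23 lines and flag BHOs on a review list.
Added example; not part of the thread or of HijackThis itself."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample built from the shape of the lines in the log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip()

# CLSID the helper asked to be fixed in the post above; compared case-insensitively.
REVIEW_CLSIDS = {"{F0D4B231-DA4B-4DAF-81E4-DFEE4931A4AA}"}


@dataclass
class Entry:
    kind: str                    # "O2", "O4", "O20" or "O23"
    name: str                    # BHO name, Run value name, or service name
    path: str                    # module or executable path
    clsid: Optional[str] = None  # O2 only, normalised to upper case
    hive: Optional[str] = None   # O4 only: HKLM or HKCU
    args: str = ""               # O4 only: command-line arguments


_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def _split_cmd(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_hjt(text: str) -> List[Entry]:
    """Turn the recognised HijackThis sections into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O2.match(line):
            entries.append(Entry("O2", m["name"], m["path"], clsid=m["clsid"].upper()))
        elif m := _O4.match(line):
            exe, args = _split_cmd(m["cmd"])
            entries.append(Entry("O4", m["name"], exe, hive=m["hive"], args=args))
        elif m := _O20.match(line):
            # AppInit_DLLs is a space- or comma-delimited list, so a path with
            # spaces cannot appear in it; one Entry per DLL is exact here.
            for dll in filter(None, re.split(r"[\s,]+", m["dlls"])):
                entries.append(Entry("O20", "AppInit_DLLs", dll))
        elif m := _O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"]))
    return entries


def flag_for_review(entries: List[Entry], clsids=REVIEW_CLSIDS) -> List[Entry]:
    """Return the O2 entries whose CLSID is on the review list."""
    wanted = {c.upper() for c in clsids}
    return [e for e in entries if e.clsid and e.clsid in wanted]


if __name__ == "__main__":
    for e in flag_for_review(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind} {e.name} {e.clsid} -> {e.path}")
```

Matching on the CLSID rather than on the display name is the point: the name is free text chosen by whoever registered the BHO, while the CLSID is what the registry and the HijackThis fix actually act on.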

#9
Aznscene

    New Member

  • Topic Starter
  • Member
  • 6 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 23:00:07
Records in database: 1083545
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 93564
Threat name: 5
Infected objects: 16590
Suspicious objects: 0
Duration of the scan: 04:12:11


File name / Threat name / Threats count
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP42\A0017918.sys Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP42\A0018951.sys Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019354.dll Infected: Trojan.Win32.Monder.duz 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019356.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cgu 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019359.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cgu 1

Everything after that is under
C:\_OTMoveIt\MovedFiles\08102008_113800\
looking like music files of artists in mp3 files, all of which I did not download.

My computer seems fine, but Firefox seems to spend an abnormal amount of time "looking up" the page/site I am trying to view. Other than that it seems fine.

#10
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aznscene,
Please delete this folder.
C:\_OTMoveIt

After doing that please reboot your computer.
After your computer loads back up please run another scan with Kaspersky.


Please do an online scan with Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


#11
Aznscene

    New Member

  • Topic Starter
  • Member
  • 6 posts
Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 13, 2008 22:07:25
Records in database: 1090592
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 100682
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 04:16:52


File name / Threat name / Threats count
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP42\A0017918.sys Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP42\A0018951.sys Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019354.dll Infected: Trojan.Win32.Monder.duz 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019356.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cgu 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019359.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cgu 1

The selected area was scanned.

#12
Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello Aznscene,
Your logs look clean. :)
Just a few more things to do before we are done.


  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Please remove any leftover tools we used to fix your computer.



Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. SpywareGuard: This is real-time protection from spyware.

2. SpywareBlaster: Helps protect against any bad ActiveX from installing on your computer.

3. SuperAntiSpyware: Use this program to remove any spyware that may have gotten on your computer.

4. Firefox: This is a great alternative browser to Internet Explorer. Firefox is much more secure than Internet Explorer and also has a built-in pop-up blocker.

5. ATF Cleaner: This program cleans out your temporary files. This is a great tool that can help speed your computer up.

6. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.
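The two Kaspersky reports posted above list every remaining detection under C:\System Volume Information\_restore{...}\RPnn\, which is exactly why the helper's closing step resets System Restore: those files are restore-point copies that the scanner can see but not clean, not running code. The following is an added example (not part of this thread and not Kaspersky code) that parses a report of that shape and separates restore-point hits from hits in live files, so a reader can tell at a glance whether a reset alone is enough. The sample report reuses the five lines posted in the thread plus one constructed live-file line with a placeholder path; the `Hit`, `parse_report` and `triage` names are this example's own.

```python
"""Triage a Kaspersky Online Scanner 7 report: restore-point hits vs live files.
Added example; not part of the thread or of Kaspersky's tooling."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the five restore-point detections posted in the thread,
# plus one constructed live-file line (placeholder path) to exercise that branch.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP42\A0017918.sys Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP42\A0018951.sys Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019354.dll Infected: Trojan.Win32.Monder.duz 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019356.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cgu 1
C:\System Volume Information\_restore{6D0247FF-9DA5-474D-999C-BA752BE4371D}\RP44\A0019359.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cgu 1
C:\EXAMPLE_CONSTRUCTED\live_sample.dll Infected: Trojan.Win32.Monder.duz 1

The selected area was scanned.
""".strip()

# "<path> Infected: <threat> <count>"; the path may contain spaces, so it is
# matched lazily up to the literal " Infected: " marker.
_HIT = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Restore-point storage used by Windows XP System Restore.
_RESTORE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE
)


@dataclass
class Hit:
    path: str
    threat: str
    count: int
    restore_point: Optional[int]  # RP number when the file sits in a restore point


def parse_report(text: str) -> List[Hit]:
    """Extract detection lines; header, blank and trailer lines are skipped."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        m = _HIT.match(raw.strip())
        if not m:
            continue
        rp = _RESTORE.search(m["path"])
        hits.append(Hit(m["path"], m["threat"], int(m["count"]),
                        int(rp["rp"]) if rp else None))
    return hits


def triage(hits: List[Hit]) -> Dict[str, object]:
    """Split hits into live files and restore-point copies and summarise them."""
    live = [h for h in hits if h.restore_point is None]
    archived = [h for h in hits if h.restore_point is not None]
    return {
        "live": live,
        "restore_point": archived,
        # Restore points that hold infected copies; clearing System Restore
        # (as the helper describes above) removes all of them at once.
        "restore_points_to_purge": sorted({h.restore_point for h in archived}),
        "threats": Counter(h.threat for h in hits),
        # True means a System Restore reset is the only remaining action.
        "only_restore_points": not live,
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("live files:", [h.path for h in result["live"]])
    print("restore points to purge:", result["restore_points_to_purge"])
    print("threat counts:", dict(result["threats"]))
```

With the constructed live line removed, `only_restore_points` is true and the output matches the situation in the thread: nothing outside System Volume Information, so the restore-point reset is the whole remaining fix. Any live hit, by contrast, needs its own removal step before the reset is worth doing.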

#13
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.