MalwareRemoval.com - Malware Removal Instructions

HijackThis Log File - Still can't kill off these popups.

Post by KlavoHunter » August 29th, 2007, 9:54 pm

Alright, I've run HijackThis previously and gotten rid of some of the more obvious bits of spy/adware, and also run Spybot S&D and removed a bunch of stuff prior to posting this log.

However, I'm still the victim of (what I suspect to be) these failed popups that are being blocked in some way, probably by Firefox. They have the horribly annoying effect of deselecting whatever window I'm in, or even outright minimizing me when I'm trying to play StarCraft, for instance. It was far worse when I originally got it, with lots of ads, "Antivirus" software popup ads saying I could be infected, stuff attempting to download itself to my PC, and even audio ads playing through my speakers. I'm afraid I didn't document what all I had.

I suspect that I got this infection via a banner ad or something on ImageShack, or perhaps the image itself was somehow the carrier of this virus and such.



Anyways, here's the log.

Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:17:44 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Internet Explorer\womyv22011.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Doug\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {522143C4-30EC-44D3-2A96-17A80E66635C} - C:\Program Files\NetMeeting\baquzujyd667.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {690991BC-D0D4-4CB1-8159-549BFB2C2A66} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [womyv] C:\Program Files\Internet Explorer\womyv22011.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll,CreateProtectProc
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159110994328
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\fsozynocic.html

--
End of file - 6820 bytes
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm

Post by KlavoHunter » August 29th, 2007, 11:42 pm

Okay, I ran AdAware and it appears that my problems are gone, here is the updated log.

Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:42:17 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Doug\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {522143C4-30EC-44D3-2A96-17A80E66635C} - C:\Program Files\NetMeeting\baquzujyd667.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {690991BC-D0D4-4CB1-8159-549BFB2C2A66} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll,CreateProtectProc
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159110994328
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\fsozynocic.html

--
End of file - 6631 bytes
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm
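The two logs above (the first before Ad-Aware, the second after) invite a quick differential triage: which O2/O4/O24 registrations did the cleanup actually remove, and which survived. The script below is an added example for this thread, not the forum's or HijackThis' own code. It parses the O2 (BHO), O4 (autostart) and O24 (Active Desktop component) lines, flags entries with traits visible in both logs (a DLL loaded from a Temp directory, random-looking file names, a long hex token on an autostart command line, a desktop component backed by a local HTML file) and diffs the two logs by file path rather than CLSID. The excerpt logs embedded as SAMPLE_BEFORE and SAMPLE_AFTER are copied from the two posts; the heuristics, thresholds and function names are this example's assumptions.

```python
"""Triage and diff HijackThis logs (added example; not the forum's or HijackThis' code).

SAMPLE_BEFORE/SAMPLE_AFTER are excerpts copied from the two logs posted above;
the flagging heuristics are this example's assumptions, not rules from the page.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O24_RE = re.compile(r"^O24 - Desktop Component \d+: (?P<name>.*?) - (?P<path>.+)$")
FILE_RE = re.compile(r'[^\s",]+\.(?:exe|dll|html?)', re.I)           # path-ish tokens in a command line
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,}\d{3,}\.(?:exe|dll)$", re.I)  # womyv22011.exe, baquzujyd667.dll
HEX_BLOB_RE = re.compile(r"\b[0-9A-F]{32,}\b")                        # long hex token passed as an argument


@dataclass(frozen=True)
class Entry:
    kind: str    # "O2", "O4" or "O24"
    hive: str    # registry location for O4 entries, "" otherwise
    name: str    # BHO/component display name, or the O4 value name
    target: str  # DLL path (O2, O24) or the full command line (O4)
    raw: str

    def key(self):
        # The CLSID is deliberately not part of the key: Vundo re-registers its
        # BHO under a fresh CLSID, so the DLL path is the stable identifier.
        return (self.kind, self.hive.lower(), self.name.lower() if self.kind == "O4" else "", self.target.lower())


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := O2_RE.match(line):
            entries.append(Entry("O2", "", m["name"], m["path"], line))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["hive"], m["key"], m["cmd"], line))
        elif m := O24_RE.match(line):
            entries.append(Entry("O24", "", m["name"], m["path"], line))
    return entries


def reasons_for(e: Entry) -> List[str]:
    low = e.target.lower()
    if low == "(no file)":                       # orphaned registration, nothing is loaded
        return []
    out = []
    if "\\temp\\" in low:
        out.append("loads from a Temp directory")
    names = [m.group(0).rsplit("\\", 1)[-1] for m in FILE_RE.finditer(e.target)]
    if any(RANDOM_NAME_RE.match(n) for n in names):
        out.append("random-looking file name")
    if e.kind == "O4" and HEX_BLOB_RE.search(e.target):
        out.append("opaque hex token on the command line")
    if e.kind == "O24" and re.match(r"^[a-z]:\\", low):
        out.append("Active Desktop component backed by a local HTML file")
    if e.kind == "O2" and out and (e.name == "(no name)" or not re.search(r"[A-Za-z]", e.name)):
        out.append("BHO has no display name")    # only reported alongside a stronger signal
    return out


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """(raw line, reasons) for every entry that trips at least one heuristic."""
    return [(e.raw, r) for e in parse_hjt(text) if (r := reasons_for(e))]


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries only in `before` (removed by the cleanup) and only in `after` (new)."""
    b = {e.key(): e.raw for e in parse_hjt(before)}
    a = {e.key(): e.raw for e in parse_hjt(after)}
    return sorted(b[k] for k in b.keys() - a.keys()), sorted(a[k] for k in a.keys() - b.keys())


# Excerpts copied from the first log in the thread (before the Ad-Aware run).
SAMPLE_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {522143C4-30EC-44D3-2A96-17A80E66635C} - C:\Program Files\NetMeeting\baquzujyd667.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {690991BC-D0D4-4CB1-8159-549BFB2C2A66} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [womyv] C:\Program Files\Internet Explorer\womyv22011.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll,CreateProtectProc
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\fsozynocic.html
"""
# The second log differs only in the womyv/runner1 autostarts being gone and Ad-Aware's tray entry appearing.
SAMPLE_AFTER = "\n".join(ln for ln in SAMPLE_BEFORE.splitlines()
                         if "[womyv]" not in ln and "[runner1]" not in ln)
SAMPLE_AFTER += "\nO4 - HKLM\\..\\Run: [AAWTray] C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\AAWTray.exe\n"

if __name__ == "__main__":
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed by cleanup:", *removed, sep="\n  ")
    print("new since cleanup:", *added, sep="\n  ")
    print("still suspicious after cleanup:")
    for raw, reasons in triage(SAMPLE_AFTER):
        print(f"  {raw}\n    -> {'; '.join(reasons)}")
```

Run as written, the diff shows that the cleanup removed the womyv and runner1 autostarts, while the triage of the second log still reports the awtqn.dll BHO, its rundll32 loader under HKCU\..\Run, the NetMeeting DLL and the Active Desktop component. Keying the diff on file path rather than CLSID matters here: the DSS log later in the thread lists awtqn.dll under a different CLSID, and a CLSID-keyed diff would wrongly report it as removed and re-added.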

Post by SNOWHITE » August 30th, 2007, 4:23 pm

Hello KlavoHunter,

My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #2

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Step #3

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


In your next post please include the following reports:
  • VundoFix report
  • dss scan reports main.txt and extra.txt
  • Blacklight report
Let me know how things went.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm

Post by KlavoHunter » August 31st, 2007, 1:04 am

Step #1:

VundoFix failed to find any infected files, and thus produced no log.



Step #2:

main.txt
Code:
Deckard's System Scanner v20070826.66
Run by Administrator on 2007-08-30 23:33:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
57: 2007-08-31 04:33:25 UTC - RP254 - Deckard's System Scanner Restore Point
56: 2007-08-30 02:01:25 UTC - RP253 - Installed Ad-Aware 2007
55: 2007-08-29 22:09:19 UTC - RP252 - Removed BioShock Demo
54: 2007-08-29 08:00:22 UTC - RP251 - Software Distribution Service 3.0
53: 2007-08-29 01:09:25 UTC - RP250 - System Checkpoint


-- First Restore Point -- 
1: 2007-06-02 21:54:56 UTC - RP198 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-30 23:35:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSVCCDA.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Doug\Desktop\dss.exe

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {522143C4-30EC-44D3-2A96-17A80E66635C} - C:\Program Files\NetMeeting\baquzujyd667.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D5EC6097-60C7-4B4F-8B80-C8456B7B0388} - C:\Documents and Settings\Doug\Local Settings\Temp\awtqn.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKEY_LOCAL_MACHINE\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKEY_LOCAL_MACHINE\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKEY_LOCAL_MACHINE\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" /bg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE
O4 - HKCU\..\RunOnce: [DefaultP17] P17Def.Exe
O4 - HKCU\..\RunOnce: [DAEMON Tools 4.08 Setup] "C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159110994328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSVCCDA.EXE


-- HijackThis Fixed Entries (C:\Documents and Settings\Doug\Desktop\backups\) --

backup-20070829-171926-389 O4 - Startup: TA_Start.lnk = C:\WINNT\system32\dwdsrngt.exe
backup-20070829-171926-932 O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\pwinpmdt.exe
backup-20070829-172536-755 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20070829-174741-646 O4 - HKCU\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\Doug\LOCALS~1\Temp\winaspsnet.exe" -nag 

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 xfilt (VIA SATA IDE Hot-plug Driver) - c:\winnt\system32\drivers\xfilt.sys <Not Verified; VIA Technologies,Inc; VIA filter driver>

S3 AMDPCI - c:\docume~1\admini~1\locals~1\temp\amdpci.sys (file missing)
S3 SoC PC-Camera Service (SoC PC-Camera) - c:\winnt\system32\drivers\pfc027.sys
S3 usbhub20 (USB 2.0 Root Hub Support) - c:\winnt\system32\drivers\usbhub20.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
S4 Nbf (NetBEUI Protocol) - c:\winnt\system32\drivers\nbf.sys (file missing)
S4 Parallel (Parallel class driver) - c:\winnt\system32\drivers\parallel.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: Applied Networking Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: 
Device ID: ROOT\PARALLELCLASS\0000
Manufacturer: 
Name: 
PNP Device ID: ROOT\PARALLELCLASS\0000
Service: Parallel


-- Scheduled Tasks -------------------------------------------------------------

2007-08-13 16:25:00       284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-30 and 2007-08-30 -----------------------------

2007-08-30 23:33:12         0 d-------- \Deckard
2007-08-30 23:26:52         0 d-------- \VundoFix Backups
2007-08-29 21:01:27         0 d-------- C:\Program Files\Lavasoft
2007-08-29 21:01:27         0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-29 18:04:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-29 17:11:57         0 d--hs---- C:\WINNT\ZA
2007-08-29 17:11:53    192588 --a------ C:\WINNT\system32\pwinpmdt.exe
2007-08-29 17:11:50         0 d-------- C:\WINNT\system32\drvr2
2007-08-29 17:11:50         0 d-------- C:\WINNT\system32\cfig32
2007-08-29 17:11:50         0 d-------- C:\WINNT\system32\capcom
2007-08-29 17:11:49         0 d-------- C:\WINNT\system32\f02WtR
2007-08-21 18:34:04         0 d-------- C:\Documents and Settings\Doug\Application Data\Bioshock
2007-08-07 13:58:08      8320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
2007-08-07 13:56:58      9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
2007-08-06 06:06:32         0 d-------- C:\Documents and Settings\Doug\Application Data\Yahoo! Messenger


-- Find3M Report ---------------------------------------------------------------

2007-08-30 17:05:42 1610612736 --ahs---- \pagefile.sys
2007-08-30 04:22:25         0 d-------- C:\Program Files\Trillian
2007-08-30 00:58:05         0 d-------- C:\Program Files\Starcraft
2007-08-29 21:00:56         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-21 18:05:44         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-27 22:47:08         0 d-------- C:\Program Files\RealVNC
2007-07-22 15:14:17         0 d-------- C:\Program Files\Winamp
2007-07-21 23:36:36         0 d-------- C:\Program Files\CyberLink
2007-07-21 23:11:02         0 d-------- C:\Program Files\Spring
2007-07-21 21:00:59         0 d-------- C:\Program Files\DivX
2007-07-16 17:31:46         0 d-------- C:\Program Files\Skype
2007-07-16 17:31:43         0 d-------- C:\Program Files\Common Files\Skype
2007-07-16 17:31:42         0 d-a------ C:\Program Files\Common Files
2007-07-09 14:05:58    196608 --a------ C:\WINNT\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 14:05:54    802816 --a------ C:\WINNT\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:54    823296 --a------ C:\WINNT\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:54    823296 --a------ C:\WINNT\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:54    740442 --a------ C:\WINNT\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:28     12288 --a------ C:\WINNT\system32\DivXWMPExtType.dll
2007-06-03 21:27:36    729088 --a------ C:\WINNT\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-06-03 21:03:51       759 --a------ C:\WINNT\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522143C4-30EC-44D3-2A96-17A80E66635C}]
08/29/2007 08:01 PM	70144	--a------	C:\Program Files\NetMeeting\baquzujyd667.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5EC6097-60C7-4B4F-8B80-C8456B7B0388}]
08/29/2007 05:16 PM	298080	--a------	C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02/28/2006 07:00 AM C:\WINNT\system32\mobsync.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [05/10/2006 11:12 AM]
"P17Helper"="P17.dll" [03/17/2006 04:11 PM C:\WINNT\system32\P17.DLL]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [02/15/2005 04:10 PM]
"UpdReg"="C:\WINNT\UpdReg.EXE" [05/11/2000 01:00 AM]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"CTXFIREG"="CTxfiReg.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 04:07 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 05:22 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"WISE-FTP Task Planner"="C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" [09/22/2006 11:54 AM]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [02/28/2006 07:00 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DefaultP17MIDI"=MIDIDEF.EXE
"DefaultP17"=P17Def.Exe
"DAEMON Tools 4.08 Setup"="C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AOLRebootNeeded"=regsvr32.exe /s

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-08-30 23:36:12 ------------



extra.txt
Code:
Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3400+
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 1023.48 MiB / 589.2 MiB
Pagefile Memory (total/avail): 2660.21 MiB / 2340.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1959.89 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.9 GiB total, 10.68 GiB free. 
D: is Fixed (FAT32) - 93.13 GiB total, 3.58 GiB free. 
E: is CDROM (CDFS)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-55MHB0 - 149.05 GiB - 2 partitions
  \PARTITION0 (bootable) - Installable File System - 55.9 GiB - C:
  \PARTITION1 - Extended w/Extended Int 13 - 93.15 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINNT\\system32\\sessmgr.exe"="C:\\WINNT\\system32\\sessmgr.exe:LocalSubNet:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"D:\\Company of Heroes\\RelicCOH.exe"="D:\\Company of Heroes\\RelicCOH.exe:*:Enabled:Company of Heroes"
"C:\\Program Files\\Defcon\\defcon.exe"="C:\\Program Files\\Defcon\\defcon.exe:*:Enabled:Defcon"
"D:\\UT2004\\System\\UT2004.exe"="D:\\UT2004\\System\\UT2004.exe:*:Enabled:Play UT2004"
"D:\\Gas Powered Games\\Beta\\Supreme Commander\\bin\\SupremeCommander.exe"="D:\\Gas Powered Games\\Beta\\Supreme Commander\\bin\\SupremeCommander.exe:*:Enabled:Supreme Commander Beta "
"C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"="C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe:*:Enabled:FEAR Combat"
"C:\\Program Files\\THQ\\Gas Powered Games\\Beta\\Supreme Commander\\bin\\SupremeCommander.exe"="C:\\Program Files\\THQ\\Gas Powered Games\\Beta\\Supreme Commander\\bin\\SupremeCommander.exe:*:Enabled:Supreme Commander Beta "
"D:\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"="D:\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe:*:Enabled:Supreme Commander"
"D:\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="D:\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"D:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="D:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"D:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="D:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"D:\\EA GAMES\\Battlefield 2\\BF2.exe"="D:\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
CLASSPATH=.;C:\Program Files\Java\j2re1.4.1_07\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ONE
ComSpec=C:\WINNT\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\WBEM;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.1_07\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=ONE
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Doug
admin (admin)
scott
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program Files\Creative\SBAudigy\Program\SETUP.EXE" /S /U /W 
 --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
 --> C:\WINNT\UNNeroVision.exe /UNINSTALL
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9  /remove
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9  /remove
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player Plugin --> C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{22C97984-6A68-4140-872E-B2F5123A7387}
ATI Display Driver --> rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\Setup.exe" -l0x9 
Battlefield 2(TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9  -removeonly
Battlefield Vietnam(TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\Setup.exe" -l0x9 
Battlefield Vietnam: WW2 Mod --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F989306B-9287-444F-AE73-E30C7E4AF0F5}\setup.exe" -l0x9 
Call of Duty(R) 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374} /l1033 
Command & Conquer 3 Tiberium Wars™ Demo --> MsiExec.exe /I{39F7653F-3E82-4FED-9EE5-6B9253EA57E3}
Company of Heroes --> MsiExec.exe /X{BA801B94-C28D-46EE-B806-E1E021A3D519}
Creative EAX Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9  /remove
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9  /remove
Creative Speaker Settings --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9  /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9  /remove
Defcon --> "C:\Program Files\Defcon\unins000.exe"
DesertCombat 0.7 --> C:\WINNT\iun6002.exe "C:\Program Files\EA GAMES\Battlefield 1942\DesertCombat.ini"
Device Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9  /remove
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FEARCombat --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{75E607CF-7BAE-4B88-84B3-97F3DF44BA28}\setup.exe" -l0x9  /zU -removeonly
Freeciv 2.0.8 (GTK+ client) --> "C:\Program Files\Freeciv-2.0.8-gtk2\uninstall.exe"
GameJack 5 --> MsiExec.exe /I{7739C506-74AE-48CF-991B-AB5E35A927FC}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9  -removeonly
GPGNet --> MsiExec.exe /I{C194D333-B84A-4BB7-B35E-060732D98DC4}
GTK+ 2.10.6-1 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
Hamachi 1.0.0.62 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.0 --> "C:\Documents and Settings\Doug\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINNT\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINNT\$NtUninstallKB902344$\spuninst\spuninst.exe"
IGN Download Manager 2.3.2 --> C:\Program Files\IGN\Download Manager\uninst.exe
Immortal Defense 1.0 --> C:\Program Files\Immortal Defense\uninst.exe
IrfanView (remove only) --> C:\IrfanView\iv_uninstall.exe
J2SE Development Kit 5.0 Update 10 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150100}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
Java 2 Runtime Environment, SE v1.4.1_07 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA532E73-1BB7-11D8-9D6A-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
JGsoft EditPad Pro 5 DEMO 5.4.4 --> C:\WINNT\UnDeploy.exe "C:\Program Files\JGsoft\EditPadPro5\Deploy.log"
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\swflash.inf,DefaultUninstall,5
Medieval II Total War --> C:\Program Files\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINNT\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINNT\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Virtual PC 2004 --> MsiExec.exe /X{CCCAFDDE-ECEC-4AE4-BD97-047076BBD4A9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.2) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero PhotoShow Express --> "C:\Program Files\Ahead\Nero PhotoShow\data\Xtras\Uninstall.exe"
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
NetBeans IDE 5.5 --> C:\Program Files\netbeans-5.5\_uninst\uninstaller.exe
PC Camera --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{10AA96A4-3A6D-430A-80B9-63B7CBEB308E} /l1033 
Porrasturvat - Stair Dismount --> C:\Program Files\Porrasturvat - Stair Dismount\uninstall.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe"  -uninstall
PunkBuster for Battlefield Vietnam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D07643A3-CE41-4286-8C78-EB9C83E76DDB}\setup.exe" -l0x9 
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RedOctane Universal PS/PS2 Controller Adapter --> C:\PROGRA~1\REDOCT~1\UNWISE.EXE C:\PROGRA~1\REDOCT~1\INSTALL.LOG
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0003] --> "D:\S.T.A.L.K.E.R. - Shadow of Chernobyl\unins000.exe"
Skype™ 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sound Blaster Audigy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B1DDAD2-C704-49F8-8FC2-18DAAD9A87C5}\SETUP.EXE" -l0x9  /remove
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
Spring 0.75b2 --> C:\Program Files\Spring\uninst.exe
SpringSharp 2.1 --> MsiExec.exe /I{9BAA7BAA-B832-4EB0-8F12-AC6317452BA9}
Starcraft --> C:\WINNT\SCunin.exe C:\WINNT\SCunin.dat
StepMania (remove only) --> "C:\Program Files\StepMania\uninstall.exe"
Supreme Commander --> C:\Program Files\InstallShield Installation Information\{25A1E6A4-2DBD-4AC0-8650-8EA9A45B183D}\setup.exe -runfromtemp -l0x0009 -removeonly
Supreme Commander Beta --> C:\Program Files\InstallShield Installation Information\{22877783-C9D3-4D59-A8A3-B29220A41492}\setup.exe -runfromtemp -l0x0009 -removeonly
The GIMP 2.2.14 --> "C:\Program Files\GIMP-2.0\unins000.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Unreal Tournament 2004 --> D:\UT2004\System\Setup.exe uninstall "UT2004"
USB Dual Vibration Joystick --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39A68007-970B-4A78-9519-64D4B13824F9}\setup.exe" -l0x9 
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169} 
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VNC Personal Edition P4.2.8 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINNT\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINNT\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WISE-FTP 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D21C9D95-DDBA-4962-899D-D1D350186555}\setup.exe" -l0x9  -removeonly
Yahoo! Install Manager --> C:\WINNT\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1158 / Warning
Event Submitted/Written: 08/30/2007 05:06:04 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type1157 / Warning
Event Submitted/Written: 08/30/2007 05:06:04 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type1152 / Error
Event Submitted/Written: 08/30/2007 04:23:28 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application yahoomessenger.exe, version 8.1.0.209, faulting module mshtml.dll, version 6.0.2900.3157, fault address 0x0006c3dc.
Processing media-specific event for [yahoomessenger.exe!ws!]

Event Record #/Type1149 / Error
Event Submitted/Written: 08/29/2007 09:01:01 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Ad-Aware 2007 -- You must be a Local Administrator to install this software.

Event Record #/Type1147 / Warning
Event Submitted/Written: 08/29/2007 08:01:14 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3269 / Warning
Event Submitted/Written: 08/30/2007 05:05:42 PM / 08/30/2007 05:06:08 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom1 during a paging operation.

Event Record #/Type3258 / Error
Event Submitted/Written: 08/29/2007 11:03:04 PM
Event ID/Source: 111 / Removable Storage Service
Event Description:
RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Event Record #/Type3257 / Error
Event Submitted/Written: 08/29/2007 11:03:04 PM
Event ID/Source: 111 / Removable Storage Service
Event Description:
RSM could not load media in drive Drive 0 of library PNY USB 2.0 FD USB Device.

Event Record #/Type3237 / Warning
Event Submitted/Written: 08/29/2007 08:00:49 PM / 08/29/2007 08:01:15 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom1 during a paging operation.

Event Record #/Type3210 / Warning
Event Submitted/Written: 08/29/2007 05:22:14 PM / 08/29/2007 05:22:39 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom1 during a paging operation.



-- End of Deckard's System Scanner: finished at 2007-08-30 23:36:12 ------------





Step #3:

fsbl log
Code:
08/30/07 23:46:35 [Info]: BlackLight Engine 1.0.64 initialized
08/30/07 23:46:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/30/07 23:46:35 [Note]: 7019 4
08/30/07 23:46:35 [Note]: 7005 0
08/30/07 23:46:47 [Note]: 7006 0
08/30/07 23:46:47 [Note]: 7027 1
08/30/07 23:46:47 [Note]: 7027 0
08/30/07 23:46:47 [Note]: 7026 0
08/30/07 23:46:47 [Note]: 7026 0
08/30/07 23:46:49 [Note]: FSRAW library version 1.7.1022
08/30/07 23:47:14 [Note]: 4013 48302
08/30/07 23:47:14 [Note]: 4020 12633 131072
08/30/07 23:47:14 [Note]: 4018 12633 131072
08/30/07 23:47:48 [Note]: 4013 48304
08/30/07 23:47:48 [Note]: 4020 12633 131072
08/30/07 23:47:48 [Note]: 4018 12633 131072
08/30/07 23:48:23 [Note]: 4013 48304
08/30/07 23:48:23 [Note]: 4020 12633 131072
08/30/07 23:48:23 [Note]: 4018 12633 131072
08/31/07 00:03:39 [Note]: 7007 0
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm
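The two Browser Helper Objects in the registry dump above (a DLL with a random-looking name in the NetMeeting folder and another in the user's Temp directory, both written the day before the scan) are the entries a helper looks at first. Below is an added example, not DSS code and not part of this thread, that parses that section of a DSS main.txt and flags BHOs by location, name shape and modification time. The scoring heuristics are the example's own assumptions, and the third, benign entry is constructed for contrast (its CLSID and path are taken from the HijackThis output later in the thread; its timestamp and size are made up).

```python
"""Triage the Browser Helper Object (BHO) entries of a Deckard's System Scanner
registry dump.  This is an added example, not DSS code and not part of the
original thread; the scoring heuristics are the author's own assumptions."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# "finished at" timestamp of the DSS run posted above.
SCAN_TIME = datetime(2007, 8, 30, 23, 36, 12)

# The two BHO entries copied from the log above (fields: mtime, size,
# attributes, path, tab-separated), plus one constructed benign entry whose
# CLSID and path come from the later HijackThis output in the thread (its
# timestamp and size are made up for contrast).
BHO_LINES = [
    r"[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522143C4-30EC-44D3-2A96-17A80E66635C}]",
    "08/29/2007 08:01 PM\t70144\t--a------\tC:\\Program Files\\NetMeeting\\baquzujyd667.dll",
    "",
    r"[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5EC6097-60C7-4B4F-8B80-C8456B7B0388}]",
    "08/29/2007 05:16 PM\t298080\t--a------\tC:\\DOCUME~1\\Doug\\LOCALS~1\\Temp\\awtqn.dll",
    "",
    r"[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]",
    "09/23/2005 11:05 PM\t63136\t--a------\tC:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
]

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)\t(\d+)\t(\S+)\t(.+)$")
VOWELS = set("aeiou")


def parse_bhos(lines):
    """Return (clsid, mtime, size, path) for every BHO whose DLL line follows its key."""
    entries, clsid = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            clsid = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and clsid:
            mtime = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M %p")
            entries.append((clsid, mtime, int(m.group(2)), m.group(4)))
            clsid = None
    return entries


def looks_random(stem):
    """Heuristic (assumption): vendor DLL names rarely end in 3+ digits or
    contain a run of 4+ consonants; generated names often do."""
    s = stem.lower()
    if re.search(r"\d{3,}$", s):
        return True
    run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        if run >= 4:
            return True
    return False


def in_temp(path):
    """True when any path component is a Temp directory (8.3 names included)."""
    return "temp" in [p.lower() for p in PureWindowsPath(path).parts]


def triage(lines, scan_time=SCAN_TIME, recent=timedelta(hours=48)):
    """Map CLSID -> list of reasons for every BHO that trips at least one check."""
    findings = {}
    for clsid, mtime, _size, path in parse_bhos(lines):
        reasons = []
        stem = PureWindowsPath(path).stem
        if in_temp(path):
            reasons.append("loaded from a Temp directory")
        if looks_random(stem):
            reasons.append(f"random-looking file name {stem!r}")
        if scan_time - recent <= mtime <= scan_time:
            age_h = (scan_time - mtime).total_seconds() / 3600
            reasons.append(f"written {age_h:.0f}h before the scan")
        if reasons:
            findings[clsid] = reasons
    return findings


if __name__ == "__main__":
    for clsid, reasons in triage(BHO_LINES).items():
        print(clsid, "->", "; ".join(reasons))
```

Run against the three entries it reports both DLLs from the log and stays quiet about the Adobe helper. None of the checks is proof of anything on its own; they are a way to rank which file to submit for analysis first, which is what the next reply in the thread asks for.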

Unread postby SNOWHITE » August 31st, 2007, 4:40 pm

Hello KlavoHunter,

Step #1

Click on this link:
http://www.bleepingcomputer.com/submit-malware.php?channel=29
and fill in the required fields, then Browse for this filename:
    C:\Program Files\NetMeeting\baquzujyd667.dll
Click on the Send File button.

Thank you!

Step #2

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software is a program that detects, cleans, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors:

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Post back with new dss scan report.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm
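SNOWHITE's point about missing antivirus lines up with the DSS Security Center section posted earlier in the thread: the built-in firewall is disabled and the three *DisableNotify values are set, so Security Center would not have warned about either. The following added example, not DSS code and not part of the thread, parses that section and the firewall exception list (each entry has the form path:scope:Enabled|Disabled:name) and lists what it would report. The sample is copied from the log, abridged to three exceptions; the wording DSS uses for an enabled firewall is assumed.

```python
"""Report Security Center and firewall settings from the "Security Center"
section of a Deckard's System Scanner extra.txt.  Added example, not DSS code
and not part of the original thread."""
import re

# Copied from the extra.txt posted earlier in the thread (abridged to three
# firewall exceptions).  The doubled backslashes are DSS's .reg-style escaping.
SECURITY_CENTER = r"""
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINNT\\system32\\sessmgr.exe"="C:\\WINNT\\system32\\sessmgr.exe:LocalSubNet:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"""

# What each Security Center *DisableNotify value suppresses.
NOTIFY_FLAGS = {
    "AntiVirusDisableNotify": "no warning when no antivirus is detected",
    "FirewallDisableNotify": "no warning when the firewall is off",
    "UpdatesDisableNotify": "no warning when automatic updates are off",
}

# The "enabled" wording is an assumption; the log above only shows "disabled".
FIREWALL_RE = re.compile(r"Windows Internal Firewall is (enabled|disabled)\.")
NOTIFY_RE = re.compile(r"(\w+DisableNotify) is set\.")
PROFILE_RE = re.compile(r"FirewallPolicy\\(\w+)\\AuthorizedApplications")
EXCEPTION_RE = re.compile(r'"(.+?)"="(.+)"')


def parse_security_center(text):
    """Return firewall state, suppressed notifications and the exception list."""
    state = {"firewall_enabled": None, "notify_suppressed": [], "exceptions": []}
    profile = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FIREWALL_RE.fullmatch(line)
        if m:
            state["firewall_enabled"] = m.group(1) == "enabled"
            continue
        m = NOTIFY_RE.fullmatch(line)
        if m and m.group(1) in NOTIFY_FLAGS:
            state["notify_suppressed"].append(m.group(1))
            continue
        m = PROFILE_RE.search(line)
        if m:
            profile = m.group(1)
            continue
        m = EXCEPTION_RE.fullmatch(line)
        if m and profile:
            key = m.group(1).replace("\\\\", "\\")
            value = m.group(2).replace("\\\\", "\\")
            # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>.
            # The path contains ':' itself, so strip it using the key (which
            # repeats the path) before splitting the remaining three fields.
            if value.startswith(key + ":"):
                scope, mode, name = value[len(key) + 1:].split(":", 2)
            else:
                _, scope, mode, name = value.rsplit(":", 3)
            state["exceptions"].append(
                {"profile": profile, "path": key, "scope": scope, "mode": mode, "name": name}
            )
    return state


def findings(state):
    """Turn the parsed state into a list of human-readable weaknesses."""
    out = []
    if state["firewall_enabled"] is False:
        out.append("Windows Firewall is disabled")
    for flag in state["notify_suppressed"]:
        out.append(f"{flag} is set: {NOTIFY_FLAGS[flag]}")
    for exc in state["exceptions"]:
        if exc["mode"].lower() == "enabled" and exc["scope"] == "*":
            out.append(f"{exc['profile']}: {exc['path']} may accept connections from any address")
    return out


if __name__ == "__main__":
    for item in findings(parse_security_center(SECURITY_CENTER)):
        print("-", item)
```

On the sample it reports the disabled firewall, the three suppressed notifications, and the two exceptions whose scope is "*" (any address); the sessmgr.exe entry is skipped because it is disabled and limited to the local subnet. The exception list is still reported when the firewall is off because those rules take effect again as soon as it is re-enabled.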

Unread postby KlavoHunter » August 31st, 2007, 7:40 pm

Step #1:

baquzujyd667.dll submitted to bleepingcomputer.


Step #2:

Installed Avast.



Anything else?
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm

Unread postby KlavoHunter » August 31st, 2007, 8:47 pm

durr, i reed gud. :P


Here's my DSS report.


main.txt
Code:
Deckard's System Scanner v20070826.66
Run by Administrator on 2007-08-31 19:42:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-31 19:45:24
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSVCCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Doug\Desktop\dss.exe

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D366E29-D132-42CF-952E-A95F46D71162} - C:\Documents and Settings\Doug\Local Settings\Temp\awtqn.dll
O2 - BHO: 0 - {522143C4-30EC-44D3-2A96-17A80E66635C} - C:\Program Files\NetMeeting\baquzujyd667.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKEY_LOCAL_MACHINE\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKEY_LOCAL_MACHINE\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKEY_LOCAL_MACHINE\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" /bg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE
O4 - HKCU\..\RunOnce: [DefaultP17] P17Def.Exe
O4 - HKCU\..\RunOnce: [DAEMON Tools 4.08 Setup] "C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159110994328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSVCCDA.EXE


-- Files created between 2007-07-31 and 2007-08-31 -----------------------------

2007-08-31 18:36:52         0 d-------- C:\Program Files\Alwil Software
2007-08-31 05:07:23         0 -----n--- C:\WINNT\system32\arpaytgb.dll
2007-08-31 05:06:55     75328 --a------ C:\WINNT\system32\fiywiybb.exe <Not Verified; ; DDC>
2007-08-30 23:33:12         0 d-------- \Deckard
2007-08-30 23:26:52         0 d-------- \VundoFix Backups
2007-08-29 21:01:27         0 d-------- C:\Program Files\Lavasoft
2007-08-29 21:01:27         0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-29 18:04:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-29 17:11:57         0 d--hs---- C:\WINNT\ZA
2007-08-29 17:11:53         0 --a------ C:\WINNT\system32\pwinpmdt.exe
2007-08-29 17:11:50         0 d-------- C:\WINNT\system32\drvr2
2007-08-29 17:11:50         0 d-------- C:\WINNT\system32\cfig32
2007-08-29 17:11:50         0 d-------- C:\WINNT\system32\capcom
2007-08-29 17:11:49         0 d-------- C:\WINNT\system32\f02WtR
2007-08-21 18:34:04         0 d-------- C:\Documents and Settings\Doug\Application Data\Bioshock
2007-08-07 13:58:08      8320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
2007-08-07 13:56:58      9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
2007-08-06 06:06:32         0 d-------- C:\Documents and Settings\Doug\Application Data\Yahoo! Messenger


-- Find3M Report ---------------------------------------------------------------

2007-08-31 19:32:23 1610612736 --ahs---- \pagefile.sys
2007-08-31 05:49:01         0 d-------- C:\Program Files\mIRC
2007-08-30 04:22:25         0 d-------- C:\Program Files\Trillian
2007-08-30 00:58:05         0 d-------- C:\Program Files\Starcraft
2007-08-29 21:00:56         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-21 18:05:44         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-27 22:47:08         0 d-------- C:\Program Files\RealVNC
2007-07-22 15:14:17         0 d-------- C:\Program Files\Winamp
2007-07-21 23:36:36         0 d-------- C:\Program Files\CyberLink
2007-07-21 23:11:02         0 d-------- C:\Program Files\Spring
2007-07-21 21:00:59         0 d-------- C:\Program Files\DivX
2007-07-16 17:31:46         0 d-------- C:\Program Files\Skype
2007-07-16 17:31:43         0 d-------- C:\Program Files\Common Files\Skype
2007-07-16 17:31:42         0 d-a------ C:\Program Files\Common Files
2007-07-09 14:05:58    196608 --a------ C:\WINNT\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 14:05:54    802816 --a------ C:\WINNT\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-09 14:05:54    823296 --a------ C:\WINNT\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:54    823296 --a------ C:\WINNT\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:54    740442 --a------ C:\WINNT\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:28     12288 --a------ C:\WINNT\system32\DivXWMPExtType.dll
2007-06-03 21:27:36    729088 --a------ C:\WINNT\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-06-03 21:03:51       759 --a------ C:\WINNT\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D366E29-D132-42CF-952E-A95F46D71162}]
08/29/2007 05:16 PM	298080	--a------	C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522143C4-30EC-44D3-2A96-17A80E66635C}]
			C:\Program Files\NetMeeting\baquzujyd667.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02/28/2006 07:00 AM C:\WINNT\system32\mobsync.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [05/10/2006 11:12 AM]
"P17Helper"="P17.dll" [03/17/2006 04:11 PM C:\WINNT\system32\P17.DLL]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [02/15/2005 04:10 PM]
"UpdReg"="C:\WINNT\UpdReg.EXE" [05/11/2000 01:00 AM]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"CTXFIREG"="CTxfiReg.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 04:07 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 05:22 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 05:03 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"WISE-FTP Task Planner"="C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" [09/22/2006 11:54 AM]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [02/28/2006 07:00 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DefaultP17MIDI"=MIDIDEF.EXE
"DefaultP17"=P17Def.Exe
"DAEMON Tools 4.08 Setup"="C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AOLRebootNeeded"=regsvr32.exe /s

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - AAVMKER4
*Newly Created Service* - ASWMON2
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWTDI
*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER



-- End of Deckard's System Scanner: finished at 2007-08-31 19:46:18 ------------




It didn't give me an extra.txt this time.
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm

Unread postby SNOWHITE » September 1st, 2007, 8:15 am

Hello,

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER

Please follow the steps below exactly in the order they are written:

Step #1

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {1D366E29-D132-42CF-952E-A95F46D71162} - C:\Documents and Settings\Doug\Local Settings\Temp\awtqn.dll
O2 - BHO: 0 - {522143C4-30EC-44D3-2A96-17A80E66635C} - C:\Program Files\NetMeeting\baquzujyd667.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKEY_LOCAL_MACHINE\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\arpaytgb.dll
    C:\WINNT\system32\fiywiybb.exe
    C:\WINNT\system32\pwinpmdt.exe
    C:\WINNT\system32\f02WtR
    C:\WINNT\system32\drvr2
    C:\WINNT\system32\cfig32
    C:\WINNT\system32\capcom
    C:\WINNT\ZA



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #3

You should see two new tray icons. Right-click on the 'a' icon in the taskbar and select Updating, then highlight and click Program.

You will get a popup after it's done updating. If avast! had to download anything for your computer, you may get a message asking you to restart.

After you have updated avast!, right-click the small 'a' icon in the task bar and click Start avast! AntiVirus.

Next, you will need to schedule a Boot-Time Scan with avast!. Click on the little button placed up in the left corner and select Schedule Boot-Time Scan.

Next, choose
  • Scan all local disks
  • Scan archive files
  • Click on Schedule
On the next dialog, Operating system restart needed, select Yes.

Now avast! will restart your computer and start to scan before Windows fully loads. If it detects infections during the boot-time scan, you will be given choices for actions; choose Move to Chest and don't delete anything.

IMPORTANT NOTE: since your system has infections on it, avast! will give you a dialog box with recommended actions and options. If this happens, please make sure to click the Move to Chest button, and not to delete any reported files.

Finally, when the scan finishes the computer will boot in Normal Mode. Then, using Windows Explorer, navigate to C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt and double-click on aswBoot.txt; it will open Notepad with the report of the scan. Please copy and paste the report in this thread, also post the OTMoveIt report, run a new scan with DSS and post the contents of main.txt.


Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm
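The entries SNOWHITE singles out in Step #1 follow a few recognizable patterns: a BHO DLL living in the user's Temp folder, BHO registrations whose file is gone ("(file missing)" or "(no file)"), unnamed BHOs with a machine-generated-looking filename, and a RunOnce entry that runs regsvr32 with no DLL to register. As an added example, not part of the original thread and not code from HijackThis or DSS, the script below applies those same heuristics to HijackThis-style O2 and O4 lines. The sample lines are copied in shape from the DSS "HijackThis Clone" log above; the regexes, the `looks_generated` filename test and the `triage` function are this example's own assumptions. A hit is a lead for a human to check, not a verdict: Spybot's SDHelper.dll is also an unnamed BHO and is legitimate, which is why the name test alone never flags anything.

```python
"""Triage HijackThis-style O2 (BHO) and O4 (Run/RunOnce) lines for the patterns a
malware-removal helper looks for by eye. Added example; the heuristics are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied in shape from the DSS "HijackThis Clone" log above.
SAMPLE_LOG = """\
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: (no name) - {1D366E29-D132-42CF-952E-A95F46D71162} - C:\\Documents and Settings\\Doug\\Local Settings\\Temp\\awtqn.dll
O2 - BHO: 0 - {522143C4-30EC-44D3-2A96-17A80E66635C} - C:\\Program Files\\NetMeeting\\baquzujyd667.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKEY_LOCAL_MACHINE\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\\..\\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\(Local Settings\\Temp|Temporary Internet Files)\\", re.I)
# regsvr32 invoked with switches only: nothing to register, so the entry is stale or its
# DLL argument has already been stripped (the [AOLRebootNeeded] case above).
BARE_REGSVR32_RE = re.compile(r"^regsvr32(\.exe)?(\s+/\w+)*\s*$", re.I)
# All-lowercase letter salad such as awtqn or baquzujyd667. Applied to unnamed BHOs only,
# because ordinary system binaries (ctfmon.exe) match it just as well.
GENERATED_STEM_RE = re.compile(r"^[a-z]{4,}[a-z0-9]*$")


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def looks_generated(path: str) -> bool:
    """Heuristic (assumption): filename stem is an all-lowercase letter/digit run."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(GENERATED_STEM_RE.match(stem))


def triage_o2(name: str, target: str) -> list:
    reasons = []
    orphaned = target == "(no file)" or target.endswith("(file missing)")
    path = target.replace("(file missing)", "").strip()
    if orphaned:
        reasons.append("orphaned BHO registration: target DLL is absent")
    if TEMP_RE.search(path):
        reasons.append("BHO DLL loaded from a temporary directory")
    unnamed = name == "(no name)" or name.isdigit()
    if unnamed and looks_generated(path):
        reasons.append("unnamed BHO with a machine-generated-looking filename")
    return reasons


def triage_o4(cmd: str) -> list:
    reasons = []
    if BARE_REGSVR32_RE.match(cmd):
        reasons.append("regsvr32 autorun with no DLL argument")
    if TEMP_RE.search(cmd):
        reasons.append("autorun command launched from a temporary directory")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O2/O4 line; lines with no hit are dropped."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := O2_RE.match(line)):
            reasons = triage_o2(m["name"], m["target"])
        elif (m := O4_RE.match(line)):
            reasons = triage_o4(m["cmd"])
        else:
            continue  # R0/R1/O9/O16/... lines are out of scope for this example
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the sample this flags exactly the four lines SNOWHITE asked to have fixed and leaves the Yahoo!, Spybot, avast! and ctfmon entries alone. Run it against a saved HijackThis or DSS main.txt by replacing `SAMPLE_LOG` with the file's contents.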

Unread postby KlavoHunter » September 8th, 2007, 1:45 am

Step 1.) Done, removed all 4 of those.



Step 2.)

File/Folder C:\WINNT\system32\arpaytgb.dll not found.
C:\WINNT\system32\fiywiybb.exe moved successfully.
File/Folder C:\WINNT\system32\pwinpmdt.exe not found.
C:\WINNT\system32\f02WtR moved successfully.
C:\WINNT\system32\drvr2 moved successfully.
C:\WINNT\system32\cfig32 moved successfully.
C:\WINNT\system32\capcom moved successfully.
C:\WINNT\ZA moved successfully.

Created on 09/08/2007 00:36:51

Those two un-found files may have been moved or deleted by Avast since I posted the last logs, and have possibly renamed themselves. I've been getting two .dll files every time I start up my PC that set Avast off, I believe they have new names every time.

Step 3.) Updating Avast, and now I'm gonna reboot, standby for my next reply
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm

Unread postby KlavoHunter » September 8th, 2007, 3:47 am

Step 3.) Scan finished, here's the contents of aswBoot.txt.


Code: Select all
08/31/2007 18:43
Scan of all local drives
File C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\Content.IE5\F7QRAKCV\lkjh[1] is infected by Win32:Tiny-IF [Trj], Deleted
File C:\Program Files\NetMeeting\baquzujyd.dll is infected by Win32:Small-AHY [Trj], Deleted
File C:\Program Files\NetMeeting\baquzujyd6.dll is infected by Win32:Small-AHY [Trj], Deleted
File C:\Program Files\NetMeeting\baquzujyd667.dll is infected by Win32:Small-AHY [Trj], Deleted
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP253\A0102577.exe is infected by Win32:Small-AHY [Trj], Deleted
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP253\A0102578.dll is infected by Win32:Trojan-gen. {Other}, Deleted
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP253\A0102579.exe is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102795.dll is infected by Win32:Small-AHY [Trj], Deleted
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102796.dll is infected by Win32:Small-AHY [Trj], Deleted
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102797.dll is infected by Win32:Small-AHY [Trj], Deleted
File C:\WINNT\system32\cfig32\icm33oc.exe\[UPX] is infected by Win32:Small-GWM [Trj], Deleted
File C:\WINNT\system32\drvr2\bbc002nws.exe is infected by Win32:Trojano-2873 [Trj], Deleted
File C:\WINNT\system32\vrpootld.exe is infected by Win32:Tiny-IF [Trj], Deleted

Number of searched folders: 8810
Number of tested files: 107752
Number of infected files: 13

----------------------------------------
09/08/2007 00:55
Scan of all local drives
File C:\Documents and Settings\Doug\Local Settings\Temp\NI.UWAS7_0001_N91M2703\setup.exe\[Embedded#004240]\{app}\InstUp.exe\{cf}\WinAntiSpyware 2007\was7cw.exe is infected by Win32:Trojan-gen. {Other}, Moved to chest
File C:\Documents and Settings\Doug\Local Settings\Temp\NI.UWAS7_0001_N91M2703\setup.exe\[Embedded#004240]\{cf}\WinAntiSpyware 2007\uwas7cw.exe is infected by Win32:Adware-gen. [Adw], Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: 
Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object 
Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
Scanning aborted


Number of searched folders: 2313
Number of tested files: 40283
Number of infected files: 2

----------------------------------------
09/08/2007 01:10
Scan of all local drives
File C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\Content.IE5\8LYBCPER\gepj[2] is infected by Win32:Vundo-gen49 [Adw], Moved to chest
File C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\Content.IE5\8LYBCPER\pzd[1] is infected by Win32:Vundo-gen48 [Adw], Moved to chest
File C:\Documents and Settings\Doug\Local Settings\Temporary Internet Files\Content.IE5\F7QRAKCV\gepj[1] is infected by Win32:Vundo-gen46 [Adw], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP252\A0102511.dll is infected by Win32:Vundo-gen46 [Adw], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP252\A0102512.dll is infected by Win32:Vundo-gen46 [Adw], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102798.exe\[UPX] is infected by Win32:Small-GWM [Trj], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102799.exe is infected by Win32:Trojano-2873 [Trj], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102800.exe is infected by Win32:Tiny-IF [Trj], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102814.dll is infected by Win32:Vundo-gen47 [Adw], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102817.dll is infected by Win32:Vundo-gen48 [Adw], Moved to chest
File C:\System Volume Information\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\RP255\A0102818.exe is infected by Win32:Downloader-IB [Trj], Moved to chest
File C:\WINNT\system32\xcfypccu.dll is infected by Win32:Vundo-gen46 [Adw], Moved to chest
File C:\_OTMoveIt\MovedFiles\WINNT\system32\capcom\nab22011.exe\$PROGRAMFILES\installer.js is infected by VBS:Malware [Gen], Moved to chest
File C:\_OTMoveIt\MovedFiles\WINNT\system32\f02WtR\f02WtR1065.exe is infected by Win32:VB-ESB [Trj], Moved to chest
File D:\ut2004 keygen.exe is infected by Win32:Trojan-gen. {UPX!}, Moved to chest
File D:\UT2K4\Keygen.exe is infected by Win32:Trojan-gen. {UPX!}, Moved to chest

Number of searched folders: 8850
Number of tested files: 439872
Number of infected files: 16



Oh, and upon startup, I'm *STILL* getting 2 vundo-infected files detected by Avast, and an IE popup of some worthless "Crush Calculator" site.
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm
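The boot-time scan report above mixes very different kinds of hit: copies archived inside System Restore points (inert until a restore, but the reason a cleanup ends with System Restore being flushed), payloads sitting in the IE cache (consistent with the banner-ad vector KlavoHunter suspects), files OTMoveIt had already quarantined, and detections in live locations such as system32. Live hits that reappear after a cleanup pass, like the two Vundo DLLs at every boot, mean a dropper is still running. Note also that the second scan in the report was aborted after Move to Chest failed repeatedly on a file nested inside an installer, so the third scan is the complete one. As an added example, not part of the original thread and not code from avast!, the script below parses aswBoot.txt lines into those location classes. The sample is a constructed subset of the report above; the location classes, the `parse_report` and `live_detections` functions are this example's own assumptions.

```python
"""Sort an avast! 4 boot-time scan report (aswBoot.txt) into location classes so the
detections that still need attention stand out. Added example; the classes are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the aswBoot.txt lines posted above, with header and
# footer lines kept so the parser is exercised on the lines it must skip.
SAMPLE_REPORT = """\
09/08/2007 01:10
Scan of all local drives
File C:\\Documents and Settings\\Doug\\Local Settings\\Temporary Internet Files\\Content.IE5\\8LYBCPER\\gepj[2] is infected by Win32:Vundo-gen49 [Adw], Moved to chest
File C:\\System Volume Information\\_restore{3EFC0E05-5655-4953-A400-A8BE78371708}\\RP255\\A0102818.exe is infected by Win32:Downloader-IB [Trj], Moved to chest
File C:\\WINNT\\system32\\xcfypccu.dll is infected by Win32:Vundo-gen46 [Adw], Moved to chest
File C:\\_OTMoveIt\\MovedFiles\\WINNT\\system32\\f02WtR\\f02WtR1065.exe is infected by Win32:VB-ESB [Trj], Moved to chest
File C:\\Program Files\\NetMeeting\\baquzujyd667.dll is infected by Win32:Small-AHY [Trj], Deleted
File D:\\ut2004 keygen.exe is infected by Win32:Trojan-gen. {UPX!}, Moved to chest

Number of searched folders: 8850
Number of tested files: 439872
Number of infected files: 6
"""

DETECTION_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<sig>.+?), "
    r"(?P<action>Deleted|Moved to chest|Move to chest: .*)$"
)

# Ordered: the first matching class wins. Anything unmatched is a live filesystem location.
LOCATION_CLASSES = (
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("quarantine", re.compile(r"\\_OTMoveIt\\MovedFiles\\|\\VundoFix Backups\\", re.I)),
    ("browser_cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("user_temp", re.compile(r"\\Local Settings\\Temp\\", re.I)),
)


@dataclass(frozen=True)
class Detection:
    path: str
    signature: str
    family: str
    action: str
    location: str


def classify_location(path: str) -> str:
    for label, pattern in LOCATION_CLASSES:
        if pattern.search(path):
            return label
    return "live"


def signature_family(sig: str) -> str:
    """'Win32:Vundo-gen46 [Adw]' -> 'Vundo'; 'Win32:Trojan-gen. {UPX!}' -> 'Trojan'."""
    name = sig.split(":", 1)[-1]
    return re.split(r"[-. \[{]", name, maxsplit=1)[0]


def parse_report(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.rstrip())
        if not m:
            continue  # scan date, "Scan of all local drives", counters, blank lines
        out.append(Detection(m["path"], m["sig"], signature_family(m["sig"]),
                             m["action"], classify_location(m["path"])))
    return out


def by_location(dets: list) -> dict:
    groups = defaultdict(list)
    for d in dets:
        groups[d.location].append(d)
    return dict(groups)


def live_detections(dets: list) -> list:
    """Hits outside restore points, quarantine and caches: the ones that show an active
    component was on the disk at scan time and that must not recur on the next scan."""
    return [d for d in dets if d.location == "live"]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for loc, items in sorted(by_location(dets).items()):
        print(f"{loc}: {len(items)}")
    for d in live_detections(dets):
        print("LIVE", d.family, d.path, "->", d.action)
```

On the sample this reports one restore-point hit, one quarantine hit, one browser-cache hit and three live detections; the live list is the one to compare across successive scans, because a Vundo family member reappearing in system32 after a cleanup is the signal that the loader is still installed.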

Unread postby SNOWHITE » September 8th, 2007, 2:16 pm

Hello KlavoHunter :)

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm

Unread postby KlavoHunter » September 8th, 2007, 4:49 pm

Step 1.) Had to run Combofix 3 times before it'd give me a log file, the first 2 times, it rebooted my PC to deal with stuff.

Code: Select all
ComboFix 07-09-08.7 - "Administrator" 2007-09-08 15:42:42.2 - NTFSx86 
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.619 [GMT -5:00]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\coccwljo.exe
C:\WINNT\system32\xulacirr.exe


(((((((((((((((((((((((((   Files Created from 2007-08-08 to 2007-09-08  )))))))))))))))))))))))))))))))
.

2007-09-08 15:32	51,200	--a------	C:\WINNT\NirCmd.exe
2007-09-05 19:35	<DIR>	d--------	C:\Program Files\Sony
2007-08-31 18:37	95,608	--a------	C:\WINNT\system32\AvastSS.scr
2007-08-31 18:37	94,416	--a------	C:\WINNT\system32\drivers\aswmon2.sys
2007-08-31 18:37	92,848	--a------	C:\WINNT\system32\drivers\aswmon.sys
2007-08-31 18:37	42,912	--a------	C:\WINNT\system32\drivers\aswTdi.sys
2007-08-31 18:37	26,624	--a------	C:\WINNT\system32\drivers\aavmker4.sys
2007-08-31 18:37	23,152	--a------	C:\WINNT\system32\drivers\aswRdr.sys
2007-08-31 18:36	801,144	--a------	C:\WINNT\system32\aswBoot.exe
2007-08-31 18:36	1,060,864	--a------	C:\WINNT\system32\MFC71.dll
2007-08-31 18:36	<DIR>	d--------	C:\Program Files\Alwil Software
2007-08-30 23:33	<DIR>	d--------	C:\Deckard
2007-08-30 23:26	<DIR>	d--------	C:\VundoFix Backups
2007-08-29 21:01	<DIR>	d--------	C:\Program Files\Lavasoft
2007-08-29 21:01	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-29 18:04	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-21 18:34	<DIR>	d--------	C:\DOCUME~1\Doug\APPLIC~1\Bioshock

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-08 05:33	---------	d--------	C:\Program Files\Trillian
2007-09-08 04:44	---------	d--------	C:\Program Files\Starcraft
2007-09-06 22:11	---------	d--------	C:\DOCUME~1\Doug\APPLIC~1\IGN_DLM
2007-09-05 19:35	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-09-03 23:27	---------	d--------	C:\DOCUME~1\Doug\APPLIC~1\gtk-2.0
2007-08-31 05:49	---------	d--------	C:\Program Files\mIRC
2007-08-29 21:00	---------	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-08-21 15:50	---------	d--------	C:\DOCUME~1\Doug\APPLIC~1\uTorrent
2007-08-07 13:58	8320	--a------	C:\WINNT\system32\drivers\AWRTRD.sys
2007-08-07 13:56	9344	--a------	C:\WINNT\system32\drivers\NSDriver.sys
2007-08-06 06:06	---------	d--------	C:\DOCUME~1\Doug\APPLIC~1\Yahoo! Messenger
2007-07-30 19:19	92504	--a------	C:\WINNT\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINNT\system32\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINNT\system32\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINNT\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINNT\system32\wucltui.dll
2007-07-30 19:19	203096	--a------	C:\WINNT\system32\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINNT\system32\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINNT\system32\wups.dll
2007-07-27 22:47	---------	d--------	C:\Program Files\RealVNC
2007-07-22 15:14	---------	d--------	C:\Program Files\Winamp
2007-07-21 23:40	---------	d--------	C:\DOCUME~1\Doug\APPLIC~1\CyberLink
2007-07-21 23:38	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-07-21 23:36	---------	d--------	C:\Program Files\CyberLink
2007-07-21 23:11	---------	d--------	C:\Program Files\Spring
2007-07-21 21:00	---------	d--------	C:\Program Files\DivX
2007-07-17 16:23	---------	d--------	C:\DOCUME~1\Doug\APPLIC~1\Skype
2007-07-16 17:31	---------	d--------	C:\Program Files\Skype
2007-07-16 17:31	---------	d--------	C:\Program Files\Common Files\Skype
2007-07-16 17:31	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-07-11 14:37	6272	--a------	C:\WINNT\system32\drivers\AWRTPD.sys
2007-07-09 14:07	524288	--a------	C:\WINNT\system32\DivXsm.exe
2007-07-09 14:07	118520	---------	C:\WINNT\system32\pxinsi64.exe
2007-07-09 14:07	116472	---------	C:\WINNT\system32\pxcpyi64.exe
2007-07-09 14:05	823296	--a------	C:\WINNT\system32\divx_xx0c.dll
2007-07-09 14:05	823296	--a------	C:\WINNT\system32\divx_xx07.dll
2007-07-09 14:05	802816	--a------	C:\WINNT\system32\divx_xx11.dll
2007-07-09 14:05	740442	--a------	C:\WINNT\system32\DivX.dll
2007-07-09 14:05	53248	--a------	C:\WINNT\system32\dpuGUI10.dll
2007-07-09 14:05	344064	--a------	C:\WINNT\system32\dpus11.dll
2007-07-09 14:05	294912	--a------	C:\WINNT\system32\dpu10.dll
2007-07-09 14:05	196608	--a------	C:\WINNT\system32\dtu100.dll
2007-07-09 14:05	124472	--a------	C:\WINNT\system32\DivXCodecUpdateChecker.exe
2007-07-09 14:05	12288	--a------	C:\WINNT\system32\DivXWMPExtType.dll
2007-06-26 01:08	1104896	--a------	C:\WINNT\system32\msxml3.dll
2007-06-19 08:31	282112	--a------	C:\WINNT\system32\gdi32.dll
2007-06-13 05:23	1033216	--a------	C:\WINNT\explorer.exe
2005-09-24 10:22	271	---hs----	C:\Program Files\desktop.ini
2005-09-24 10:22	21952	--ah-----	C:\Program Files\folder.htt
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
 
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F34FEE17-AB68-46C9-B063-BC2948758BF2}]
2007-08-29 17:16	298080	--a------	C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2006-02-28 07:00 C:\WINNT\system32\mobsync.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"P17Helper"="P17.dll" [2006-03-17 16:11 C:\WINNT\system32\P17.DLL]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 01:00]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 10:50]
"CTXFIREG"="CTxfiReg.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"WISE-FTP Task Planner"="C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" [2006-09-22 11:54]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2006-02-28 07:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DefaultP17MIDI"=MIDIDEF.EXE
"DefaultP17"=P17Def.Exe
"DAEMON Tools 4.08 Setup"="C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R0 videX32;videX32;C:\WINNT\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINNT\system32\DRIVERS\xfilt.sys
R3 P17;Sound Blaster Audigy;C:\WINNT\system32\drivers\P17.sys
S3 AMDPCI;AMDPCI;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AMDPCI.sys
S3 NTSIM;NTSIM;\??\C:\WINNT\System32\ntsim.sys
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 15:45:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 15:46:50
C:\ComboFix-quarantined-files.txt ... 2007-09-08 15:46
.
	--- E O F ---



And here's my new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:49:33 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Doug\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {F34FEE17-AB68-46C9-B063-BC2948758BF2} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" /bg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE
O4 - HKCU\..\RunOnce: [DefaultP17] P17Def.Exe
O4 - HKCU\..\RunOnce: [DAEMON Tools 4.08 Setup] "C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-484763869-1343024091-725345543-1001\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Doug')
O4 - HKUS\S-1-5-21-484763869-1343024091-725345543-1001\..\Run: [DDC] C:\WINNT\system32\xulacirr.exe (User 'Doug')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159110994328
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE

--
End of file - 7000 bytes
KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm

Unread postby SNOWHITE » September 9th, 2007, 11:06 pm

Hello KlavoHunter,

Please follow the steps below exactly in the order they are written:

Step #1


Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {F34FEE17-AB68-46C9-B063-BC2948758BF2} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll
O4 - HKUS\S-1-5-21-484763869-1343024091-725345543-1001\..\Run: [DDC] C:\WINNT\system32\xulacirr.exe (User 'Doug')

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

    - Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen, under Your Computer's security:
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    - Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Log in to your usual account.
    - Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [screenshot omitted]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Run a new scan with DSS and post the contents of main.txt, along with the AVG Anti-Spyware report.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm

Unread postby KlavoHunter » September 11th, 2007, 2:21 am

Step 1.) Killed the first file, and the O4 file had a different random-character name, but I killed it anyway.

Step 2.)

Ran ATF-Cleaner successfully.

Ran AVG Antivirus successfully as well. HOWEVER, despite following instructions to the letter, the "Save Report" button was ghosted out and unclickable after I hit Apply All Actions. I am unable to give you that log, apologies.

DSS's main.txt is here.

Deckard's System Scanner v20070826.66
Run by Administrator on 2007-09-11 01:10:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-11 01:14:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\CTSVCCDA.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Doug\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7DE9C25B-6DBB-4FE6-9714-1C23BF4D49A9} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll (file missing)
O4 - HKEY_LOCAL_MACHINE\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKEY_LOCAL_MACHINE\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKEY_LOCAL_MACHINE\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" /bg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE
O4 - HKCU\..\RunOnce: [DefaultP17] P17Def.Exe
O4 - HKCU\..\RunOnce: [DAEMON Tools 4.08 Setup] "C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159110994328
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSVCCDA.EXE



-- Files created between 2007-08-11 and 2007-09-11 -----------------------------

2007-09-11 01:06:33         0 d-------- C:\Program Files\Trend Micro
2007-09-10 22:46:54         0 d-------- C:\Documents and Settings\admin\Application Data\Grisoft
2007-09-10 22:32:03         0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-09-10 22:31:52         0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-08 15:32:15         0 d-------- \qoobox
2007-09-08 00:36:51         0 d-------- \_OTMoveIt
2007-09-05 19:35:51         0 d-------- C:\Program Files\Sony
2007-08-31 18:36:52         0 d-------- C:\Program Files\Alwil Software
2007-08-30 23:33:12         0 d-------- \Deckard
2007-08-30 23:26:52         0 d-------- \VundoFix Backups
2007-08-29 21:01:27         0 d-------- C:\Program Files\Lavasoft
2007-08-29 21:01:27         0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-29 18:04:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-21 18:34:04         0 d-------- C:\Documents and Settings\Doug\Application Data\Bioshock


-- Find3M Report ---------------------------------------------------------------

2007-09-11 01:03:58 1610612736 --ahs---- \pagefile.sys
2007-09-09 15:36:38         0 d-------- C:\Program Files\Starcraft
2007-09-08 05:33:36         0 d-------- C:\Program Files\Trillian
2007-09-05 19:35:50         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-31 05:49:01         0 d-------- C:\Program Files\mIRC
2007-08-29 21:00:56         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-27 22:47:08         0 d-------- C:\Program Files\RealVNC
2007-07-22 15:14:17         0 d-------- C:\Program Files\Winamp
2007-07-21 23:36:36         0 d-------- C:\Program Files\CyberLink
2007-07-21 23:11:02         0 d-------- C:\Program Files\Spring
2007-07-21 21:00:59         0 d-------- C:\Program Files\DivX
2007-07-16 17:31:46         0 d-------- C:\Program Files\Skype
2007-07-16 17:31:43         0 d-------- C:\Program Files\Common Files\Skype
2007-07-16 17:31:42         0 d-a------ C:\Program Files\Common Files
2007-07-09 14:05:58    196608 --a------ C:\WINNT\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 14:05:54    802816 --a------ C:\WINNT\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-09 14:05:54    823296 --a------ C:\WINNT\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:54    823296 --a------ C:\WINNT\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:54    740442 --a------ C:\WINNT\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 14:05:28     12288 --a------ C:\WINNT\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DE9C25B-6DBB-4FE6-9714-1C23BF4D49A9}]
			C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02/28/2006 07:00 AM C:\WINNT\system32\mobsync.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [05/10/2006 11:12 AM]
"P17Helper"="P17.dll" [03/17/2006 04:11 PM C:\WINNT\system32\P17.DLL]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [02/15/2005 04:10 PM]
"UpdReg"="C:\WINNT\UpdReg.EXE" [05/11/2000 01:00 AM]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"CTXFIREG"="CTxfiReg.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 04:07 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 05:22 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 05:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 06:23 PM]
"WISE-FTP Task Planner"="C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" [09/22/2006 11:54 AM]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [02/28/2006 07:00 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DefaultP17MIDI"=MIDIDEF.EXE
"DefaultP17"=P17Def.Exe
"DAEMON Tools 4.08 Setup"="C:\Documents and Settings\Doug\Desktop\daemon408-139-x86.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe


-- End of Deckard's System Scanner: finished at 2007-09-11 01:14:49 ------------

KlavoHunter
Active Member
 
Posts: 10
Joined: August 29th, 2007, 9:23 pm

Unread postby SNOWHITE » September 12th, 2007, 5:29 pm

Hello KlavoHunter :)

Step #1

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7DE9C25B-6DBB-4FE6-9714-1C23BF4D49A9} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

Please run this online scan:

Panda ActiveScan

  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the Panda scan report, along with a new HijackThis Log.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm
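The two fix lists in this thread come down to three indicators: a BHO loading from the user's Temp directory (awtqn.dll), an autostart pointing at an unfamiliar letters-only .exe in system32 (xulacirr.exe), and, in the later DSS log, the same DLL's BHO key coming back under a different CLSID with the file already gone. The script below is an added example for this thread, not HijackThis code and not a tool the forum uses; it parses O2 and registry-based O4 lines of a HijackThis log and applies those rules. The sample lines are constructed in the shape of the logs quoted above, the two-name system32 allowlist and the Temp-directory pattern are assumptions for illustration, and "(no name)" on its own is deliberately not an indicator, because Spybot's SDHelper.dll shows up the same way.

```python
"""Triage the O2 (BHO) and O4 (Run/RunOnce) lines of a HijackThis log.

Added example for this thread; not HijackThis code and not a forum tool.
Rules: a BHO loading from a Temp directory, an unfamiliar letters-only .exe
started from system32, and a BHO whose DLL is gone but whose CLSID key remains.
"""
import re

# Constructed sample lines, in the shape of the logs quoted in the thread.
SAMPLE_LINES = [
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {F34FEE17-AB68-46C9-B063-BC2948758BF2} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll",
    r"O2 - BHO: (no name) - {7DE9C25B-6DBB-4FE6-9714-1C23BF4D49A9} - C:\DOCUME~1\Doug\LOCALS~1\Temp\awtqn.dll (file missing)",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-21-484763869-1343024091-725345543-1001\..\Run: [DDC] C:\WINNT\system32\xulacirr.exe (User 'Doug')",
    r"""O4 - HKUS\S-1-5-21-484763869-1343024091-725345543-1001\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Doug')""",
]

# Assumption: illustrative allowlist of Windows autostart binaries whose names
# happen to be letters-only; extend it from a known-clean log of the same OS.
SYSTEM32_ALLOWLIST = {"ctfmon.exe", "mobsync.exe"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

TEMP_REASON = "loads from a Temp directory"
ORPHAN_REASON = "orphaned: file is gone, CLSID key remains"
SYS32_REASON = "letters-only .exe in system32, not on the allowlist"


def first_path(cmd):
    """Extract the executable path from an O4 command line (quoted or not)."""
    m = re.match(r'"?(?P<p>[^"]*?\.(?:exe|dll|com|scr|bat))"?(?=\s|$)', cmd, re.I)
    if m:
        return m["p"]
    return cmd.split(maxsplit=1)[0] if cmd.strip() else cmd


def parse_line(line):
    """Return a dict for an O2 or registry-based O4 line, else None."""
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", "id": m["clsid"], "name": m["name"],
                "path": m["path"], "missing": m["missing"] is not None}
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", "id": m["value"], "name": m["value"],
                "path": first_path(m["cmd"]), "missing": False}
    return None


def in_temp_dir(path):
    return re.search(r"\\(?:TEMP|TMP)\\", path.upper()) is not None


def unfamiliar_system32_exe(path):
    directory, _, base = path.rpartition("\\")
    return (directory.upper().endswith("\\SYSTEM32")
            and re.fullmatch(r"[a-z]{5,12}\.exe", base, re.I) is not None
            and base.lower() not in SYSTEM32_ALLOWLIST)


def triage(lines):
    """Return findings with reasons and a verdict ('fix' or 'review')."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if in_temp_dir(e["path"]):
            reasons.append(TEMP_REASON)
        if e["missing"]:
            reasons.append(ORPHAN_REASON)
        if e["kind"] == "O4" and unfamiliar_system32_exe(e["path"]):
            reasons.append(SYS32_REASON)
        # "(no name)" alone proves nothing (Spybot's SDHelper.dll shows it too);
        # it only corroborates a finding that already exists.
        if e["kind"] == "O2" and e["name"] == "(no name)" and reasons:
            reasons.append("unnamed BHO")
        if reasons:
            verdict = "review" if reasons == [SYS32_REASON] else "fix"
            findings.append({"id": e["id"], "path": e["path"],
                             "reasons": reasons, "verdict": verdict, "line": line})
    return findings


def reregistered_bhos(old_lines, new_lines):
    """Paths that reappear in the new log under a CLSID the old log did not have.

    Fixing by CLSID alone misses this; fix on the path as well.
    """
    def clsids_by_path(lines):
        out = {}
        for line in lines:
            e = parse_line(line)
            if e and e["kind"] == "O2":
                out.setdefault(e["path"].lower(), set()).add(e["id"])
        return out
    old, new = clsids_by_path(old_lines), clsids_by_path(new_lines)
    return {p: new[p] - old[p] for p in new if p in old and new[p] - old[p]}


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["verdict"].upper(), f["id"], f["path"], "; ".join(f["reasons"]))
```

Run against the sample, the two awtqn.dll entries come back as "fix" (the second also as orphaned) and the DDC entry as "review"; the Yahoo, Spybot and ctfmon.exe lines produce nothing. Global Startup, O16 and other line types are ignored on purpose, and a "review" verdict means exactly that: confirm the file (publisher, signature, creation time next to the infection date) before fixing it.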