Character(s) Malware

Post by bottoson » July 24th, 2008, 11:21 pm

I am very new to this type of communication so please excuse my gaffes. I have a couple of malwares I believe. I have a text file that shows what my main one is. I have completed a log in Trend Micro HijackThis but have been unable to figure out how to get it to MalWare.

Any advice or instruction would be most appreciated at this point.

Bill Ottoson

Re: Character(s) Malware

Post by chryssi2001 » July 31st, 2008, 7:45 am

Hello bottoson,

I will be assisting you with your malware issues.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck somewhere, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
----------------------------------------------
I have a couple of malwares I believe. I have a text file that shows what my main one is.

Can you explain where that text file is? Any other symptoms?
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
----------------------------------------------

Re: Character(s) Malware

Post by bottoson » July 31st, 2008, 11:22 am

Thank you for your reply.

The following log from HiJackThis is added as you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:27 AM, on 7/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Maxtor\Utils\MaxSync.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\ZipCentral\ZCentral.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 8\SnagItBHO.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: CallingID LinkAdvisor - {F67BEA7B-70D4-4417-9227-480B35DDD500} - C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [NoteWhen3] "C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: Desktoplet.lnk = C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0351727296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/ ... gh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBService - Ziff Davis Media, Inc - C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12186 bytes

Bill Ottoson

Re: Character(s) Malware

Post by chryssi2001 » July 31st, 2008, 1:56 pm

Hello bottoson,

I have a couple of malwares I believe. I have a text file that shows what my main one is.

Can you explain where that text file is? Any other symptoms?

You didn't answer my previous question.

I need some more information about the text you get, and where it appears: is it in a folder, does it come as a pop-up, etc.?
Also, when does it happen?

You have to answer me so that I can understand what is happening to your PC and help you.
----------------------------------------------
Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from Temporary folders because the backups will be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

C:\DOCUME~1\Bill\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe

Please re-install HijackThis, and follow carefully the instructions in my first post.
----------------------------------------------
Please download ATF cleaner
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
----------------------------------------------
Post back:
DSS report.
Any information you can give me about that strange text.
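As an added example (not code from this thread, nor from the HijackThis or Malwarebytes projects), here is a small Python parser for the HijackThis log format posted above, with two checks the helper otherwise makes by eye: whether HijackThis.exe is running from a Temp folder (the backup problem explained in the post above), and which O2/O3/O4 entries share a CLSID or file path with detections in the Malwarebytes log requested above. The sample logs are abridged from the ones bottoson posts in this thread.

```python
"""Parse a Trend Micro HijackThis 2.x log and run two checks the helper in
this thread makes by hand. Added example; not code from the thread or from
the HijackThis / Malwarebytes projects. Sample logs are abridged from the
ones posted in this thread."""
import re

# One HJT finding per line: "<code> - <body>", e.g. "O2 - BHO: ... - {CLSID} - path"
ENTRY = re.compile(r'^(?P<code>[RFO]\d+) - (?P<body>.*)$')
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
WINPATH = re.compile(r'[A-Za-z]:\\[^"\n]+?\.(?:exe|dll|lnk|scr)', re.IGNORECASE)
# One MBAM finding per line: "<item> (<detection name>) -> <action>"
MBAM_HIT = re.compile(r'^(?P<item>.+?) \((?P<name>[^()]+)\) -> ')
# HJT writes its fix backups beside its own exe, so running it from a Temp or
# zip-extraction folder means the backups are lost with that folder.
TEMP_MARKERS = ('\\temp\\', '\\tmp\\', '\\temporary internet files\\')


def parse_hjt(text):
    """Return (running_processes, entries); each entry is a dict with the
    section code, the raw body and every CLSID in it (lower-cased)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if in_procs:                      # block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({'code': m.group('code'), 'body': m.group('body'),
                            'clsids': [c.lower() for c in CLSID.findall(m.group('body'))]})
    return processes, entries


def hijackthis_in_temp(processes):
    """Path of HijackThis.exe if it is running from a temporary folder, else None."""
    for path in processes:
        low = path.lower()
        if low.endswith('\\hijackthis.exe') and any(t in low for t in TEMP_MARKERS):
            return path
    return None


def mbam_detections(text):
    """Map every item an MBAM log reports as infected to its detection name."""
    found = (MBAM_HIT.match(l.strip()) for l in text.splitlines())
    return {m.group('item'): m.group('name') for m in found if m}


def cross_reference(entries, detections):
    """HJT entries that share a CLSID or a file path with an MBAM detection,
    as (section code, matched key, detection name) tuples."""
    by_clsid = {c.lower(): n for item, n in detections.items() for c in CLSID.findall(item)}
    by_path = {item.lower(): n for item, n in detections.items() if WINPATH.fullmatch(item)}
    hits = []
    for e in entries:
        hits += [(e['code'], c, by_clsid[c]) for c in e['clsids'] if c in by_clsid]
        hits += [(e['code'], p, by_path[p.lower()])
                 for p in WINPATH.findall(e['body']) if p.lower() in by_path]
    return hits


# Sample input, abridged from the logs posted in this thread.
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:27 AM, on 7/31/2008
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe"
"""

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1012

Memory Processes Infected:
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
"""

if __name__ == '__main__':
    procs, entries = parse_hjt(HJT_LOG)
    print('HijackThis running from temp:', hijackthis_in_temp(procs))
    for code, key, name in cross_reference(entries, mbam_detections(MBAM_LOG)):
        print(f'{code}: {key} <- {name}')
```

Run against a full pair of logs, the cross-reference lists exactly the HJT lines a helper would expect to disappear after the MBAM removal, which is the comparison made later in this thread between the first HJT log and the one inside the DSS report.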

Re: Character(s) Malware

Post by bottoson » July 31st, 2008, 6:21 pm

First, to answer your questions. The weird characters show at the end of my emails. I believe that they show only on emails sent in HTML format. They do not show up on messages sent in text-only format.

They show up in message bodies. An example would be when I sent an article from PC Magazine to a friend and tried to write something in the message box. As I typed, the weird characters showed in the body.

Bill Ottoson

----------------------------------------------


ATF Cleaner...Loaded, ran, and completed instructions. Had error message: IE cannot open Internet site http:\www.majorgeeks.com
Operation aborted

But it did finish and noted that it had cleaned 147.445 MBS

----------------------------------------------

Malwarebytes' Anti-Malware

Downloaded and Installed

Following is Log:

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 3

4:15:35 PM 7/31/2008
mbam-log-7-31-2008 (16-15-35).txt

Scan type: Full Scan (C:\|I:\|)
Objects scanned: 185336
Time elapsed: 2 hour(s), 21 minute(s), 52 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 10

Memory Processes Infected:
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\RegistrySmart\RegCleaner.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\TCL.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\zlib.dll (Rogue.RegistrySmart) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrysmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\DataBase.ref (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegCleaner.dll (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegistrySmart.url (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\TCL.dll (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\zlib.dll (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart on the Web.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Application Data\RegistrySmart\Log\2008 Jul 31 - 08_32_59 AM_906.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.


----------------------------------------------

Downloaded Deckard's System Scanner

Main Text File

Deckard's System Scanner v20071014.68
Run by Bill on 2008-07-31 16:56:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
75: 2008-06-20 20:32:31 UTC - RP198 - Installed Creative Software AutoUpdate
74: 2008-06-20 20:29:39 UTC - RP197 - Installed Creative WebCam
73: 2008-06-20 20:29:07 UTC - RP196 - Installed Creative Live! Cam Video Chat / Video IM
72: 2008-06-20 20:28:57 UTC - RP195 - Installed Creative System Information
71: 2008-06-20 20:28:41 UTC - RP194 - Installed Creative Live! Cam User's Guide


-- First Restore Point --
1: 2008-03-28 04:16:14 UTC - RP124 - Made by Registry Mechanic


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as Bill.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:01 PM, on 7/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Downloaded Files\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bill.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 8\SnagItBHO.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: CallingID LinkAdvisor - {F67BEA7B-70D4-4417-9227-480B35DDD500} - C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [NoteWhen3] "C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: Desktoplet.lnk = C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0351727296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/ ... gh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBService - Ziff Davis Media, Inc - C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11765 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S3 ListOpenedFileDrv - c:\documents and settings\bill\application data\pc magazine utilities\taskpower\drivers\listopenedfiledrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 HBService - c:\program files\pc magazine utilities\hd heartbeat 2\hbsrvapp.exe /startedbyscm:3ed1b58a-40e2f974-hbservice <Not Verified; Ziff Davis Media, Inc; HDHeartbeat>
R2 NTService1 (MaxSyncService) - "c:\program files\maxtor\utils\syncservices.exe" <Not Verified; ; SyncServices>

S2 AdobeActiveFileMonitor4.0 (Adobe Active File Monitor V4) - c:\program files\adobe\photoshop elements 4.0\photoshopelementsfileagent.exe
S4 MaxBackServiceInt - "c:\program files\maxtor\maxtor backup\maxbackserviceint.exe" <Not Verified; ; MaxBackServiceInt Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-23 16:18:00 406 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-06-20 09:18:47 436 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-06-19 19:06:01 780 --a------ C:\WINDOWS\Tasks\Daily Backup.job
2008-06-19 18:00:00 716 --a------ C:\WINDOWS\Tasks\daily backup2.job
2008-04-20 14:13:35 370 -----n--- C:\WINDOWS\Tasks\RegCure.job


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 13:47:42 0 d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
2008-07-31 13:47:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 13:47:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 13:09:08 0 d-------- C:\Program Files\Trend Micro
2008-07-28 14:55:10 0 d-------- C:\Program Files\IrfanView
2008-07-24 13:22:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-07-24 13:21:28 0 d-------- C:\Program Files\Webroot
2008-07-24 13:21:28 0 d-------- C:\Documents and Settings\Bill\Application Data\Webroot
2008-07-24 13:21:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-07-24 13:21:24 0 d-------- C:\Program Files\AskSBar
2008-07-24 13:18:27 164 --a------ C:\install.dat
2008-07-23 16:48:30 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-23 16:46:49 0 d-------- C:\Program Files\Real
2008-07-23 16:45:57 0 d-------- C:\Program Files\Common Files\Real
2008-07-23 16:40:19 0 d-------- C:\Documents and Settings\Bill\Application Data\Real
2008-07-23 16:20:45 0 d-------- C:\Program Files\Picasa2
2008-07-23 16:19:03 0 d-------- C:\WINDOWS\system32\runtime
2008-07-23 16:17:14 0 d-------- C:\Program Files\Norton Security Scan
2008-07-14 13:56:12 0 d-------- C:\Program Files\keyfinder
2008-07-14 13:47:56 0 d-------- C:\KeyFinder
2008-07-08 13:45:51 0 d-------- C:\Documents and Settings\Bill\Application Data\RegClean
2008-07-08 13:45:43 0 d-------- C:\Program Files\RegClean
2008-07-08 10:20:48 0 d-------- C:\WINDOWS\Fonts Temp APS Repair
2008-07-06 14:40:12 1843200 --a------ C:\WINDOWS\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-07-06 14:40:05 3497984 --a------ C:\WINDOWS\system32\cdintf300.dll <Not Verified; Amyuni Technologies
http://www.amyuni.com; Amyuni Common Driver Interface>
2008-07-06 10:47:21 0 d-------- C:\WINDOWS\FontsWhollyGenes
2008-07-06 09:16:22 0 d-------- C:\Program Files\CamVideo


-- Find3M Report ---------------------------------------------------------------

2008-07-31 16:48:12 0 d-------- C:\Documents and Settings\Bill\Application Data\Skype
2008-07-31 16:08:21 0 d-------- C:\Documents and Settings\Bill\Application Data\skypePM
2008-07-31 10:11:49 0 d-------- C:\Program Files\ZipCentral
2008-07-25 12:57:57 0 d-------- C:\Program Files\Taskbar Shuffle
2008-07-24 11:00:32 0 d-------- C:\Program Files\PC Magazine Utilities
2008-07-23 22:24:23 0 d-------- C:\Program Files\Google
2008-07-23 16:48:30 0 d-------- C:\Program Files\Common Files
2008-07-23 11:25:53 0 d-------- C:\Documents and Settings\Bill\Application Data\The Master Genealogist v7
2008-07-11 12:28:15 0 d-------- C:\Documents and Settings\Bill\Application Data\PC Magazine Utilities
2008-07-09 14:30:25 134448 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-07-08 16:19:10 0 d-------- C:\Program Files\Ad-Aware
2008-07-06 14:40:02 0 d-------- C:\Program Files\Map my Family Tree
2008-07-06 09:19:26 0 d-------- C:\Program Files\Creative
2008-07-01 09:16:22 0 d-------- C:\Program Files\ClipCache
2008-06-30 16:42:15 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-30 16:40:44 0 d-------- C:\Documents and Settings\Bill\Application Data\Adobe
2008-06-30 16:00:04 0 d-------- C:\Program Files\The Master Genealogist v7
2008-06-20 15:55:27 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-20 15:52:52 0 d-------- C:\Program Files\Skype
2008-06-20 15:52:49 0 d-------- C:\Program Files\Common Files\Skype
2008-06-20 15:45:34 0 d-------- C:\Documents and Settings\Bill\Application Data\Creative
2008-06-20 15:32:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 15:29:22 0 d-------- C:\Program Files\SightSpeed
2008-06-20 12:27:26 0 d-------- C:\Program Files\PCPitstop
2008-06-19 10:09:35 0 d-------- C:\Program Files\The Master Genealogist
2008-06-10 12:12:30 0 d-------- C:\Documents and Settings\Bill\Application Data\Brother
2008-06-10 12:03:13 0 --a------ C:\WINDOWS\system32\Biport
2008-06-10 11:49:02 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-06-06 11:31:31 41438 --ah----- C:\Program Files\UFTREE.GID
2008-06-06 11:14:25 0 d-------- C:\Program Files\Family Tree SuperTools
2008-06-05 12:30:37 0 d-------- C:\Program Files\TimezAttack
2008-06-01 12:01:26 0 d-------- C:\Program Files\Northern Hills Software
2008-06-01 12:00:34 0 d-------- C:\Program Files\RegCure
2008-06-01 08:41:59 0 d-------- C:\Documents and Settings\Bill\Application Data\CallingID
2008-05-14 10:56:58 1024 -r-h----- C:\WINDOWS\system32\NTIBUN4.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
07/24/2008 01:21 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/03/2008 08:54 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/03/2008 08:54 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/27/2008 12:38 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01/13/2006 07:36 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/03/2008 08:54 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 01:18 AM]
"V0350Mon.exe"="C:\WINDOWS\V0350Mon.exe" [08/23/2007 01:03 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/23/2008 04:15 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/23/2008 04:46 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/03/2007 11:29 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 02:39 PM]
"FreeMem Pro"="C:\PROGRA~1\FREEME~1\fmempro.exe" [10/07/2004 01:29 AM]
"NoteWhen3"="C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe" [06/18/2008 04:55 PM]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [06/07/2007 02:01 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]
"PCMagSurfSpeed2"="C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" [05/23/2008 08:02 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [05/31/2008 11:53 AM]

C:\Documents and Settings\Bill\Start Menu\Programs\Startup\
ClipCache Pro.lnk - C:\Program Files\ClipCache\clipc.exe [12/1/2007 7:40:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktoplet.lnk - C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe [7/24/2008 11:00:32 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [12/3/2007 11:29:27 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [12/17/2007 2:55:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll [12/14/2007 09:07 PM 562616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
C:\Program Files\Brother\Brmfl06b\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-31 17:00:05 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) XP 2000+
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 479.48 MiB / 157.16 MiB
Pagefile Memory (total/avail): 1123.95 MiB / 666.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.1 MiB

A: is Removable (FAT)
C: is Fixed (NTFS) - 76.33 GiB total, 55.2 GiB free.
D: is Removable (FAT)
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (FAT)
H: is Removable (FAT)

\\.\PHYSICALDRIVE1 - IOMEGA ZIP 250 - 94.13 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 95.98 MiB - D:

\\.\PHYSICALDRIVE0 - Maxtor 6Y080P0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.33 GiB - C:

\\.\PHYSICALDRIVE4 - 3SYSTEM USB FLASH DISK USB Device - 117.66 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 124.95 MiB - G:

\\.\PHYSICALDRIVE2 - IOMEGA ZIP 250 USB Device - 235.33 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 238.98 MiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bill\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OTTOSON2
ComSpec=C:\WINDOWS\system32\cmd.exe
DEVMGR_SHOW_DETAILS=1
DEVMGR_SHOW_NONPRESENT_DEVICES=1
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bill
LOGONSERVER=\\OTTOSON2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Bill\LOCALS~1\Temp
TMP=C:\DOCUME~1\Bill\LOCALS~1\Temp
USERDOMAIN=OTTOSON2
USERNAME=Bill
USERPROFILE=C:\Documents and Settings\Bill
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bill (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HP CD-Writer\DeIsL1.isu"
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> MsiExec.exe /I{C98E5F1B-5C2B-4FD1-BDF9-F3779DCAAA16}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EDB7E6-D292-44BD-8CA6-A3E33C9D7750}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5549DC52-211C-44BE-8347-0C22812DEB31}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9814AC8C-FDA8-431F-A6EB-D7294E2D362E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3Space ClipArtist 2.0 CD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3Space ClipArtist\DeIsL1.isu"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop Elements 2.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Photoshop Elements 4.0 --> msiexec /I {EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Advanced Audio FX Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9 /remove
Advanced Video FX Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9 /remove
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
akFontViewer --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Anatoli Klassen Software\akFontViewer\UnInst.log " "/APPNAME=akFontViewer"
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
Ashampoo Burning Studio 7.21 --> "C:\Program Files\Ashampoo\Ashampoo Burning Studio 7\unins000.exe"
Ashampoo Magical Snap 2.30 --> "C:\Program Files\Ashampoo\Ashampoo Magical Snap 2\unins000.exe"
Ashampoo PowerUp 3.10 --> "C:\Program Files\Ashampoo\Ashampoo PowerUp 3\unins000.exe"
Ashampoo UnInstaller Platinum 2 --> "C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\Uninstall\UIP_Uninstall.exe"
Ashampoo WinOptimizer 4.51 --> "C:\Program Files\Ashampoo\Ashampoo WinOptimizer 4\unins000.exe"
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
Aspell English Dictionary-0.50-2 --> "C:\Program Files\Aspell\unins001.exe"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0F563C4-D4AD-41C4-A8A6-26664C027D11}\Setup.exe" -l0x9 Brunin03.dll -removeonly
Calculator Powertoy for Windows XP --> MsiExec.exe /I{B37C842A-B624-46B8-A727-654E72F1C91A}
CallingID Link Advisor --> MsiExec.exe /X{6071E0F5-A11A-4AAC-9AB8-468A2DA8C2A2}
CD Labeler II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\CD Labeler II\Setup.exe"
Citi Virtual Account Numbers --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\CitiVAN.INF, DefaultUninstall.ntx86
ClipCache --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ClipCache\Uninst.isu"
ClipCache Pro 3.1.3 --> "C:\Program Files\ClipCache\unins000.exe"
COA2 --> C:\PROGRA~1\COA2\UNWISE.EXE C:\PROGRA~1\COA2\INSTALL.LOG
Corel Applications --> C:\WINDOWS\Corel\Uninst32.exe
Creative Live! Cam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9 /remove
Creative Live! Cam Doodling --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5549DC52-211C-44BE-8347-0C22812DEB31}\setup.exe" -l0x9 /remove
Creative Live! Cam FX Creator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9814AC8C-FDA8-431F-A6EB-D7294E2D362E}\setup.exe" -l0x9 /remove
Creative Live! Cam Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9 /remove
Creative Live! Cam User's Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EDB7E6-D292-44BD-8CA6-A3E33C9D7750}\setup.exe" -l0x9 /remove
Creative Live! Cam Video Chat or Video IM Driver (1.03.01.00) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script VF0350.uns -unsext NT -plugin V0350Pin.dll -pluginres CtCamPin.crl
Creative Photo Calendar --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9 /remove
Creative Photo Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9 /remove
Creative Software AutoUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
DriverMax 3 --> "C:\Program Files\Innovative Solutions\DriverMax\unins000.exe"
Family Tree Maker 7.0 --> C:\WINDOWS\IsUninst.exe -fC:\FTW\Uninst.isu
Family Tree SuperTools --> MsiExec.exe /I{99867949-A794-11D5-8228-005004A6E645}
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
FreeMem Professional Version 5.2 --> C:\PROGRA~1\FREEME~1\UNWISE.EXE C:\PROGRA~1\FREEME~1\INSTALL.LOG
GENMatcher 1.08 --> "C:\Program Files\MudCreek\GENMatcher\unins000.exe"
GENViewer version 1.23 --> "C:\Program Files\MudCreek\GENViewer\unins000.exe"
getPlus(R)_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
GNU Aspell 0.50-3 --> "C:\Program Files\Aspell\unins000.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Photos Screensaver --> MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Greeting Card Creator 32 --> C:\PROGRA~1\GREETI~1\UNWISE.EXE C:\PROGRA~1\GREETI~1\INSTALL.LOG
Greetings Workshop --> C:\Program Files\Greetings Workshop\SETUP\setup.exe
HijackThis 2.0.2 --> "C:\DOCUME~1\Bill\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe" /uninstall
hp deskjet 930c series (Remove only) --> C:\Program Files\hp deskjet 930c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=LPT1: -vproduct=930c -huninstall
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 1.0 - Scanjet 3500c Series --> MsiExec.exe /I{B8E952E3-A823-443A-8493-39A0CCE0E3EB}
HP Photo and Imaging 2.0 - Scanners --> MsiExec.exe /I{6CC93102-135E-49E2-99A4-C431E671C12A}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map My Family Tree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03739F6A-16F6-49FB-8E00-AC4AC8FB1FC2}\setup.exe" -l0x9 -uninst -removeonly
Maxtor Backup --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9C3F9580-F5CF-4288-894E-9FF0EB24A21C} /l1033
Maxtor OneTouch III --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FF268652-B3E8-494F-8343-1FC6DD0FF523} /l1033
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft PhotoDraw 2000 --> "C:\Program Files\Microsoft Office\Office\Setup\PhotoDraw\setup.exe"
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Moffsoft FreeCalc --> "C:\Program Files\Moffsoft FreeCalc\unins000.exe"
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Norton Security Scan --> MsiExec.exe /I{3A4FFB84-D070-4DA5-AB7B-D41D87FD8D19}
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
Panda NanoScan --> C:\Program Files\Panda Security\NanoScan\nanounst.exe
PaperPort --> MsiExec.exe /I{71C97545-E547-4A8B-B0C8-61FF853270AC}
PC Magazine's Top 100s as Internet Explorer Favorites --> "C:\Documents and Settings\Bill\Application Data\unins000.exe"
PC Magazine ButtonBoogie 2.1.1 --> "C:\Program Files\PC Magazine Utilities\ButtonBoogie\unins000.exe"
PC Magazine Defrag-A-File 2.0.2 --> "C:\Program Files\PC Magazine Utilities\Defrag-A-File\unins000.exe"
PC Magazine Desktoplet --> "C:\Program Files\PC Magazine Utilities\Desktoplet\unins000.exe"
PC Magazine DiskAction v2.4 --> "C:\Program Files\PC Magazine Utilities\DiskAction 2\unins000.exe"
PC Magazine ExhumeIt 1.0 --> "C:\Program Files\PC Magazine Utilities\ExhumeIt\unins000.exe"
PC Magazine File Utility Pack --> "C:\Program Files\PC Magazine Utilities\File Utility Pack\unins000.exe"
PC Magazine FontViewer 3 --> "C:\Program Files\PC Magazine Utilities\FontViewer3\unins000.exe"
PC Magazine HD HeartBeat 2.0 --> "C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\unins000.exe"
PC Magazine IconEdit --> "C:\Program Files\PC Magazine Utilities\IconEdit\unins000.exe"
PC Magazine InstaBack 2.0 --> "C:\Program Files\PC Magazine Utilities\InstaBack 2\unins000.exe"
PC Magazine NoteWhen 3.0 --> "C:\Program Files\PC Magazine Utilities\NoteWhen\unins000.exe"
PC Magazine Shred 3.0 --> "C:\Program Files\PC Magazine Utilities\Shred 3\unins000.exe"
PC Magazine TaskPower 3 --> "C:\Program Files\PC Magazine Utilities\TaskPower\unins000.exe"
PC Magazine Top Stats --> "C:\Program Files\PC Magazine Utilities\Top Stats\unins000.exe"
PC Magazine TrayManager 3.0 --> "C:\Program Files\PC Magazine Utilities\TrayManager\unins000.exe"
PC Pitstop Driver Alert 1.0 --> "C:\Program Files\PCPitstop\Driver Alert\unins000.exe"
PCMagazine SurfSpeed 2 --> "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\unins000.exe"
Perfect Uninstaller v3.7 --> "C:\Program Files\Perfect Uninstaller\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PIXELA ImageMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13413C6C-C640-40B8-917E-CA3062826B18}\setup.exe"
Pocket Genealogist V3 --> C:\Program Files\Northern Hills Software\Pocket Genealogist V3\PGInstall.exe /CTL=PGENIE.UIN
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Qlock Lite --> "C:\Program Files\Qlock\uninstall.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
RegClean --> MsiExec.exe /X{BA79750B-24D6-42C1-8589-2AB84662DEF8}
RegCure 1.3.0.2 --> C:\Program Files\RegCure\uninst.exe
Registry Mechanic 5.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
RegistrySmart --> MsiExec.exe /X{F233CA97-817E-4DC2-9D76-04A2A8D96687}
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
SightSpeed (remove only) --> "C:\Program Files\SightSpeed\uninst.exe"
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SnagIt 8 --> MsiExec.exe /I{DA0BF7AB-88EB-4675-8FA1-531EAD938821}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Startup Cop Pro 3.0 --> "C:\Program Files\PC Magazine Utilities\Startup Cop Pro\unins000.exe"
Taskbar Shuffle version 2.2 --> "C:\Program Files\Taskbar Shuffle\unins000.exe"
The Master Genealogist (for All Users) --> C:\Program Files\The Master Genealogist\sysdata\UNWISE.EXE /U "C:\Program Files\The Master Genealogist\sysdata\INSTALL.LOG" Uninstall The Master Genealogist (for All Users)
The Master Genealogist v7 (for All Users) --> C:\PROGRA~1\THEMAS~2\UNWISE.EXE C:\PROGRA~1\THEMAS~2\sysdata\INSTALL.LOG
TMG Utility --> C:\PROGRA~1\TMGUTI~1\UNWISE.EXE C:\PROGRA~1\TMGUTI~1\INSTALL.LOG
Uniblue ProcessScanner --> "C:\Program Files\Uniblue\ProcessScanner\unins000.exe"
VERITAS StorageGuard 1.95 --> C:\WINDOWS\uninst.exe -fC:\PROGRA~1\HPCD-W~1\VERITA~1\DeIsL1.isu -c"C:\Program Files\HP CD-Writer\VERITAS StorageGuard\System\UNINST.DLL"
Visual FoxPro ODBC Driver --> MsiExec.exe /X{31821EFE-1B31-4744-9FB0-208F92BD7168}
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Creativity Fun Packs - Windows XP Power Toys --> MsiExec.exe /X{485E6526-EA98-4F04-925A-67424D12E1E2}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows XP Video Screensaver Powertoy --> C:\WINDOWS\system32\unins000.exe
WinPatrol 2007 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
ZipCentral 4.01 --> "C:\Program Files\ZipCentral\unins000.exe"


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

No Errors/Warnings found.


-- End of Deckard's System Scanner: finished at 2008-07-31 17:00:05 ------------
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 1st, 2008, 7:45 am

Hello bottoson,

Did you install HijackThis again as per my instructions?
Do it now; I will need you to post a new HijackThis log in this post.
Here are my instructions again.
----------------------------------------------
Registry Cleaners

I notice the presence of a Registry Cleaner on your PC:

RegClean

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference.
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html
----------------------------------------------
Now go to Start > Settings > Control Panel and click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, then click on Remove. Then close the Control Panel.

    AskSBar
    keyfinder
    RegClean << Optional

----------------------------------------------
Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following folders; if found, delete them (some may not be present after the previous steps):

C:\Program Files\AskSBar
C:\Program Files\keyfinder
C:\KeyFinder
----------------------------------------------
DirLook

Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\WINDOWS\system32\runtime
    C:\WINDOWS\Fonts Temp APS Repair
    C:\WINDOWS\FontsWhollyGenes
    C:\Program Files\TimezAttack
    

  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.
----------------------------------------------
Click start/ run and type in exactly:

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries in case they appear:

    .bat
    .cmd
    .inf
    .ini
    .reg
    .txt
    .vbs
    .cpl
    .scr
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt
  • I'll need that log later.
If everything is OK again, it should display the "all associations ok" message.

Post back with the contents of daft.txt.
----------------------------------------------
Post back:
DirLook report.
daft.txt
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
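The daft step above asks the user to tick the .bat, .cmd, .inf, .ini, .reg, .txt, .vbs, .cpl and .scr associations so the tool can restore any that were altered. As an added example (not the helper's tool and not part of the original thread), the following read-only PowerShell audit walks that same extension list, resolves each extension's ProgID and shell command from HKEY_CLASSES_ROOT, and flags handlers that no longer point at the stock executable; the expected ProgIDs and executables are assumed typical Windows defaults, not values taken from the thread.

```powershell
# Added example, not part of the original thread. Read-only audit of the
# file associations that the daft step above asks the user to check.
# Expected ProgIDs and handler executables below are assumed stock Windows
# defaults (not taken from the thread); adjust them if your build differs.
$Expected = @{
    '.bat' = @{ ProgId = 'batfile'; Exe = '"%1"' }
    '.cmd' = @{ ProgId = 'cmdfile'; Exe = '"%1"' }
    '.inf' = @{ ProgId = 'inffile'; Exe = 'notepad.exe' }
    '.ini' = @{ ProgId = 'inifile'; Exe = 'notepad.exe' }
    '.reg' = @{ ProgId = 'regfile'; Exe = 'regedit.exe' }
    '.txt' = @{ ProgId = 'txtfile'; Exe = 'notepad.exe' }
    '.vbs' = @{ ProgId = 'VBSFile'; Exe = 'wscript.exe' }
    '.cpl' = @{ ProgId = 'cplfile'; Exe = 'rundll32.exe' }
    '.scr' = @{ ProgId = 'scrfile'; Exe = '"%1"' }
}

function Get-DefaultValue {
    param([string]$KeyPath)
    # Returns the (Default) value of a registry key, or $null when the key is missing.
    $key = Get-Item -Path "Registry::$KeyPath" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ScriptAssociation {
    param([string]$Extension)
    $want   = $Expected[$Extension]
    $progId = Get-DefaultValue "HKEY_CLASSES_ROOT\$Extension"
    $result = [ordered]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $null
        Status    = 'OK'
    }
    if ([string]::IsNullOrEmpty($progId)) {
        $result.Status = 'MISSING: extension key has no ProgID'
        return [pscustomobject]$result
    }
    if ($progId -ne $want.ProgId) {
        $result.Status = "CHANGED: expected ProgID $($want.ProgId)"
    }
    # .cpl uses the 'cplopen' verb; every other extension here uses 'open'.
    $verb = if ($Extension -eq '.cpl') { 'cplopen' } else { 'open' }
    $cmd  = Get-DefaultValue "HKEY_CLASSES_ROOT\$progId\shell\$verb\command"
    $result.Command = $cmd
    if ([string]::IsNullOrEmpty($cmd)) {
        $result.Status = "MISSING: no shell\$verb\command under $progId"
    } elseif ($cmd -notlike "*$($want.Exe)*") {
        # A handler that no longer references the stock executable is the
        # classic sign of a hijacked association and deserves a closer look.
        $result.Status = "SUSPECT: handler does not reference $($want.Exe)"
    }
    return [pscustomobject]$result
}

# Audit every extension in the list and print one row per association.
$Expected.Keys | Sort-Object | ForEach-Object { Test-ScriptAssociation $_ } |
    Format-Table -AutoSize
```

HKEY_CLASSES_ROOT is the merged view of HKLM\Software\Classes and HKCU\Software\Classes with the per-user branch taking precedence, so a per-user override of one of these handlers shows up in this audit as well.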

Re: Character(s) Malware

Unread postby bottoson » August 1st, 2008, 2:17 pm

Removed RegCleaner

Also have RegCure, Registry Mechanic, RegMan, and Registry Smart

Should they be deleted also?

-----------------------------------------

There was no AskSBar listed in programs available to be removed, but there is a Program Files\AskSBar folder with an .exe file in it. There is also an Ask Toolbar available in programs available to be removed.

Should I remove it?

-----------------------------------------

There was no KeyFinder in the Panel\Remove Programs, but there is a folder with an .exe file under Program Files\KeyFinder... In other words I couldn't get it removed either.

-------------------------------------------

I did not remove as directed the folders of AskSBar or KeyFinder since I couldn't remove the programs.

---------------------------------------------------------------------------------------------------------

HiJack... did download and install, full scan & log and then a scan

This scan process took less than 10 seconds, which leads me to believe it did not do a scan but picked up a previous log. I noted that it did not list a length of time entry for the scan (if it is supposed to).

Would you recommend me deleting the other scan logs and doing the scan over again?

----------------------------------------------

I did not do the DirLook as directed because the code box contained the strange characters under investigation. When I copied them to a text program (WordPad) they revealed themselves in text characters. I then tried to delete the code in the code box in order to replace it with the proper text code. It would not delete, so I did not complete that assignment.
----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:02 AM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Maxtor\Utils\MaxSync.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 8\SnagItBHO.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: CallingID LinkAdvisor - {F67BEA7B-70D4-4417-9227-480B35DDD500} - C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [NoteWhen3] "C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: Desktoplet.lnk = C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0351727296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/ ... gh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBService - Ziff Davis Media, Inc - C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11897 bytes

----------------------------------------------------
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 1st, 2008, 3:56 pm

Hello bottoson,

Also have RegCure, Registry Mechanic, RegMan, and Registry Smart

Yes please; they can do more harm than good if used improperly, and create havoc in your Registry.

I did not remove as directed the folders of AskSBar or KeyFinder since I couldn't remove the programs.


Ok we'll remove them later.

This scan process took less than 10 seconds

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:02 AM, on 8/1/2008 << This is the time it ran according to your clock. Is it correct?
Did you run it again today?
If not, it should be correct.
Please confirm the time you ran HijackThis.

I did not do the DirLook as directed because the code box contained the strange characters under investigation. When I copied them to a text program (WordPad) they revealed themselves in text characters. I then tried to delete the code in the code box in order to replace it with the proper text code. It would not delete, so I did not complete that assignment.

I just used DirLook and it works.
You copy those folders directly into the DirLook window, not into WordPad.

Please post back the results of DirLook, confirmation about Hijackthis, and Daft.txt as per instructions in my previous post.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 1st, 2008, 6:53 pm

Downloaded DirLook and ran

-------------------------------------------

DirLook.exe by jpshortstuff
Log created at 16:20:51 on Fri 08/01/2008

==============================

Contents of C:\WINDOWS\system32\runtime (inc. hidden/system files/folders)

---FOLDERS---


---FILES---


==============================

Contents of C:\WINDOWS\Fonts Temp APS Repair (inc. hidden/system files/folders)

---FOLDERS---


---FILES---

ACaslonPro-Bold.otf (142972 bytes, created: 09/09/2005 01:11 AM) --a------
ACaslonPro-BoldItalic.otf (169448 bytes, created: 09/09/2005 01:11 AM) --a------
ACaslonPro-Italic.otf (167264 bytes, created: 09/09/2005 01:11 AM) --a------
ACaslonPro-Regular.otf (161820 bytes, created: 09/09/2005 01:11 AM) --a------
ADLIBN.TTF (46448 bytes, created: 12/08/1998 01:31 PM) --a------
ADMUI3.fon (17408 bytes, created: 09/09/2005 01:22 AM) --a------
ALCOPPLN.TTF (50964 bytes, created: 08/10/1998 09:51 AM) --a------
ALGER.TTF (69504 bytes, created: 09/15/1998 01:00 AM) --a------
ALLEGRON.TTF (52788 bytes, created: 12/08/1998 01:31 PM) --a------
ALMANAC.TTF (36256 bytes, created: 09/15/1998 01:00 AM) --a------
AMAZONEN.TTF (60060 bytes, created: 12/08/1998 01:31 PM) --a------
ANTQUAB.TTF (151000 bytes, created: 11/12/1998 08:18 AM) --a------
ANTQUABI.TTF (150416 bytes, created: 11/12/1998 08:18 AM) --a------
ANTQUAI.TTF (149092 bytes, created: 11/12/1998 08:18 AM) --a------
ARBLI___.TTF (65544 bytes, created: 10/24/1997 04:42 PM) --a------
arial.ttf (367112 bytes, created: 07/17/2004 11:39 AM) --a------
arialbd.ttf (352224 bytes, created: 07/17/2004 11:39 AM) --a------
arialbi.ttf (226748 bytes, created: 08/18/2001 07:00 AM) --a------
ariali.ttf (207808 bytes, created: 08/18/2001 07:00 AM) --a------
ARIALN.TTF (134188 bytes, created: 05/28/1998 03:38 PM) --a------
ARIALNB.TTF (139056 bytes, created: 05/28/1998 03:38 PM) --a------
ARIALNBI.TTF (138468 bytes, created: 05/28/1998 03:38 PM) --a------
ARIALNI.TTF (141328 bytes, created: 05/28/1998 03:38 PM) --a------
ariblk.ttf (118832 bytes, created: 01/01/2007 01:58 PM) --a------
ARLRDBD.TTF (39968 bytes, created: 09/15/1998 01:00 AM) --a------
AVGARDM.TTF (37432 bytes, created: 08/10/1998 09:53 AM) --a------
AVGARDMI.TTF (38752 bytes, created: 08/10/1998 09:53 AM) --a------
AVGARDN.TTF (38696 bytes, created: 12/15/1998 06:39 PM) --a------
AVGARDNI.TTF (38248 bytes, created: 12/15/1998 06:39 PM) --a------
BAILY.TTF (47292 bytes, created: 08/30/1996 03:39 PM) --a------
BAKRSIGN.TTF (43236 bytes, created: 12/10/1998 01:24 PM) --a------
Ballads.ttf (40460 bytes, created: 04/24/1998 07:57 PM) --a------
BASKVILL.TTF (49720 bytes, created: 09/15/1998 01:00 AM) --a------
BAUBODB.TTF (48652 bytes, created: 12/10/1998 01:24 PM) --a------
BAUBODBC.TTF (47496 bytes, created: 12/10/1998 01:24 PM) --a------
BAUBODBI.TTF (49280 bytes, created: 12/10/1998 01:24 PM) --a------
BAUBODI.TTF (50760 bytes, created: 12/10/1998 01:24 PM) --a------
BAUBODK.TTF (53824 bytes, created: 08/10/1998 09:54 AM) --a------
BAUBODKC.TTF (46356 bytes, created: 12/10/1998 01:24 PM) --a------
BAUBODKI.TTF (50216 bytes, created: 12/10/1998 01:24 PM) --a------
BAUBODN.TTF (48536 bytes, created: 12/10/1998 01:24 PM) --a------
BAUBODTI.TTF (71684 bytes, created: 12/30/1998 04:30 AM) --a------
BIBLSCRN.TTF (87328 bytes, created: 08/10/1998 09:55 AM) --a------
BKANT.TTF (155528 bytes, created: 11/12/1998 08:18 AM) --a------
BLAKLITN.TTF (60736 bytes, created: 08/10/1998 09:55 AM) --a------
BLIPPOK.TTF (37652 bytes, created: 12/23/1998 04:15 PM) --a------
BNKGOTHM.TTF (35412 bytes, created: 12/10/1998 01:24 PM) --a------
BODONI.TTF (45052 bytes, created: 01/04/1999 10:59 PM) --a------
BODONIB.TTF (46560 bytes, created: 01/04/1999 10:59 PM) --a------
BODONIBC.TTF (44572 bytes, created: 12/23/1998 04:17 PM) --a------
BODONIBI.TTF (47652 bytes, created: 01/04/1999 10:59 PM) --a------
BODONII.TTF (46888 bytes, created: 02/10/1999 11:08 AM) --a------
BODONIN.TTF (45116 bytes, created: 01/04/1999 10:59 PM) --a------
BODONINI.TTF (47256 bytes, created: 01/04/1999 10:59 PM) --a------
BOOKMND.TTF (47428 bytes, created: 12/15/1998 06:39 PM) --a------
BOOKMNDI.TTF (48608 bytes, created: 12/15/1998 06:39 PM) --a------
BOOKMNL.TTF (47056 bytes, created: 12/15/1998 06:39 PM) --a------
BOOKMNLI.TTF (47936 bytes, created: 12/15/1998 06:39 PM) --a------
BOOKOS.TTF (160940 bytes, created: 11/04/1998 05:30 PM) --a------
BOOKOSB.TTF (154576 bytes, created: 11/04/1998 05:30 PM) --a------
BOOKOSBI.TTF (162460 bytes, created: 11/04/1998 05:30 PM) --a------
BOOKOSI.TTF (160920 bytes, created: 11/04/1998 05:30 PM) --a------
BRADHITC.TTF (100408 bytes, created: 09/15/1998 01:00 AM) --a------
bralabc0.ttf (44788 bytes, created: 07/28/1998 03:00 AM) --a------
bralarc0.ttf (44396 bytes, created: 07/28/1998 03:00 AM) --a------
branobc0.ttf (38780 bytes, created: 07/28/1998 03:00 AM) --a------
branoic0.ttf (35288 bytes, created: 07/28/1998 03:00 AM) --a------
branorc0.ttf (37848 bytes, created: 07/28/1998 03:00 AM) --a------
brbrubc0.ttf (51240 bytes, created: 07/28/1998 03:00 AM) --a------
brbruic0.ttf (49760 bytes, created: 07/28/1998 03:00 AM) --a------
brbrurc0.ttf (50540 bytes, created: 07/28/1998 03:00 AM) --a------
brbruvc0.ttf (50956 bytes, created: 07/28/1998 03:00 AM) --a------
brclcrc0.ttf (48024 bytes, created: 07/28/1998 03:00 AM) --a------
brconrc0.ttf (46792 bytes, created: 07/28/1998 03:00 AM) --a------
BREMENB.TTF (44336 bytes, created: 12/23/1998 04:18 PM) --a------
brguabc0.ttf (54632 bytes, created: 07/28/1998 03:00 AM) --a------
brguaic0.ttf (52056 bytes, created: 07/28/1998 03:00 AM) --a------
brguarc0.ttf (52724 bytes, created: 07/28/1998 03:00 AM) --a------
brguavc0.ttf (54820 bytes, created: 07/28/1998 03:00 AM) --a------
BRITANIC.TTF (35368 bytes, created: 09/15/1998 01:00 AM) --a------
brlgobc0.ttf (38492 bytes, created: 07/28/1998 03:00 AM) --a------
brlgoic0.ttf (34536 bytes, created: 07/28/1998 03:00 AM) --a------
brlgorc0.ttf (38424 bytes, created: 07/28/1998 03:00 AM) --a------
brmarrc0.ttf (48912 bytes, created: 07/28/1998 03:00 AM) --a------
BROADW.TTF (53328 bytes, created: 09/15/1998 01:00 AM) --a------
BRODYN.TTF (95376 bytes, created: 08/10/1998 09:56 AM) --a------
broklbc0.ttf (45912 bytes, created: 07/28/1998 03:00 AM) --a------
broklic0.ttf (40952 bytes, created: 07/28/1998 03:00 AM) --a------
broklrc0.ttf (45120 bytes, created: 07/28/1998 03:00 AM) --a------
broklvc0.ttf (40772 bytes, created: 07/28/1998 03:00 AM) --a------
brtenbc0.ttf (50864 bytes, created: 07/28/1998 03:00 AM) --a------
brtenic0.ttf (47068 bytes, created: 07/28/1998 03:00 AM) --a------
brtenrc0.ttf (49228 bytes, created: 07/28/1998 03:00 AM) --a------
brtenvc0.ttf (49184 bytes, created: 07/28/1998 03:00 AM) --a------
BRUS445N.TTF (60080 bytes, created: 12/23/1998 04:17 PM) --a------
BRUS738N.TTF (46680 bytes, created: 12/10/1998 01:24 PM) --a------
BRUSHSCN.TTF (52956 bytes, created: 12/10/1998 01:24 PM) --a------
brutabc0.ttf (36464 bytes, created: 08/04/1998 03:00 AM) --a------
brutaic0.ttf (33320 bytes, created: 08/04/1998 03:00 AM) --a------
brutarc0.ttf (35252 bytes, created: 08/04/1998 03:00 AM) --a------
brutavc0.ttf (33360 bytes, created: 08/04/1998 03:00 AM) --a------
brutcbc0.ttf (36632 bytes, created: 08/04/1998 03:00 AM) --a------
brutcic0.ttf (34028 bytes, created: 08/04/1998 03:00 AM) --a------
brutcrc0.ttf (35600 bytes, created: 08/04/1998 03:00 AM) --a------
brutcvc0.ttf (34192 bytes, created: 08/04/1998 03:00 AM) --a------
CALG421N.TTF (53844 bytes, created: 12/08/1998 06:23 AM) --a------
CALG810I.TTF (52440 bytes, created: 01/04/1999 11:00 PM) --a------
CALG810N.TTF (54892 bytes, created: 12/08/1998 06:23 AM) --a------
CALIST.TTF (73020 bytes, created: 09/15/1998 01:00 AM) --a------
CALISTB.TTF (79308 bytes, created: 09/15/1998 01:00 AM) --a------
CALISTI.TTF (52152 bytes, created: 09/15/1998 01:00 AM) --a------
CANCUNN.TTF (46696 bytes, created: 08/10/1998 09:57 AM) --a------
CARLTONN.TTF (36348 bytes, created: 08/10/1998 09:57 AM) --a------
CASL540I.TTF (52932 bytes, created: 12/08/1998 06:22 AM) --a------
CASL540N.TTF (49396 bytes, created: 12/08/1998 06:22 AM) --a------
CASLONB.TTF (46728 bytes, created: 12/08/1998 06:22 AM) --a------
CASLONBI.TTF (49316 bytes, created: 12/08/1998 06:22 AM) --a------
CASOLFCH.TTF (48768 bytes, created: 12/08/1998 06:22 AM) --a------
CASOLFCI.TTF (53868 bytes, created: 12/08/1998 06:22 AM) --a------
CASOPFAN.TTF (67284 bytes, created: 12/08/1998 06:22 AM) --a------
CASTELAR.TTF (42772 bytes, created: 09/15/1998 01:00 AM) --a------
CATANBON.TTF (49540 bytes, created: 01/04/1999 11:01 PM) --a------
CATANEON.TTF (50048 bytes, created: 01/04/1999 11:01 PM) --a------
CATANLTN.TTF (49556 bytes, created: 01/04/1999 11:01 PM) --a------
CATANSWN.TTF (20936 bytes, created: 12/15/1998 06:40 PM) --a------
CHILLER.TTF (90752 bytes, created: 09/15/1998 01:00 AM) --a------
CLOISOFN.TTF (75280 bytes, created: 12/23/1998 04:17 PM) --a------
CNTDWNN.TTF (64384 bytes, created: 08/10/1998 10:00 AM) --a------
COLONNA.TTF (49296 bytes, created: 09/15/1998 01:00 AM) --a------
COMBULN.TTF (22088 bytes, created: 08/10/1998 10:00 AM) --a------
COMSCRTN.TTF (61580 bytes, created: 12/23/1998 04:17 PM) --a------
COOPBL.TTF (74808 bytes, created: 09/15/1998 01:00 AM) --a------
COOPBLA.TTF (57372 bytes, created: 01/04/1999 10:59 PM) --a------
COOPBLI.TTF (58932 bytes, created: 01/04/1999 11:00 PM) --a------
COOPBLIA.TTF (58036 bytes, created: 01/04/1999 10:59 PM) --a------
COOPBLN.TTF (57428 bytes, created: 01/04/1999 11:00 PM) --a------
COOPBLO.TTF (85764 bytes, created: 01/06/1999 10:34 AM) --a------
COOPERB.TTF (55956 bytes, created: 01/04/1999 11:00 PM) --a------
COOPERBI.TTF (55884 bytes, created: 01/04/1999 11:00 PM) --a------
COOPERL.TTF (55288 bytes, created: 01/04/1999 11:00 PM) --a------
COOPERLI.TTF (55492 bytes, created: 01/04/1999 11:00 PM) --a------
COOPERM.TTF (55316 bytes, created: 01/04/1999 11:00 PM) --a------
COOPERMI.TTF (55280 bytes, created: 01/04/1999 11:00 PM) --a------
COPGOTBC.TTF (44308 bytes, created: 12/08/1998 06:22 AM) --a------
COPGOTHB.TTF (45440 bytes, created: 12/08/1998 06:22 AM) --a------
COPGOTHC.TTF (44576 bytes, created: 12/08/1998 06:22 AM) --a------
COPGOTHH.TTF (46556 bytes, created: 12/08/1998 06:22 AM) --a------
COPGOTHN.TTF (46144 bytes, created: 12/08/1998 06:22 AM) --a------
COPRGTB.TTF (56104 bytes, created: 09/15/1998 01:00 AM) --a------
COPRGTL.TTF (57232 bytes, created: 09/15/1998 01:00 AM) --a------
COSMIC2N.TTF (34656 bytes, created: 08/10/1998 10:01 AM) --a------
COSMICN.TTF (47224 bytes, created: 08/10/1998 10:01 AM) --a------
Country.ttf (43064 bytes, created: 04/24/1998 06:09 PM) --a------
estre.ttf (79744 bytes, created: 08/18/2001 07:00 AM) --a------
EWIEN.TTF (48080 bytes, created: 08/10/1998 10:04 AM) --a------
EXPON.TTF (44452 bytes, created: 08/10/1998 10:04 AM) --a------
FELIXTI.TTF (39492 bytes, created: 09/15/1998 01:00 AM) --a------
FENICEB.TTF (42224 bytes, created: 12/15/1998 06:40 PM) --a------
FENICEBI.TTF (44776 bytes, created: 12/15/1998 06:40 PM) --a------
FENICEN.TTF (42680 bytes, created: 12/15/1998 06:40 PM) --a------
FENICENI.TTF (44764 bytes, created: 12/15/1998 06:40 PM) --a------
FLASHB.TTF (70284 bytes, created: 08/10/1998 10:05 AM) --a------
FLASHL.TTF (62288 bytes, created: 08/10/1998 10:05 AM) --a------
FLEMSCRN.TTF (68720 bytes, created: 12/23/1998 04:15 PM) --a------
FLINT-H.TTF (43944 bytes, created: 08/30/1996 04:16 PM) --a------
FOLIOB.TTF (36836 bytes, created: 12/22/1998 04:14 AM) --a------
FOLIOBC.TTF (37272 bytes, created: 12/23/1998 04:17 PM) --a------
FOLIOL.TTF (35656 bytes, created: 01/04/1999 11:00 PM) --a------
FOLIOLI.TTF (36668 bytes, created: 12/23/1998 04:17 PM) --a------
FOLIOM.TTF (36512 bytes, created: 01/04/1999 11:00 PM) --a------
FOLION.TTF (35824 bytes, created: 01/04/1999 11:00 PM) --a------
FOLIOXB.TTF (38660 bytes, created: 01/04/1999 11:00 PM) --a------
FORRST-H.TTF (48660 bytes, created: 07/24/1996 04:19 PM) --a------
FORTE.TTF (54216 bytes, created: 09/15/1998 01:00 AM) --a------
FOSTER-H.TTF (53428 bytes, created: 08/30/1996 03:37 PM) --a------
FOXFONT.FON (15872 bytes, created: 09/01/1996 02:00 AM) --a------
framd.ttf (135984 bytes, created: 08/18/2001 07:00 AM) --a------
framdit.ttf (152844 bytes, created: 08/18/2001 07:00 AM) --a------
FRKFRTHN.TTF (87724 bytes, created: 08/10/1998 10:06 AM) --a------
FRML436N.TTF (46504 bytes, created: 12/23/1998 04:17 PM) --a------
FTLTLT.TTF (78104 bytes, created: 09/15/1998 01:00 AM) --a------
GALIRDB.TTF (51268 bytes, created: 07/12/1999 06:41 AM) --a------
GALIRDBI.TTF (51864 bytes, created: 11/30/1998 10:41 AM) --a------
GALIRDI.TTF (51520 bytes, created: 11/30/1998 10:41 AM) --a------
GALIRDN.TTF (51876 bytes, created: 11/30/1998 10:41 AM) --a------
GANDON.TTF (54296 bytes, created: 08/10/1998 10:07 AM) --a------
GARA.TTF (196588 bytes, created: 05/21/1998 01:30 PM) --a------
GARABD.TTF (198540 bytes, created: 05/21/1998 01:30 PM) --a------
GARAIT.TTF (188916 bytes, created: 05/21/1998 01:30 PM) --a------
gautami.ttf (214936 bytes, created: 08/18/2001 07:00 AM) --a------
georgia.ttf (155068 bytes, created: 07/17/2004 11:39 AM) --a------
georgiab.ttf (141032 bytes, created: 08/18/2001 07:00 AM) --a------
georgiai.ttf (157388 bytes, created: 08/18/2001 07:00 AM) --a------
georgiaz.ttf (159736 bytes, created: 08/18/2001 07:00 AM) --a------
GHOULC.TTF (105316 bytes, created: 04/08/1996 01:00 PM) --a------
GHOULS.TTF (66184 bytes, created: 04/08/1996 01:00 PM) --a------
GIGI.TTF (136872 bytes, created: 09/15/1998 01:00 AM) --a------
GIL_____.TTF (60132 bytes, created: 09/15/1998 01:00 AM) --a------
GILB____.TTF (60884 bytes, created: 09/15/1998 01:00 AM) --a------
GILBI___.TTF (64208 bytes, created: 09/15/1998 01:00 AM) --a------
GILC____.TTF (54644 bytes, created: 09/15/1998 01:00 AM) --a------
GILI____.TTF (62144 bytes, created: 09/15/1998 01:00 AM) --a------
GILLUBCD.TTF (66792 bytes, created: 09/15/1998 01:00 AM) --a------
GILSANUB.TTF (65736 bytes, created: 09/15/1998 01:00 AM) --a------
GLASTRSN.TTF (43632 bytes, created: 08/10/1998 10:08 AM) --a------
GLECB.TTF (68012 bytes, created: 09/15/1998 01:00 AM) --a------
GlobalMonospace.CompositeFont (26040 bytes, created: 04/19/2006 09:21 PM) --a------
GlobalSansSerif.CompositeFont (26489 bytes, created: 07/02/2006 11:37 PM) --a------
GlobalSerif.CompositeFont (29779 bytes, created: 04/19/2006 09:21 PM) --a------
GlobalUserInterface.CompositeFont (30808 bytes, created: 07/02/2006 11:37 PM) --a------
GLSNECB.TTF (78984 bytes, created: 09/15/1998 01:00 AM) --a------
GOLDMINN.TTF (78764 bytes, created: 08/10/1998 10:08 AM) --a------
GOTHIC.TTF (137568 bytes, created: 09/01/1998 02:13 PM) --a------
GOUDHNDN.TTF (83168 bytes, created: 12/23/1998 04:17 PM) --a------
GOUDOS.TTF (75924 bytes, created: 09/15/1998 01:00 AM) --a------
GOUDOSB.TTF (76052 bytes, created: 09/15/1998 01:00 AM) --a------
GOUDOSBI.TTF (58640 bytes, created: 11/30/1998 10:51 AM) --a------
GOUDOSI.TTF (73640 bytes, created: 09/15/1998 01:00 AM) --a------
GOUDYOSB.TTF (60644 bytes, created: 11/30/1998 10:51 AM) --a------
GOUDYOSI.TTF (57428 bytes, created: 11/30/1998 10:51 AM) --a------
GOUDYOSN.TTF (61592 bytes, created: 11/30/1998 10:51 AM) --a------
GOUDYSTO.TTF (48356 bytes, created: 04/23/1996 02:48 PM) --a------
HARLOWN.TTF (95908 bytes, created: 08/10/1998 10:09 AM) --a------
HARLOWSI.TTF (51288 bytes, created: 09/15/1998 01:00 AM) --a------
HARNGTON.TTF (64816 bytes, created: 09/15/1998 01:00 AM) --a------
HARPOONN.TTF (38844 bytes, created: 08/10/1998 10:09 AM) --a------
HATTEN.TTF (101592 bytes, created: 07/05/1995 01:31 PM) --a------
helvsb75.TTF (48424 bytes, created: 02/25/1999 07:18 AM) --a------
Helvss75.ttf (48416 bytes, created: 01/03/1997 03:25 PM) --a------
HO.TTF (41292 bytes, created: 09/15/1998 01:00 AM) --a------
HOBON.TTF (50240 bytes, created: 12/15/1998 06:39 PM) --a------
impact.ttf (137448 bytes, created: 01/01/2007 02:14 PM) --a------
IMPRESSN.TTF (55728 bytes, created: 12/15/1998 06:40 PM) --a------
IMPRISHA.TTF (54980 bytes, created: 09/15/1998 01:00 AM) --a------
INFR011K.TTF (41916 bytes, created: 01/04/1999 11:03 PM) --a------
INFR011N.TTF (41572 bytes, created: 01/04/1999 11:03 PM) --a------
INFROMAN.TTF (71172 bytes, created: 09/15/1998 01:00 AM) --a------
ITCBLKAD.TTF (125656 bytes, created: 09/15/1998 01:00 AM) --a------
JOKERMAN.TTF (63784 bytes, created: 09/15/1998 01:00 AM) --a------
JUICE___.TTF (57452 bytes, created: 09/15/1998 01:00 AM) --a------
KABELN.TTF (37956 bytes, created: 12/23/1998 04:15 PM) --a------
KABELU.TTF (40632 bytes, created: 12/30/1998 12:15 AM) --a------
kartika.ttf (121452 bytes, created: 07/17/2004 11:39 AM) --a------
KAUFMANB.TTF (45044 bytes, created: 11/30/1998 10:51 AM) --a------
KAUFMANN.TTF (46888 bytes, created: 12/08/1998 06:22 AM) --a------
KEYPUNCN.TTF (35076 bytes, created: 08/10/1998 10:12 AM) --a------
KIDSN.TTF (55204 bytes, created: 08/10/1998 10:12 AM) --a------
LithosPro-Regular.otf (76600 bytes, created: 09/09/2005 01:11 AM) --a------
micross.ttf (461672 bytes, created: 01/01/2007 02:25 PM) --a------
MinionPro-Bold.otf (208868 bytes, created: 09/09/2005 01:11 AM) --a------
MinionPro-BoldIt.otf (249616 bytes, created: 09/09/2005 01:11 AM) --a------
MinionPro-It.otf (248448 bytes, created: 09/09/2005 01:11 AM) --a------
MinionPro-Regular.otf (204344 bytes, created: 09/09/2005 01:11 AM) --a------
MOD20.TTF (57064 bytes, created: 09/15/1998 01:00 AM) --a------
modern.fon (8704 bytes, created: 08/18/2001 07:00 AM) --a------
MONTAG.TTF (53088 bytes, created: 07/24/1996 05:35 PM) --a------
MOTTRFMN.TTF (64472 bytes, created: 08/10/1998 10:15 AM) --a------
MTCORSVA.TTF (157360 bytes, created: 09/25/1998 11:52 AM) --a------
MTEXTRA.TTF (7672 bytes, created: 08/10/1998 10:15 AM) --a------
MTSORTS.TTF (77408 bytes, created: 09/15/1998 01:00 AM) --a------
MTSORTS2.TTF (89108 bytes, created: 09/15/1998 01:00 AM) --a------
MURPHYS.TTF (63024 bytes, created: 08/30/1996 06:03 PM) --a------
MURYHILB.TTF (61880 bytes, created: 12/23/1998 04:17 PM) --a------
mvboli.ttf (40500 bytes, created: 08/18/2001 07:00 AM) --a------
NEVISNCN.TTF (84068 bytes, created: 08/10/1998 10:15 AM) --a------
NEWBASBI.TTF (50604 bytes, created: 12/08/1998 06:23 AM) --a------
NEWBASKB.TTF (50464 bytes, created: 12/08/1998 06:23 AM) --a------
NEWBASKI.TTF (51772 bytes, created: 12/08/1998 06:23 AM) --a------
NEWBASKN.TTF (51552 bytes, created: 12/08/1998 06:23 AM) --a------
NEWGOTLI.TTF (38376 bytes, created: 01/04/1999 10:59 PM) --a------
NEWSGOTI.TTF (37876 bytes, created: 11/30/1998 10:52 AM) --a------
NEWSGOTL.TTF (36564 bytes, created: 01/04/1999 10:59 PM) --a------
NICOLANI.TTF (57336 bytes, created: 08/10/1998 10:16 AM) --a------
NICOLASK.TTF (60060 bytes, created: 08/10/1998 10:16 AM) --a------
NICOLASN.TTF (60360 bytes, created: 08/10/1998 10:16 AM) --a------
NORMANDI.TTF (49416 bytes, created: 12/23/1998 04:17 PM) --a------
NORMANDN.TTF (44496 bytes, created: 12/23/1998 04:17 PM) --a------
Nowdance.ttf (41264 bytes, created: 04/27/1998 02:13 AM) --a------
NuevaStd-Bold.otf (56312 bytes, created: 09/09/2005 01:11 AM) --a------
NuevaStd-BoldItalic.otf (56184 bytes, created: 09/09/2005 01:11 AM) --a------
NuevaStd-Italic.otf (56032 bytes, created: 09/09/2005 01:11 AM) --a------
NuevaStd-Regular.otf (55760 bytes, created: 09/09/2005 01:11 AM) --a------
NUPTUALN.TTF (54700 bytes, created: 12/23/1998 04:17 PM) --a------
OCRAEXT.TTF (47996 bytes, created: 09/15/1998 01:00 AM) --a------
OLDENGL.TTF (87740 bytes, created: 03/11/1998 10:05 PM) --a------
OLTN536N.TTF (57068 bytes, created: 08/10/1998 10:17 AM) --a------
ONYX.TTF (75116 bytes, created: 09/15/1998 01:00 AM) --a------
ORBITBN.TTF (49644 bytes, created: 12/08/1998 06:22 AM) --a------
OZHANDIN.TTF (50648 bytes, created: 11/16/1998 06:12 AM) --a------
pala.ttf (489884 bytes, created: 08/18/2001 07:00 AM) --a------
palab.ttf (434004 bytes, created: 08/18/2001 07:00 AM) --a------
palabi.ttf (344288 bytes, created: 08/18/2001 07:00 AM) --a------
palai.ttf (430800 bytes, created: 08/18/2001 07:00 AM) --a------
PALSCRI.TTF (46376 bytes, created: 09/15/1998 01:00 AM) --a------
PAPYRUS.TTF (156000 bytes, created: 09/15/1998 01:00 AM) --a------
PARKPLC.TTF (44268 bytes, created: 07/24/1996 05:50 PM) --a------
PENTIP.TTF (50272 bytes, created: 07/24/1996 05:50 PM) --a------
PEPITA.TTF (48164 bytes, created: 09/15/1998 01:00 AM) --a------
PEPPERN.TTF (37916 bytes, created: 08/10/1998 10:17 AM) --a------
PER_____.TTF (50308 bytes, created: 09/15/1998 01:00 AM) --a------
PERB____.TTF (51172 bytes, created: 09/15/1998 01:00 AM) --a------
PERBI___.TTF (70324 bytes, created: 09/15/1998 01:00 AM) --a------
PERTIBD.TTF (39628 bytes, created: 09/15/1998 01:00 AM) --a------
PERTILI.TTF (36192 bytes, created: 09/15/1998 01:00 AM) --a------
PIONEERN.TTF (37304 bytes, created: 12/08/1998 06:22 AM) --a------
PLAYBILL.TTF (40536 bytes, created: 09/15/1998 01:00 AM) --a------
PoplarStd.otf (35304 bytes, created: 09/09/2005 01:11 AM) --a------
PRESDNTN.TTF (38140 bytes, created: 08/10/1998 10:18 AM) --a------
PRISTINA.TTF (76824 bytes, created: 09/15/1998 01:00 AM) --a------
PSTRBODN.TTF (46492 bytes, created: 12/11/1998 02:10 PM) --a------
PTBARNMN.TTF (41124 bytes, created: 11/30/1998 10:57 AM) --a------
QUIKSLVN.TTF (98556 bytes, created: 08/10/1998 10:18 AM) --a------
QUILSCRN.TTF (56332 bytes, created: 08/10/1998 10:18 AM) --a------
QUORUMK.TTF (47696 bytes, created: 01/04/1999 11:00 PM) --a------
QUORUML.TTF (45616 bytes, created: 01/04/1999 11:00 PM) --a------
QUORUMM.TTF (46336 bytes, created: 01/04/1999 11:00 PM) --a------
raavi.ttf (57348 bytes, created: 08/18/2001 07:00 AM) --a------
RAGE.TTF (124932 bytes, created: 09/15/1998 01:00 AM) --a------
Remember.ttf (47944 bytes, created: 04/24/1998 09:55 PM) --a------
RIBN131B.TTF (46092 bytes, created: 12/23/1998 05:22 PM) --a------
RIBN131N.TTF (47472 bytes, created: 12/11/1998 02:10 PM) --a------
ROCC____.TTF (48112 bytes, created: 09/15/1998 01:00 AM) --a------
ROCCB___.TTF (50004 bytes, created: 09/15/1998 01:00 AM) --a------
ROCK.TTF (65144 bytes, created: 09/15/1998 01:00 AM) --a------
ROCKB.TTF (63016 bytes, created: 09/15/1998 01:00 AM) --a------
ROCKBI.TTF (68284 bytes, created: 09/15/1998 01:00 AM) --a------
ROCKEB.TTF (48084 bytes, created: 09/15/1998 01:00 AM) --a------
ROCKI.TTF (71232 bytes, created: 09/15/1998 01:00 AM) --a------
roman.fon (13312 bytes, created: 08/18/2001 07:00 AM) --a------
SCHADWB.TTF (52228 bytes, created: 01/04/1999 11:03 PM) --a------
SCHADWK.TTF (42296 bytes, created: 01/04/1999 11:03 PM) --a------
SCHADWKC.TTF (41376 bytes, created: 01/04/1999 11:03 PM) --a------
SCHADWL.TTF (40624 bytes, created: 01/04/1999 11:03 PM) --a------
SCHADWLI.TTF (42796 bytes, created: 12/30/1998 12:15 AM) --a------
SCHADWN.TTF (40664 bytes, created: 12/30/1998 12:15 AM) --a------
Schindler light.ttf (80544 bytes, created: 08/04/1999 01:00 PM) --a------
Schindler small caps.ttf (81340 bytes, created: 08/04/1999 01:00 PM) --a------
Schindler.ttf (79364 bytes, created: 08/04/1999 01:00 PM) --a------
SCHWRZW.TTF (46308 bytes, created: 07/24/1996 06:19 PM) --a------
script.fon (12288 bytes, created: 08/18/2001 07:00 AM) --a------
SCRIPTBL.TTF (49804 bytes, created: 09/15/1998 01:00 AM) --a------
SEAGULLB.TTF (48824 bytes, created: 12/23/1998 04:17 PM) --a------
SEAGULLH.TTF (49456 bytes, created: 12/23/1998 04:17 PM) --a------
SEAGULLL.TTF (48860 bytes, created: 12/23/1998 04:17 PM) --a------
SEAGULLM.TTF (49092 bytes, created: 12/23/1998 04:17 PM) --a------
SERIFAB.TTF (39628 bytes, created: 01/04/1999 10:59 PM) --a------
SERIFAI.TTF (40236 bytes, created: 01/04/1999 10:59 PM) --a------
SERIFAN.TTF (39440 bytes, created: 01/04/1999 10:59 PM) --a------
SERIFAT.TTF (38148 bytes, created: 01/04/1999 10:59 PM) --a------
serife.fon (57936 bytes, created: 08/18/2001 07:00 AM) --ah-----
SHOTGUNK.TTF (51024 bytes, created: 01/06/1999 10:32 AM) --a------
SHOTGUNN.TTF (34276 bytes, created: 12/23/1998 04:15 PM) --a------
shruti.ttf (234280 bytes, created: 08/18/2001 07:00 AM) --a------
SLOGANN.TTF (60916 bytes, created: 08/10/1998 10:20 AM) --a------
smalle.fon (26112 bytes, created: 08/18/2001 07:00 AM) --ah-----
SNAP____.TTF (57760 bytes, created: 09/15/1998 01:00 AM) --a------
SNELLB.TTF (64000 bytes, created: 08/10/1998 10:20 AM) --a------
SNELLK.TTF (70520 bytes, created: 08/10/1998 10:21 AM) --a------
SNELLN.TTF (66228 bytes, created: 08/10/1998 10:21 AM) --a------
SOUVNRD.TTF (54296 bytes, created: 12/08/1998 06:22 AM) --a------
SOUVNRDI.TTF (52672 bytes, created: 12/08/1998 06:22 AM) --a------
SOUVNRL.TTF (54420 bytes, created: 12/08/1998 06:21 AM) --a------
SOUVNRLI.TTF (55000 bytes, created: 12/08/1998 06:22 AM) --a------
sserife.fon (64656 bytes, created: 08/18/2001 07:00 AM) --ah-----
STAC222N.TTF (119528 bytes, created: 12/23/1998 04:17 PM) --a------
STAC555N.TTF (56420 bytes, created: 12/08/1998 06:23 AM) --a------
STENCIL.TTF (48732 bytes, created: 09/15/1998 01:00 AM) --a------
STRS-STR.TTF (57480 bytes, created: 07/24/1996 07:09 PM) --a------
STUYVESN.TTF (66412 bytes, created: 12/23/1998 04:17 PM) --a------
SWZ911UC.TTF (38244 bytes, created: 12/30/1998 06:15 AM) --a------
SWZ911XC.TTF (38412 bytes, created: 12/30/1998 12:15 AM) --a------
sylfaen.ttf (221676 bytes, created: 08/18/2001 07:00 AM) --a------
symbol.ttf (69464 bytes, created: 08/18/2001 07:00 AM) --a------
symbole.fon (56336 bytes, created: 08/18/2001 07:00 AM) --ah-----
tahoma.ttf (383804 bytes, created: 01/01/2007 02:26 PM) --a------
tahomabd.ttf (355680 bytes, created: 01/01/2007 02:26 PM) --a------
TANGON.TTF (58732 bytes, created: 01/04/1999 11:03 PM) --a------
TCB_____.TTF (67232 bytes, created: 09/15/1998 01:00 AM) --a------
TCBI____.TTF (65664 bytes, created: 09/15/1998 01:00 AM) --a------
TCCB____.TTF (58044 bytes, created: 09/15/1998 01:00 AM) --a------
TCCEB.TTF (66744 bytes, created: 09/15/1998 01:00 AM) --a------
TCCM____.TTF (60444 bytes, created: 09/15/1998 01:00 AM) --a------
TCM_____.TTF (69852 bytes, created: 09/15/1998 01:00 AM) --a------
TCMI____.TTF (70788 bytes, created: 09/15/1998 01:00 AM) --a------
TECHNICI.TTF (41788 bytes, created: 08/10/1998 10:23 AM) --a------
TECHNICN.TTF (39852 bytes, created: 08/10/1998 10:23 AM) --a------
TektonPro-Bold.otf (80020 bytes, created: 09/09/2005 01:11 AM) --a------
TektonPro-BoldObl.otf (80164 bytes, created: 09/09/2005 01:11 AM) --a------
TektonPro-Obl.otf (79536 bytes, created: 09/09/2005 01:11 AM) --a------
TektonPro-Regular.otf (79500 bytes, created: 09/09/2005 01:11 AM) --a------
TEMPSITC.TTF (69548 bytes, created: 09/15/1998 01:00 AM) --a------
Thanks.ttf (35876 bytes, created: 04/25/1998 11:13 PM) --a------
THUNDRBN.TTF (66792 bytes, created: 12/08/1998 06:22 AM) --a------
TIFANYD.TTF (58340 bytes, created: 01/04/1999 10:59 PM) --a------
TIFANYDI.TTF (59008 bytes, created: 01/04/1999 10:59 PM) --a------
TIFANYH.TTF (55124 bytes, created: 01/04/1999 10:59 PM) --a------
TIFANYHI.TTF (59620 bytes, created: 01/04/1999 10:59 PM) --a------
TIFANYL.TTF (57596 bytes, created: 01/04/1999 10:59 PM) --a------
TIFANYLI.TTF (61156 bytes, created: 01/04/1999 10:59 PM) --a------
times.ttf (409280 bytes, created: 07/17/2004 11:39 AM) --a------
timesbd.ttf (398372 bytes, created: 07/17/2004 11:39 AM) --a------
timesbi.ttf (239692 bytes, created: 08/18/2001 07:00 AM) --a------
TIMESCRB.TTF (58872 bytes, created: 08/10/1998 10:24 AM) --a------
TIMESCRL.TTF (62908 bytes, created: 08/10/1998 10:24 AM) --a------
TIMESCRM.TTF (57664 bytes, created: 08/10/1998 10:24 AM) --a------
timesi.ttf (248368 bytes, created: 08/18/2001 07:00 AM) --a------
TrajanPro-Regular.otf (66484 bytes, created: 09/09/2005 01:11 AM) --a------
TRAN521B.TTF (46704 bytes, created: 12/15/1998 06:40 PM) --a------
TRAN521I.TTF (48592 bytes, created: 12/15/1998 06:40 PM) --a------
TRAN521N.TTF (48120 bytes, created: 12/15/1998 06:40 PM) --a------
trebuc.ttf (134108 bytes, created: 07/17/2004 11:39 AM) --a------
trebucbd.ttf (123096 bytes, created: 08/18/2001 07:00 AM) --a------
trebucbi.ttf (131188 bytes, created: 08/18/2001 07:00 AM) --a------
trebucit.ttf (139288 bytes, created: 08/18/2001 07:00 AM) --a------
tunga.ttf (148624 bytes, created: 01/01/2007 02:24 PM) --a------
TYPOUPRN.TTF (56776 bytes, created: 12/15/1998 06:40 PM) --a------
VACATION.TTF (26400 bytes, created: 09/15/1998 01:00 AM) --a------
VAGBND.TTF (38564 bytes, created: 07/24/1996 07:19 PM) --a------
VAGROLN.TTF (45080 bytes, created: 01/07/1999 05:26 AM) --a------
VAGRON.TTF (42196 bytes, created: 12/15/1998 06:40 PM) --a------
VANDIJKB.TTF (38308 bytes, created: 08/10/1998 10:25 AM) --a------
VANDIJKN.TTF (37756 bytes, created: 08/10/1998 10:25 AM) --a------
verdana.ttf (171792 bytes, created: 07/17/2004 11:39 AM) --a------
verdanab.ttf (137616 bytes, created: 08/18/2001 07:00 AM) --a------
verdanai.ttf (155076 bytes, created: 08/18/2001 07:00 AM) --a------
verdanaz.ttf (154800 bytes, created: 08/18/2001 07:00 AM) --a------
VINERITC.TTF (100104 bytes, created: 09/15/1998 01:00 AM) --a------
VIVALDII.TTF (58928 bytes, created: 03/06/1996 03:44 PM) --a------
VIVALDIN.TTF (64240 bytes, created: 08/10/1998 10:25 AM) --a------
VLADIMIR.TTF (49928 bytes, created: 09/15/1998 01:00 AM) --a------
VLADMRSN.TTF (63068 bytes, created: 08/10/1998 10:25 AM) --a------
vrinda.ttf (252820 bytes, created: 07/17/2004 11:39 AM) --a------
webdings.ttf (118752 bytes, created: 08/18/2001 07:00 AM) --a------
Wholly.ttf (9788 bytes, created: 03/26/1997 05:33 AM) --a------

==============================

Contents of C:\WINDOWS\FontsWhollyGenes (inc. hidden/system files/folders)

---FOLDERS---


---FILES---

Alinetmg.ttf (12992 bytes, created: 04/09/2003 12:14 PM) --a------
helvsb75.TTF (48424 bytes, created: 02/25/1999 07:18 AM) --a------
Helvss75.ttf (48416 bytes, created: 01/03/1997 03:25 PM) --a------
Wholly.ttf (9788 bytes, created: 03/26/1997 05:33 AM) --a------

==============================

Contents of C:\Program Files\TimezAttack (inc. hidden/system files/folders)

---FOLDERS---

TimezAttack.app (created: 06/05/2008 12:30 PM) d--------
TimezAttackData (created: 06/05/2008 12:32 PM) d--------

---FILES---

ErrorReporter.exe (1171456 bytes, created: 06/05/2008 12:30 PM) --a------
TimezAttackAdmin.exe (2482176 bytes, created: 06/05/2008 12:30 PM) --a------
Uninstaller.exe (1134592 bytes, created: 06/05/2008 12:30 PM) --a------

==============================

=EOF=

--------------------------------------------------------------------

Clicked Start/ run and entered your line as:

"%userprofile%\desktop\dss.exe" /daft

An error message was returned that dss.exe was not there. I checked and it is not there. I ran DSS again and checked to see if DSS was there now. It was not. The only DSS listing is:

C:\WINDOWS\Downloaded Files\dss.exe

"C:\WINDOWS\Downloaded Files\dss.exe\dss.exe" /daft

So entered the line above and all proceeded as you predicted.

draft.txt content is as follows:

DAFT Log saved on 2008-08-01 17:42:21
-----------------------------------------------------------------------
All associations okay!

----------------------------------------------------------

The HiJack time was correct

------------------------------------------------------------

I want to repeat that in your instructions to DirLook there was a code box with four lines. Showing in the forum screen was four lines of the weird characters. When I copied them (from the box) and pasted them in Wordpad they changed to text characters...

C:\WINDOWS\system32\runtime
C:\WINDOWS\Fonts Temp APS Repair
C:\WINDOWS\FontsWhollyGenes
C:\Program Files\TimezAttack

----------------------------------------------------------
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 2nd, 2008, 3:54 am

Hello bottoson,

What language is your Windows?

I can see them properly. Maybe something in your Regional settings created the strange characters, but, as I believe, you can see properly all the rest of my instructions that look strange.

I want to experiment with something; tell me if you see any of my examples with strange characters. I will post a code box and a quote box; tell me if you can see the contents of both properly or in strange characters, and which box.

1st example
Code:
C:\Program Files\AskSBar
C:\Program Files\keyfinder
C:\KeyFinder

2nd example
C:\Program Files\AskSBar
C:\Program Files\keyfinder
C:\KeyFinder

----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\runtime

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Do the same for these 3 files:
C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
C:\Program Files\UFTREE.GID
c:\documents and settings\bill\application data\pc magazine utilities\taskpower\drivers\listopenedfiledrv.sys
----------------------------------------------
WinPatrol

I need you to disable WinPatrol, so it will not create problems with my fix.
Right click on Scotty (Win Patrol) icon on your task bar and click on exit.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O9 - Extra button: (no name) - AutorunsDisabled - (no file)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Download and Run OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
C:\Program Files\AskSBar
C:\Program Files\keyfinder
C:\KeyFinder

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
----------------------------------------------
Post back:
Jotti results
OTMoveIt2 results
A new HijackThis log.
Answer to my experiment question.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
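The two hands-on steps in the post above, the "FIX HIJACKTHIS ENTRIES" list and the four Jotti uploads, as one small triage script. This is an added example, not code from the forum, from HijackThis, from OTMoveIt2 or from Jotti. It parses the quoted HijackThis lines into structured entries (type, CLSID, file loaded), collects the files those entries point at together with the four Jotti paths, and pre-checks each file (present, size, MD5) so that a 0-byte or unreadable file, the result Jotti returns later in the thread for C:\WINDOWS\system32\runtime, is flagged before anyone tries to upload it. The `demo()` function runs on constructed stand-in files in a temporary directory rather than on the real Windows paths; the dataclass and function names are my own.

```python
"""Triage helper for a HijackThis fix list plus a multi-scanner upload list.
Added example for this thread; not the forum's or any tool's own code."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# The HijackThis lines quoted in the "FIX HIJACKTHIS ENTRIES" step above.
HJT_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL",
    r"O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL",
    r"O9 - Extra button: (no name) - AutorunsDisabled - (no file)",
]

# The four files the helper asked to have scanned at Jotti.
JOTTI_PATHS = [
    r"C:\WINDOWS\system32\runtime",
    r"C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT",
    r"C:\Program Files\UFTREE.GID",
    r"c:\documents and settings\bill\application data\pc magazine utilities\taskpower\drivers\listopenedfiledrv.sys",
]

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    kind: str              # HijackThis section: R0, R3, O2, O9, ...
    detail: str            # everything after "Rn - "
    clsid: Optional[str]   # COM class id, if the line carries one
    path: Optional[str]    # file the entry loads, if it names one


def parse_hjt_line(line: str) -> HjtEntry:
    """Split one HijackThis log line into its section, CLSID and file path."""
    kind, _, rest = line.partition(" - ")
    m = CLSID_RE.search(rest)
    # When a file is named it is the last " - " separated field and looks
    # like a drive-letter path; "(no file)" or a registry value is not one.
    last = rest.rsplit(" - ", 1)[-1].strip()
    path = last if re.match(r"^[A-Za-z]:\\", last) else None
    return HjtEntry(kind.strip(), rest.strip(), m.group(0) if m else None, path)


def collect_paths(entries: List[HjtEntry], extra: List[str]) -> List[str]:
    """Unique files to inspect: what the entries load, plus the extra list.
    Windows paths are case-insensitive, so duplicates are folded that way."""
    seen: Dict[str, str] = {}
    for p in [e.path for e in entries if e.path] + list(extra):
        seen.setdefault(p.lower(), p)
    return list(seen.values())


@dataclass
class FileCheck:
    path: str
    exists: bool
    size: int
    md5: Optional[str]
    uploadable: bool   # False for missing, empty or unreadable files


def check_file(path: str) -> FileCheck:
    """Record presence, size and MD5; a 0-byte or locked file cannot be
    usefully submitted to a scanner, which is what Jotti reports later."""
    if not os.path.isfile(path):
        return FileCheck(path, False, 0, None, False)
    size = os.path.getsize(path)
    h = hashlib.md5()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:          # locked by a driver, a firewall or malware
        return FileCheck(path, True, size, None, False)
    return FileCheck(path, True, size, h.hexdigest(), size > 0)


def demo() -> Dict[str, FileCheck]:
    """Constructed stand-ins for three of the thread's files, keyed by name:
    an empty 'runtime', a non-empty cache file and a missing UFTREE.GID."""
    d = tempfile.mkdtemp()
    empty = os.path.join(d, "runtime")
    cache = os.path.join(d, "GDIPFONTCACHEV1.DAT")
    missing = os.path.join(d, "UFTREE.GID")
    open(empty, "wb").close()
    with open(cache, "wb") as f:
        f.write(b"constructed sample content\n")
    return {os.path.basename(p): check_file(p) for p in (empty, cache, missing)}


if __name__ == "__main__":
    entries = [parse_hjt_line(line) for line in HJT_LINES]
    for e in entries:
        print(e.kind, e.clsid, e.path)
    print("files to check:", collect_paths(entries, JOTTI_PATHS))
    for name, r in demo().items():
        print(name, "exists" if r.exists else "missing", r.size, r.md5,
              "OK to upload" if r.uploadable else "cannot be uploaded")
```

Running the script prints, for each entry, the section and the CLSID/file it loads (the R3 and O2 lines both point at the same A2SRCHAS.DLL, which `collect_paths` folds into one path), and for the stand-in files shows the empty one marked as not uploadable, which is exactly the check a reader would want before following the "Upload a File to Jotti" step.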

Re: Character(s) Malware

Unread postby bottoson » August 2nd, 2008, 11:40 am

My Windows is in English

The first box has the strange characters

The second box has text characters

I will proceed now with the instructions you listed.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 2nd, 2008, 12:25 pm

Ok, thank you. Please copy them as they are, even if you see them as strange characters. ;)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 2nd, 2008, 12:46 pm

C:\WINDOWS\system32\runtime in http://virusscan.jotti.org/
resulted in the return: The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
---------------------------------------------------------------------------------------
Scan performed on: C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT gave status as OK
Scan taken on 02 Aug 2008 15:53:23 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------------------------------------------------------------
Last file scanned at least one scanner reported something about: serverPk.exe (MD5: 0d6efe1b2fdd49ef4f47131445b7b068, size: 54385 bytes), detected by:

Scanner Malware name
A-Squared Backdoor.Win32.Bifrose.adr
AntiVir BDS/Bifrose.Gen
ArcaVir Riskware.Constructor.Microjoiner.17
Avast Win32:Bifrose-PV
AVG Antivirus BackDoor.Generic9.AJBX
BitDefender Trojan.Genlot.Cep.SVR
ClamAV PUA.Packed.Expressor-1
CPsecure Troj.Dropper.W32.Small.auj
Dr.Web BackDoor.Bifrost
F-Prot Antivirus W32/Bifrost.AJP
F-Secure Anti-Virus X
Fortinet X
Ikarus Packer.Expressor.B
Kaspersky Anti-Virus Backdoor.Win32.Bifrose.aci
NOD32 Win32/Bifrose.ADR
Norman Virus Control Hupigon.gen83
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 Backdoor.Win32.Bifrose.fba
-------------------------------------------------------
Scan results on File: UFTREE.GID
Status: OK
MD5: 930dbffede10fa1ff08fbf5c40411c0c
Packers detected: -
-------------------------------------------------------------
Scan taken on 02 Aug 2008 16:07:54 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
------------------------------------------------
Scanner Malware name
A-Squared X
AntiVir TR/Rootkit.Gen
ArcaVir Worm.Gaobot.Gen.8338.MX
Avast Win32:Agent-ZFQ
AVG Antivirus BackDoor.Generic9.AUBL
BitDefender Trojan.Spy.Goldun.NCQ
ClamAV X
CPsecure X
Dr.Web Trojan.PWS.GoldSpy.2164
F-Prot Antivirus W32/Goldun.gen3
F-Secure Anti-Virus X
Fortinet X
Ikarus Rootkit.Win32.Agent.ang
Kaspersky Anti-Virus Rootkit.Win32.Agent.ang
NOD32 a variant of Win32/Spy.Goldun.WP
Norman Virus Control X
Panda Antivirus Trj/Goldun.NN
Sophos Antivirus Troj/Haxdor-Gen
VirusBuster X
VBA32 Rootkit.Win32.Agent.ang
--------------------------------------------------------------
Scan results for c:\documents and settings\bill\application data\pc magazine utilities\taskpower\drivers\listopenedfiledrv.sys
-----------------------------------------
Scan taken on 02 Aug 2008 16:13:51 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------------------------------------------
Last file scanned at least one scanner reported something about: SnapMeasure.v1.6.for.Illustrator.Keygen.exe (MD5: 59c60bf0181eb15a9a51d6a64c8631f2, size: 114208 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/Crypt.XPACK.Gen
ArcaVir X
Avast Win32:Tipa
AVG Antivirus Dropper.Kbind.H
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X
--------------------------------------------------
Results from OTMoveIt2
C:\Program Files\AskSBar\SrchAstt\1.bin moved successfully.
C:\Program Files\AskSBar\SrchAstt moved successfully.
C:\Program Files\AskSBar\bar\Settings moved successfully.
C:\Program Files\AskSBar\bar\History moved successfully.
C:\Program Files\AskSBar\bar\Cache moved successfully.
C:\Program Files\AskSBar\bar\1.bin moved successfully.
C:\Program Files\AskSBar\bar moved successfully.
C:\Program Files\AskSBar moved successfully.
C:\Program Files\keyfinder moved successfully.
C:\KeyFinder moved successfully.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08022008_112948
-----------------------------------
HiJack This Log: System Only
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:23 AM, on 8/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Maxtor\Utils\MaxSync.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: CallingID LinkAdvisor - {F67BEA7B-70D4-4417-9227-480B35DDD500} - C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [NoteWhen3] "C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: Desktoplet.lnk = C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0351727296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/ ... gh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBService - Ziff Davis Media, Inc - C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11440 bytes
-----------------------------------------------
I believe this includes everything in your instructions

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm
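The multi-engine scan reports pasted above are easy to misread by eye (two spellings for "no detection", engine names containing spaces, and one block whose "Scan results" header was lost in the paste). This is an added Python example, not code from the thread or from the scanning service, that parses that report format into a per-file detection ratio and a rough family name; the engine list and both "no detection" spellings are taken from the reports above, and the sample text is constructed in the same shape.

```python
import re
from collections import Counter

# Engine names as the report prints them; longest first so a multi-word name is matched whole.
SCANNERS = sorted(["A-Squared", "AntiVir", "ArcaVir", "Avast", "AVG Antivirus", "BitDefender", "ClamAV",
                   "CPsecure", "Dr.Web", "F-Prot Antivirus", "F-Secure Anti-Virus", "Fortinet", "Ikarus",
                   "Kaspersky Anti-Virus", "NOD32", "Norman Virus Control", "Panda Antivirus",
                   "Sophos Antivirus", "VirusBuster", "VBA32"], key=len, reverse=True)
CLEAN = {"X", "Found nothing"}  # both spellings the report uses for "no detection"
GENERIC = {"win32", "w32", "trojan", "troj", "trj", "tr", "backdoor", "gen", "a", "variant", "of"}
HEADER = re.compile(r"^(?:Scan results (?:on File:|for)|Last file scanned.*?:)\s*(.+?)(?: \(MD5: ([0-9a-f]{32}).*)?$", re.I)

def parse_report(text):
    """One dict per scanned file; 'verdicts' maps engine -> label, or None if that engine found nothing."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            reports.append(cur := {"name": m.group(1), "md5": (m.group(2) or "").lower(), "verdicts": {}})
            continue
        if (m := re.match(r"^MD5: ([0-9a-fA-F]{32})", line)) and cur:
            cur["md5"] = m.group(1).lower()
            continue
        for s in SCANNERS:
            if line.startswith(s + " "):
                # A verdict before any header, or a second verdict from the same engine, means a
                # new block whose "Scan results ..." line was lost in copy/paste; keep it separate.
                if cur is None or s in cur["verdicts"]:
                    reports.append(cur := {"name": "<unknown file>", "md5": "", "verdicts": {}})
                verdict = line[len(s):].strip()
                cur["verdicts"][s] = None if verdict in CLEAN else verdict
                break
    return reports

def family(labels):
    """Most frequent non-generic token across detection labels (e.g. 'bifrose'), or None."""
    toks = Counter(t.lower() for v in labels for t in re.split(r"[^A-Za-z0-9]+", v)
                   if t and not t.isdigit() and t.lower() not in GENERIC)
    return toks.most_common(1)[0][0] if toks else None

def summarize(text):
    """name -> (md5, 'hits/engines', family): the per-file triage view a helper wants."""
    out = {}
    for r in parse_report(text):
        hits = [v for v in r["verdicts"].values() if v]
        out[r["name"]] = (r["md5"], f"{len(hits)}/{len(r['verdicts'])}", family(hits))
    return out

# Constructed sample in the shape of the reports above: three engines, second block's header missing.
SAMPLE = """\
Scan results on File: UFTREE.GID
MD5: 930dbffede10fa1ff08fbf5c40411c0c
AVG Antivirus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Scanner Malware name
AVG Antivirus BackDoor.Generic9.AUBL
Kaspersky Anti-Virus Backdoor.Win32.Bifrose.aci
NOD32 Win32/Bifrose.ADR
"""
```

Running `summarize(SAMPLE)` gives a clean 0/3 for UFTREE.GID and a 3/3 "<unknown file>" entry whose labels agree on Bifrose, which is the kind of consensus worth acting on rather than any single engine's name.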

Re: Character(s) Malware

Unread postby chryssi2001 » August 3rd, 2008, 3:56 am

Hello bottoson,

Thanks for the reports.

After my experiment I want to ask you something, since it is the first time I have a user seeing strange characters in my posts, and I want to know what is going on.

When you sign in to the forum after you get an email that I posted, and you see my post, do you see strange characters?

Do you copy all my instructions to WordPad, and then start executing them?
If yes, that is the problem. Notepad should be used for that.

Let's continue with our fix now, we are almost there.
----------------------------------------------
OTMoveIt2

  • Double-click OTMoveIt2.exe. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
C:\WINDOWS\system32\runtime

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
----------------------------------------------
JAVA INSTALLATION
Please make sure that all programs are closed when installing Java.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 7.
  • Click the Download button to the right.
  • Select Windows from the drop-down list for Platform.
  • Check the box that says: Accept License Agreement and Continue.
  • The page will refresh.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u7-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
  • Reboot your computer.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------
If you use Microsoft Outlook, and you get other contents in strange characters, the settings for the mail format should be in Rich Text. To do that open Microsoft Outlook, go Tools, Options, Mail Format, and change it to Rich Text.
----------------------------------------------
Post back:
OTMoveIt2 results.
Kaspersky report.
A new HijackThis log.
Try to send an email and tell me if you get that text which you posted when you asked for help.
Tell me how the pc is running.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 3rd, 2008, 3:43 pm

A quick reply to your opening statement.

I see the strange characters on your site, not in WordPad. In fact they change to text characters when copied to WordPad.

Again I think the cause is being in html mode. I think they do not produce in text mode.

I will use NotePad from now on.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm