Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware Destructor 4.5

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware Destructor 4.5

Unread postby jp29598 » September 23rd, 2007, 5:00 pm

When surfing the web, I downloaded & installed Malware Destructor 4.5 by mistake. I removed the program from my computer, but I can't get rid of the the popup in the taskbar in the lower right corner near the clock. A red "x" keeps blinking and a popup intermittently comes up saying that traces of spyware are on my computer.

I ran SpyBot, Ad-ware, a-squared, and my virus program...all seems to be clear.

Could you tell me how to eliminate the Malware popup near the clock?

Thank you.
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm
Advertisement
Register to Remove

Unread postby beynac » September 23rd, 2007, 5:07 pm

Good evening.

Please download HJTInstall.exe and save it to your desktop
  • Double click on the HJTInstall.exe icon on your desktop
  • Click I Accept
  • HijackThis will open
  • Click on the Do a system scan and save a log file button.
  • It will scan and then the log will open in notepad.
  • Paste the log as a reply to this thread.
  • Don't use the Analyse This button - its findings are dangerous if misinterpreted.
Do NOT have HijackThis fix anything yet.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Malware 4.5

Unread postby jp29598 » September 23rd, 2007, 5:13 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:56 PM, on 9/23/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mssecc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/microsoftup ... 0495054843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0495041062
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8976304A-BEF7-4CDE-85E8-1BED2A5E7546}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{91A6908B-7909-4BC9-8881-94C0C7D32A4B}: NameServer = 206.13.29.12 206.13.30.12
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6024 bytes
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm

Unread postby beynac » September 23rd, 2007, 6:09 pm

AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful.
You will need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
You can now close AVG Anti-Spyware. Do not scan yet.

---------------------------------------------------

Boot to Safe Mode.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
------------------------------------------------

Run AVG Anti-Spyware:

Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
-----------------------------------------------------------------

Reboot in Normal Mode.

--------------------------------------------------------------

Please post the following as a reply to this thread:
  • The AVG Anti-Spyware report
  • A new HijackThis log
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Malware Destructor 4.5

Unread postby jp29598 » September 23rd, 2007, 7:41 pm

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:32:39 PM 9/23/2007

+ Scan result:



C:\Users\Jerry Phillipps\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Jerry Phillipps\AppData\Local\Temp\IDC1.tmp\[1]ultrashim[1].cab/Install.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@chicagosuntimes.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@dailyheraldpaddockpublication.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@leeenterprises.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@mcclatchy.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@stampscom.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@upi.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@usatoday1.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@waterfrontmedia.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@3.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ads.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@e-2dj6wgkykmd5igp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ehg-darksideprod.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ehg-intuit.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ehg-lormaneducational.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ehg-viacom.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@www.safer-networking[1].txt -> TrackingCookie.Safer-networking : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@bfm.valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.28:C:\Users\Jerry Phillipps\AppData\Roaming\Mozilla\Firefox\Profiles\00lxqeq6.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry phillipps@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\jerry_phillipps@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Users\Jerry Phillipps\AppData\Roaming\Microsoft\Windows\Cookies\Low\jerry_phillipps@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:56 PM, on 9/23/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mssecc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/microsoftup ... 0495054843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0495041062
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8976304A-BEF7-4CDE-85E8-1BED2A5E7546}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{91A6908B-7909-4BC9-8881-94C0C7D32A4B}: NameServer = 206.13.29.12 206.13.30.12
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6024 bytes
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm

Unread postby beynac » September 24th, 2007, 4:27 am

Good morning.

Submit File to Jotti

Please click on http://virusscan.jotti.org/
Use the "Browse" button and locate the following file on your computer:

C:\WINDOWS\system32\mssecc.exe

Click the "Submit" button.
Please copy and paste the results, as a reply to this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

----------------------------------------------------------

Deckard's System Scanner (DSS)

Download Deckard's System Scanner (DSS) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Please post the contents of main.txt and the extra.txt in your next reply.
Note: Apart from producing the reports, the scanner will also:
  • create a new System Restore point in Windows XP
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • run HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
--------------------------------------------------------

Please post the following as a reply to this thread:
  • The results of the Jotti/VirusTotal scan
  • The Deckard's System Scanner reports (main.txt and extra.txt)
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Malware Destructor 4.5

Unread postby jp29598 » September 24th, 2007, 2:01 pm

The Jotti results are:

Service load: 0% 100%

File: mssecc.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5: d8448d55234122359114a170c7f51f14
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 24 Sep 2007 17:53:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.Downloader (probable variant)
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Powered by

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!
--------------------------------------------------------------------------------


Statistics
Last file scanned at least one scanner reported something about: Acid_Cookie.exe (MD5: 4e669efcf1aa38f96cfe399f318a93c6, size: 2199317 bytes), detected by:

Scanner Malware name
A-Squared Trojan-Spy.Win32.ProAgent.20
AntiVir TR/Spy.ProAgen.20.3
ArcaVir X
Avast Win32:Small-AKS
AVG Antivirus PSW.Generic.BFX
BitDefender Trojan.Spy.ProAgent.20
ClamAV Trojan.ProAgent.20-1
CPsecure Troj.Dropper.W32.Delf.ud
Dr.Web Trojan.ProAgent.20
F-Prot Antivirus X
F-Secure Anti-Virus Trojan-Spy.Win32.ProAgent.20
Fortinet W32/ProAgent.DR!tr
Kaspersky Anti-Virus Trojan-Spy.Win32.ProAgent.20
NOD32 Win32/Spy.ProAgent.20
Norman Virus Control W32/Suspicious_F.gen
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus Mal/Packer
VirusBuster X
VBA32 Trojan-Spy.Win32.ProAgent.20


DDS is forthcoming...Thanks
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm

Malware Destructor 4.5 - DDS Results

Unread postby jp29598 » September 24th, 2007, 2:28 pm

Deckard's System Scanner v20070905.67
Run by Jerry Phillipps on 2007-09-24 11:08:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
15: 2007-09-24 14:19:05 UTC - RP152 - Scheduled Checkpoint
14: 2007-09-23 17:26:22 UTC - RP151 - Installed Ad-Aware 2007
13: 2007-09-23 01:22:37 UTC - RP150 - Scheduled Checkpoint
12: 2007-09-21 13:26:28 UTC - RP149 - Windows Update
11: 2007-09-20 19:27:28 UTC - RP148 - Scheduled Checkpoint


-- First Restore Point --
1: 2007-09-12 18:16:57 UTC - RP138 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jerry Phillipps.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:41 AM, on 9/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mssecc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\System32\mssecc.exe
C:\Users\Jerry Phillipps\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jerry Phillipps.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/microsoftup ... 0495054843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0495041062
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8976304A-BEF7-4CDE-85E8-1BED2A5E7546}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{91A6908B-7909-4BC9-8881-94C0C7D32A4B}: NameServer = 206.13.29.12 206.13.30.12
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6323 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 mrtRate - c:\windows\system32\drivers\mrtrate.sys <Not Verified; Marimba, Inc.; Rate Sensing Manager>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R3 AvgWFP (AVG7 Firewall Driver x86) - c:\windows\system32\drivers\avgwfp.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-24 10:56:33 438 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{1AE1D3A8-5AEB-4BBF-8E66-1296D774260B}.job


-- Files created between 2007-08-24 and 2007-09-24 -----------------------------

2007-09-23 14:11:43 0 d-------- C:\Program Files\Trend Micro
2007-09-23 11:20:56 0 d-------- C:\Program Files\a-squared Free
2007-09-23 10:26:54 0 d-------- C:\Users\All Users\Lavasoft
2007-09-23 10:26:54 0 d-------- C:\Program Files\Lavasoft
2007-09-23 10:25:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-23 09:25:43 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-09-22 16:58:19 12800 --a------ C:\Windows\system32\mssecc.exe


-- Find3M Report ---------------------------------------------------------------

2007-09-24 08:42:47 0 d-------- C:\Users\Jerry Phillipps\AppData\Roaming\AVG7
2007-09-23 15:32:49 0 d-------- C:\Users\Jerry Phillipps\AppData\Roaming\Grisoft
2007-09-23 10:25:44 0 d-------- C:\Program Files\Common Files
2007-09-13 11:43:25 0 d-------- C:\Program Files\Windows Mail
2007-08-16 22:06:53 0 d-------- C:\Program Files\Stamps.com Internet Postage
2007-08-09 22:27:20 174 --ahs---- C:\Program Files\desktop.ini
2007-08-09 21:57:52 0 d-------- C:\Program Files\Windows Calendar
2007-08-09 15:37:20 0 d-------- C:\Program Files\MarketSharp Software
2007-08-09 15:37:00 0 d-------- C:\Program Files\Common Files\Outlook Security Manager


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [05/31/2007 08:10 AM]
"CTHelper"="CTHELPER.EXE" [05/10/2007 04:51 PM C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [05/10/2007 04:52 PM C:\Windows\System32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [05/26/2007 12:45 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [09/13/2007 11:38 AM]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [01/30/2006 09:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 01:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 01:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 01:15 PM]
"Windows SysNotify"="C:\Windows\system32\mssecc.exe" [09/22/2007 04:58 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [11/02/2006 05:35 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [6/10/2007 1:09:14 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/30/2007 02:30 AM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4368a465-0e74-11dc-8593-806e6f6e6963}]
AutoRun\command- E:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-09-24 11:19:18 ------------








Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Business (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.40GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1534.43 MiB / 862.84 MiB
Pagefile Memory (total/avail): 3515.25 MiB / 2459.26 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.94 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.75 GiB total, 76.13 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3120023A ATA Device - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 111.75 GiB - C:

\\.\PHYSICALDRIVE2 - HP Officejet 6310 USB Device

\\.\PHYSICALDRIVE1 - SanDisk ImageMate II USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.488 v7.5.488 (GRISOFT)
AS: Spybot - Search and Destroy v1.0.0.4 (Safer Networking Ltd.)
AS: AVG Anti-Spyware v7, 5, 1, 43 (GRISOFT s.r.o.) Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Jerry Phillipps\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JERRY-BJOXQH46X
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Jerry Phillipps
LOCALAPPDATA=C:\Users\Jerry Phillipps\AppData\Local
LOGONSERVER=\\JERRY-BJOXQH46X
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\JERRYP~1\AppData\Local\Temp
TMP=C:\Users\JERRYP~1\AppData\Local\Temp
USERDOMAIN=JERRY-BJOXQH46X
USERNAME=Jerry Phillipps
USERPROFILE=C:\Users\Jerry Phillipps
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Jerry Phillipps


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AB55EC6-1158-41EF-B87D-90555A8F5C92}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9944C8-7D34-475E-8C90-2788685B2C47}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9944C8-7D34-475E-8C90-2788685B2C47}\setup.exe" -l0x9 /remove
a-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
Creative Sound Blaster Properties --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AB55EC6-1158-41EF-B87D-90555A8F5C92}\setup.exe" -l0x9 /remove
DAO --> MsiExec.exe /I{61E1C9F0-3AFE-11D3-9F4B-006008A88EC8}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Discover Visio® 2000 Interactive Training --> C:\PROGRA~1\DISCOV~1\UNWISE.EXE C:\PROGRA~1\DISCOV~1\INSTALL.LOG
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
iTunes --> MsiExec.exe /I{6E93572D-F31E-496F-8B2F-F400B3A2BC4E}
LaserJet 1020 series --> C:\Program Files\Zenographics\{8F4384AD-3F57-4782-9830-E0C8007B14AA}\setup.exe -u "HPLJInstaller.dll=Hpl_1020.inf"
Market$harp CE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FEE89FB0-B4E8-4C92-A33C-404E370282CD}\Setup.exe" -l0x9
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall STANDARDR /dll OSETUP.DLL
Microsoft Office Standard 2007 --> MsiExec.exe /X{91120000-0012-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
OpenAL --> "C:\Program Files\OpenAL\OALInst.exe" /U
OrderReminder HP LaserJet 1020 --> "C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1020
QBFC3.0 --> MsiExec.exe /X{5A847475-157F-45AD-9919-CD40D344B8B1}
QuickBooks Premier: Contractor Edition 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="contractor" QBFULLNAME="QuickBooks Premier: Contractor Edition 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
Quicken 2002 New User Edition --> C:\Windows\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Security Update for Excel 2007 (KB936509) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Sentinel System Driver 5.42.1 (32-bit) --> MsiExec.exe /I{F02598C2-2A5F-4593-8F09-439F3317B2C8}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Stamps.com --> "C:\ProgramData\{75EE35BC-E993-41FD-9DBA-9AD37F50E521}\stamps.exe" REMOVE=TRUE MODIFY=FALSE
Stamps.com support for Intuit QuickBooks Pro 2004, Pro 2005, Premier 2005 --> "C:\ProgramData\{6E955AE8-0B79-4AB3-B0C5-1FA0F6D96669}\QBABPstmp.exe" REMOVE=TRUE MODIFY=FALSE
Stamps.com support for Microsoft Outlook 2000-2007 --> "C:\ProgramData\{8737778F-82C6-4680-A660-E8B2B8C8C22B}\MSOPIMstmp.exe" REMOVE=TRUE MODIFY=FALSE
Stamps.com support for Microsoft Outlook 97-2007 --> "C:\ProgramData\{D9AA4D17-9292-410D-9AA5-84526D062900}\MSOABPstmp.exe" REMOVE=TRUE MODIFY=FALSE
Stamps.com support for Microsoft Word 2000-2007 --> "C:\ProgramData\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.exe" REMOVE=TRUE MODIFY=FALSE
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Thomas Bros. Street Guide Digital Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{085FE193-B676-11D4-82BC-00A0C993905F}\Setup.exe" -l0x9 AnyText
Update for Office 2007 (KB932080) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB937608) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {CBB2454D-193F-4523-8A31-FEB343B7C30E}
Update for Outlook 2007 Junk Email Filter (kb937833) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {ACB40B61-03E6-4F6F-AA5E-7B02A89E8AD3}
Update for Word 2007 (KB934173) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
Visio 2000 --> C:\Program Files\Common Files\Visio Shared\Vim.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9391 / Error
Event Submitted/Written: 09/24/2007 11:06:04 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application regsvr32.exe, version 6.0.6000.16386, time stamp 0x4549b3c7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000096, fault offset 0x00d02523,
process id 0x3bc, application start time 0xregsvr32.exe0.

Event Record #/Type9098 / Success
Event Submitted/Written: 09/24/2007 06:41:14 AM
Event ID/Source: 5617 / WinMgmt
Event Description:
Windows Management Instrumentation Service subsystems initialized successfully

Event Record #/Type9096 / Success
Event Submitted/Written: 09/24/2007 06:41:11 AM
Event ID/Source: 5615 / WinMgmt
Event Description:
Windows Management Instrumentation Service started sucessfully

Event Record #/Type9095 / Success
Event Submitted/Written: 09/24/2007 06:41:01 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type9078 / Warning
Event Submitted/Written: 09/23/2007 09:14:33 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-1614895754-73586283-839522115-1004_Classes:
Process 864 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1614895754-73586283-839522115-1004_CLASSES
Process 2044 (\Device\HarddiskVolume2\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1614895754-73586283-839522115-1004_CLASSES\Local Settings\software\microsoft\windows\shell\MuiCache



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type32901 / Warning
Event Submitted/Written: 09/24/2007 11:10:55 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JERRY-BJOXQH46X27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JERRY-BJOXQH46X27 can't undo changes that you allow.

For more information please see the following:
%JERRY-BJOXQH46X275

Scan ID: {33DC2AA0-B549-4DA0-BD30-A913B5F6F253}

User: JERRY-BJOXQH46X\Jerry Phillipps

Name: %JERRY-BJOXQH46X271

ID: %JERRY-BJOXQH46X272

Severity ID: %JERRY-BJOXQH46X273

Category ID: %JERRY-BJOXQH46X274

Path Found: %JERRY-BJOXQH46X276

Alert Type: %JERRY-BJOXQH46X278

Detection Type: 1.1.1505.02

Event Record #/Type32900 / Warning
Event Submitted/Written: 09/24/2007 11:10:55 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JERRY-BJOXQH46X27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JERRY-BJOXQH46X27 can't undo changes that you allow.

For more information please see the following:
%JERRY-BJOXQH46X275

Scan ID: {30005F14-70C5-4E08-B12F-92D0882B0613}

User: JERRY-BJOXQH46X\Jerry Phillipps

Name: %JERRY-BJOXQH46X271

ID: %JERRY-BJOXQH46X272

Severity ID: %JERRY-BJOXQH46X273

Category ID: %JERRY-BJOXQH46X274

Path Found: %JERRY-BJOXQH46X276

Alert Type: %JERRY-BJOXQH46X278

Detection Type: 1.1.1505.02

Event Record #/Type32899 / Warning
Event Submitted/Written: 09/24/2007 11:10:55 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JERRY-BJOXQH46X27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JERRY-BJOXQH46X27 can't undo changes that you allow.

For more information please see the following:
%JERRY-BJOXQH46X275

Scan ID: {7685E21B-B0BB-4106-BF20-69CBC75D4E59}

User: JERRY-BJOXQH46X\Jerry Phillipps

Name: %JERRY-BJOXQH46X271

ID: %JERRY-BJOXQH46X272

Severity ID: %JERRY-BJOXQH46X273

Category ID: %JERRY-BJOXQH46X274

Path Found: %JERRY-BJOXQH46X276

Alert Type: %JERRY-BJOXQH46X278

Detection Type: 1.1.1505.02

Event Record #/Type32898 / Warning
Event Submitted/Written: 09/24/2007 11:10:55 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JERRY-BJOXQH46X27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JERRY-BJOXQH46X27 can't undo changes that you allow.

For more information please see the following:
%JERRY-BJOXQH46X275

Scan ID: {C38DD11D-9168-404D-985F-921C7669A906}

User: JERRY-BJOXQH46X\Jerry Phillipps

Name: %JERRY-BJOXQH46X271

ID: %JERRY-BJOXQH46X272

Severity ID: %JERRY-BJOXQH46X273

Category ID: %JERRY-BJOXQH46X274

Path Found: %JERRY-BJOXQH46X276

Alert Type: %JERRY-BJOXQH46X278

Detection Type: 1.1.1505.02

Event Record #/Type32892 / Warning
Event Submitted/Written: 09/24/2007 10:52:12 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JERRY-BJOXQH46X27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JERRY-BJOXQH46X27 can't undo changes that you allow.

For more information please see the following:
%JERRY-BJOXQH46X275

Scan ID: {71B95927-EEC0-4A5A-BE66-31D9FA3F2F9D}

User: JERRY-BJOXQH46X\Jerry Phillipps

Name: %JERRY-BJOXQH46X271

ID: %JERRY-BJOXQH46X272

Severity ID: %JERRY-BJOXQH46X273

Category ID: %JERRY-BJOXQH46X274

Path Found: %JERRY-BJOXQH46X276

Alert Type: %JERRY-BJOXQH46X278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2007-09-24 11:19:18 ------------
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm

Unread postby beynac » September 24th, 2007, 3:29 pm

First, we need to temporarily disable a couple of your protection programs, as they may interfere with our fix.

Disable Spybot's TeaTimer. This is a two step process.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Disable Windows Defender:
  • Open Windows Defender
  • Click Tools => General Settings
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • Click Save
  • Close Windows Defender
----------------------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

Still in HijackThis:
  • Click on Config... (bottom right)
  • Click on Misc Tools (at the top)
  • Click on Delete a file on reboot...
  • Copy and paste the following into the "File name:" text box and then click Open: C:\Windows\system32\mssecc.exe
  • When you are asked "Do you want to restart your computer now?", click OK.
Your PC MUST reboot to delete the file!

---------------------------------------------------------

After the reboot, please run another HijackThis scan and post the log. Please also let me know whether the popup has gone.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Malware Destructor 4.5

Unread postby jp29598 » September 24th, 2007, 4:19 pm

Hi & thanks for all your help!

The popup is still there. Also, it looks like HijackThis did not remove the file as directed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:41 AM, on 9/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mssecc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\System32\mssecc.exe
C:\Users\Jerry Phillipps\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jerry Phillipps.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/microsoftup ... 0495054843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0495041062
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8976304A-BEF7-4CDE-85E8-1BED2A5E7546}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{91A6908B-7909-4BC9-8881-94C0C7D32A4B}: NameServer = 206.13.29.12 206.13.30.12
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6323 bytes
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm

Malware Detructor 4.5

Unread postby jp29598 » September 24th, 2007, 4:27 pm

Should I try the instructions in your last post again?
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm

Unread postby beynac » September 24th, 2007, 4:33 pm

Should I try the instructions in your last post again?

No. The log you have posted is the one that was part of the Deckard's log. Please run a new HijackThis scan and post the log.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Malware Destructor 4.5

Unread postby jp29598 » September 24th, 2007, 5:06 pm

I ran a new scan and this is the log...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:21 PM, on 9/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mssecc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intuit\QuickBooks 2007\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows SysNotify] C:\Windows\system32\mssecc.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/microsoftup ... 0495054843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0495041062
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8976304A-BEF7-4CDE-85E8-1BED2A5E7546}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{91A6908B-7909-4BC9-8881-94C0C7D32A4B}: NameServer = 206.13.29.12 206.13.30.12
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6287 bytes
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm

Unread postby beynac » September 24th, 2007, 6:31 pm

The HijackThis fix and file deletion haven't worked. I don't use Vista and I therefore need to consult my colleagues to get some advice about how to proceed. Please bear with me - I will post again as soon as I can.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Maleware Destructor 4.5

Unread postby jp29598 » September 24th, 2007, 6:46 pm

Thanks for your reply...no problem!
jp29598
Active Member
 
Posts: 11
Joined: September 23rd, 2007, 4:44 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 364 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware