MalwareRemoval.com - Malware Removal Instructions

computer plays 'tv show' in background

Post by dporter64 » April 9th, 2008, 1:28 pm

My computer is playing what sounds like a TV show in the background. I have no windows open, but my task manager shows that an iexplorer process is running. This just started today and I did have a few viruses. My virus software was updated and ran and found a few items and cleaned or quarantined them, but I still get the item playing in the background and I get some pop-up IE pages at random. It did stop the automatic resetting of my homepage. This is my first post to your site; I did look through some of your posts to see if this was there.
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm

Re: computer plays 'tv show' in background

Post by Scotty » April 10th, 2008, 5:50 pm

Hi

Download Deckard's System Scanner (DSS) to your Desktop. Note: you must be logged onto an account with administrator privileges.

  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. If asked to install HijackThis, click on Yes.
  4. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  5. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: computer plays 'tv show' in background

Post by dporter64 » April 11th, 2008, 8:51 pm

Deckard's System Scanner v20071014.68
Run by Danny on 2008-04-11 20:45:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Danny.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:55 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\GEICO\GSG\dsatray.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\utorrent\utorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Danny\Local Settings\Temporary Internet Files\Content.IE5\TJRES2AR\dss[1].exe
C:\DOCUME~1\Danny\Desktop\HJT\Danny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GEICOSecurityGuard] C:\Program Files\GEICO\GSG\dsatray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-1292428093-1383384898-725345543-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1292428093-1383384898-725345543-1003\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (User '?')
O4 - HKUS\S-1-5-21-1292428093-1383384898-725345543-1003\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized (User '?')
O4 - HKUS\S-1-5-21-1292428093-1383384898-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-1292428093-1383384898-725345543-1003\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-1292428093-1383384898-725345543-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - F:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - F:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/sc ... ecubes.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Ice%20Cream%20Tycoon/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4883503592
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1040085203
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Magic%20Ball%203/Images/armhelper.ocx
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassic.microgaming.com/c ... lashAX.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: KbdRam - {6d717bf5-20bd-4439-b8bc-bb8d323e84a5} - C:\WINDOWS\Resources\KbdRam.dll
O21 - SSODL: SetupRam - {4f19f151-daae-4988-8c2e-dd5d003e5063} - C:\WINDOWS\Resources\SetupRam.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: GEICO Security Guard (DsaServ) - GEICO - C:\Program Files\GEICO\GSG\DsaServ.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 11784 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 ApiMon - c:\windows\system32\drivers\apimon.sys (file missing)
2 atksgt - c:\windows\system32\drivers\atksgt.sys
3 catchme - c:\docume~1\danny\locals~1\temp\catchme.sys (file missing)
2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
3 cusbohcn - c:\docume~1\danny\locals~1\temp\cusbohcn.sys (file missing)
3 Eacfilt (Eacfilt Miniport) - c:\windows\system32\drivers\eacfilt.sys <Not Verified; Nortel Networks; Filter Driver for CVC>
3 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
0 szkg - system32\drivers\szkg.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3 Boonty Games - c:\program files\common files\boonty shared\service\boonty.exe
2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
3 DsaServ (GEICO Security Guard) - c:\program files\geico\gsg\dsaserv.exe
3 ExtranetAccess (Contivity VPN Service) - c:\program files\nortel networks\extranet_serv.exe
3 GoogleDesktopManager - c:\program files\google\google desktop search\googledesktopmanager.exe (file missing)
2 tunnelguardservice (Nortel Networks TunnelGuard) - c:\program files\nortel networks\tunnelguard\cueagent_srv.exe
2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-09 10:24:58 0 d-------- C:\WINDOWS\ERUNT
2008-04-09 02:11:00 0 d-------- C:\Documents and Settings\Danny\Application Data\TmpRecentIcons
2008-04-09 00:39:00 0 d-------- C:\Documents and Settings\All Users\Application Data\mlknonat
2008-03-28 18:41:06 0 d-------- C:\Program Files\GameTap
2008-03-28 18:41:06 0 d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-03-28 08:35:56 0 d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-03-27 16:43:46 0 --a------ C:\Program Files\temp01
2008-03-25 08:34:15 4096 --a------ C:\WINDOWS\d3dx.dat
2008-03-23 09:15:27 0 d-------- C:\Documents and Settings\Danny\Application Data\Super-Cow
2008-03-21 10:01:18 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-21 10:00:13 0 d-------- C:\Program Files\PlayFirst


-- Find3M Report ---------------------------------------------------------------

2008-05-07 14:31:27 0 d-------- C:\Program Files\Common Files\Real
2008-04-11 20:47:23 0 d-------- C:\Documents and Settings\Danny\Application Data\uTorrent
2008-04-10 15:19:29 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-09 11:02:32 0 d-------- C:\Documents and Settings\Danny\Application Data\AVG7
2008-04-09 08:06:38 0 d-------- C:\Program Files\Java
2008-04-07 14:28:18 0 d-------- C:\Program Files\PokerStars
2008-03-28 18:41:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-28 08:35:35 0 d-------- C:\Documents and Settings\Danny\Application Data\PlayFirst
2008-03-27 16:43:45 0 d-------- C:\Program Files\bfgclient
2008-03-19 18:55:01 0 d-------- C:\Program Files\GameHouse
2008-03-10 23:43:26 0 d-------- C:\Program Files\Full Tilt Poker
2008-03-10 12:23:29 0 d-------- C:\Program Files\Air Battles
2008-03-09 13:17:28 0 d-------- C:\Program Files\Microsoft Works
2008-03-08 13:46:06 0 d-------- C:\Program Files\Google
2008-03-04 18:43:41 0 d-------- C:\Documents and Settings\Danny\Application Data\GameHouse
2008-03-03 11:07:35 0 d-------- C:\Program Files\BigIdea
2008-03-03 10:48:41 0 d-------- C:\Program Files\Winamp
2008-03-01 18:14:10 0 d-------- C:\Program Files\Apple Software Update
2008-03-01 18:13:18 0 d-------- C:\Program Files\Common Files
2008-02-23 11:23:15 0 d-------- C:\Documents and Settings\Danny\Application Data\SpinTop
2008-02-22 13:32:29 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-21 17:32:22 0 d-------- C:\Program Files\Aircraft POWERPACK II
2008-02-21 17:25:22 219 --a------ C:\Program Files\tempwp.log
2008-02-21 17:22:54 0 d-------- C:\Program Files\Common Files\merlin
2008-02-15 23:33:12 0 d-------- C:\Program Files\RedStarPoker
2008-02-15 21:12:52 0 d-------- C:\Program Files\Intel
2008-02-13 16:14:32 0 d-------- C:\Program Files\GEICO
2008-02-13 16:07:33 0 d-------- C:\Program Files\Nortel Networks
2008-02-13 16:06:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 18:43:24 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2008-02-07 18:43:24 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2008-02-07 18:43:23 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [04/09/2007 01:32 PM C:\WINDOWS\system32\CtHelper.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [01/07/2008 10:48 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 12:52 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 01:04 AM]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 01:01 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [08/15/2007 08:15 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/15/2008 06:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"GEICOSecurityGuard"="C:\Program Files\GEICO\GSG\dsatray.exe" [08/17/2007 04:20 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [03/25/2004 01:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [03/05/2007 07:15 PM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [04/03/2007 06:29 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [8/28/2006 5:16:46 PM]
TunnelGuard Tray Monitor.lnk - C:\WINDOWS\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2/13/2008 4:07:41 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KbdRam"= {6d717bf5-20bd-4439-b8bc-bb8d323e84a5} - C:\WINDOWS\Resources\KbdRam.dll [04/09/2008 12:38 AM 12330]
"SetupRam"= {4f19f151-daae-4988-8c2e-dd5d003e5063} - C:\WINDOWS\Resources\SetupRam.dll [04/09/2008 12:39 AM 12330]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-11 20:47:40 ------------

EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 57%
Physical Memory (total/avail): 2046.99 MiB / 869.23 MiB
Pagefile Memory (total/avail): 3942.46 MiB / 2827.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.74 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 223.51 GiB total, 114.26 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 149.05 GiB total, 28.44 GiB free.
G: is CDROM (No Media)
H: is Network (Unformatted)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntivirusOverride is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Danny\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Danny
LOGONSERVER=\\HOME
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0205
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Danny\LOCALS~1\Temp
TMP=C:\DOCUME~1\Danny\LOCALS~1\Temp
USERDOMAIN=HOME
USERNAME=Danny
USERPROFILE=C:\Documents and Settings\Danny
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Danny (admin)
Administrator.HOME-RNLOFO8ADX (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{410438A3-B591-4028-B70A-3CC0B33FBCD1}\Setup.exe" -l0x9 -L0x9anything
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
3D Groove Playback Engine --> RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Air Battles: Sky Defender --> C:\PROGRA~1\AIRBAT~1\UNWISE.EXE C:\PROGRA~1\AIRBAT~1\tempwp.log
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avatar - The Last Airbender --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E67EDCA1-18E1-4136-ABF6-D21F2A129A46}\setup.exe" -l0x9 -uninst
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Big City Adventure SF --> C:\PROGRA~1\PLAYFI~1\BIGCIT~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\BIGCIT~1\INSTALL.LOG
Big Fish Games Client --> C:\Program Files\bfgclient\Uninstall.exe
Boohbah Zone --> C:\Program Files\Common Files\Polka Dot\Uninstall\BoohBahUn.exe
Bricks Of Egypt 2 --> "C:\Program Files\Oberon Media\Bricks Of Egypt 2\unins000.exe"
CDBurnerXP --> "C:\Program Files\CDBurnerXP\unins000.exe"
Chicken Little --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1D2E2C9C-5661-4383-945D-F6F787329B51}\Setup.exe" -l0x9 Chicken Little
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell Photo Printer 720 Logger --> C:\Program Files\Dell Photo Printer 720\dlbcunst.exe
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell TrueMobile 2300 Control Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06B8DAD8-2809-475E-BA9D-C34479A0D58A}\Setup.exe" DTM23H
Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
Disney's Winnie the Pooh Preschool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{09E26120-0322-11D5-B231-0050DACD394D}\setup.exe" Uninstall
Disney Pirates of the Caribbean Online --> C:\Program Files\Disney\Disney Online\PiratesOnline\uninst.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dream Chronicles 2 --> C:\PROGRA~1\PLAYFI~1\DREAMC~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\DREAMC~1\INSTALL.LOG
ebgcInfra --> MsiExec.exe /X{39B1BD87-561E-4762-AED9-7C5213B06C24}
ebgcRes --> MsiExec.exe /X{C317FE54-A82F-475A-8B92-FDE3C6E14660}
ebgcSDK --> MsiExec.exe /X{13AD768A-9E04-499D-AE80-967A65DCCBA5}
eMusic - 50 Free MP3 offer --> "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
ESPN Java Check --> C:\WINDOWS\system32\javaws.exe -uninstall "http://games.espn.go.com/s/ffllm/06/livedraft/jws-check.jar"
Finding Nemo --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1A5488D7-314D-4CBC-89BF-C5B59510BDBA} NemoADVUninstall
Finding Nemo: Nemo's Underwater World of Fun --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BCB8D603-985E-4765-B4AB-B4B991A535B7} NemoUWFUninstall
Fishing Craze --> C:\PROGRA~1\PLAYFI~1\FISHIN~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\FISHIN~1\INSTALL.LOG
FizzBall --> C:\PROGRA~1\PLAYFI~1\FizzBall\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\FizzBall\INSTALL.LOG
Full Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
GameTap --> C:\Program Files\InstallShield Installation Information\{67E158AF-8856-4337-B483-EA21930786AF}\setup.exe -runfromtemp -l0x0009 -removeonly
GEICO Security Guard --> MsiExec.exe /X{334CEE9C-EEA5-4497-ABA6-E501C08F3BD8}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Harry Potter and the Goblet of Fire™ --> F:\Program Files\Electronic Arts\Harry Potter and the Goblet of Fire\EAUninstall.exe
Harry Potter II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7BF68B83-5057-4D4B-0093-28285EEB9EE3}\setup.exe" -l0x9 Uninstall
Heavy Weapon Deluxe --> C:\PROGRA~1\PLAYFI~1\HEAVYW~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\HEAVYW~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Documents and Settings\Danny\Local Settings\Temporary Internet Files\Content.IE5\78KXS78Y\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Insaniquarium Deluxe --> C:\PROGRA~1\PLAYFI~1\INSANI~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\INSANI~1\INSTALL.LOG
Intel Application Accelerator RAID Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -INTELUNINST
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes --> MsiExec.exe /I{974C05A0-C76C-4724-A9A2-11D5D1355729}
iWon Prize Machine --> RunDll32 advpack.dll,LaunchINFSection "C:\Program Files\iWon\iWonSlot\1.bin\uninstall.inf",Uninstall
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
JumpStart 2nd Grade v1.2 --> C:\WINDOWS\IsUninst.exe -fC:\KA\2G\DeIsL1.isu
JumpStart 3rd Grade v1.2 --> C:\WINDOWS\IsUninst.exe -fC:\KA\3G\DeIsL1.isu
JumpStart 4th Grade 2001 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Knowledge Adventure\JS4G2001\DeIsL1.isu"
Jumpstart First Grade v1.4 --> C:\WINDOWS\IsUninst.exe -fC:\KA\FG\DeIsL1.isu
JumpStart Mail --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Knowledge Adventure\JSMAIL\DeIsL1.isu"
JumpStart Parent Resource Center v1.0 --> C:\WINDOWS\IsUninst.exe -fC:\KA\PRC\DeIsL1.isu
LEGO Star Wars --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{E914A24F-2412-4374-B420-86D21D6D444A}
Memory Key Boot Utility --> MsiExec.exe /X{D3943D0B-C281-4BF7-9FFB-2A4497986BF9}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 6-9 Converter --> MsiExec.exe /X{172423F9-522A-483A-AD65-03600CE4CA4F}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nortel Networks Contivity Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF964A78-078C-11D1-B7A7-0000C0134CE6}\setup.exe" Uninstall
Nortel Networks TunnelGuard --> MsiExec.exe /X{5650A422-0789-473F-B2C7-6C3D10CC9FFB}
Over the Hedge(TM) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{47388B97-4DCF-406F-B863-DC498C0D5E42} /l1033
ParaWorld --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EAA01BA0-6991-4296-A404-4FFF2DAC2225}\setup.exe" -l0x9 -removeonly
PKR --> "F:\PKR.com\PKR\uninstall-pkr.exe"
PokerStars --> "C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
QuickTime Alternative 1.47 --> "f:\Program Files\QuickTime Alternative\unins000.exe"
RCT3 Soaked --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\Setup.exe" -l0x9
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RelevantKnowledge --> c:\windows\system32\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
Roll --> C:\WINDOWS\UniFish3.exe f:\Program Files\Hasbro Interactive\RollerCoaster Tycoon\RollerCoaster Tycoon.log
RollerCoaster Tycoon® 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\setup.exe" -l0x9
SafeCast Shared Components --> C:\Program Files\Common Files\Macrovision Shared\SafeCast\Install\CDAC13BA.EXE /uninstall
Scholastic's I SPY Fantasy --> F:\PROGRA~1\SCHOLA~1\ISPYFA~1\UNWISE.EXE F:\PROGRA~1\SCHOLA~1\ISPYFA~1\INSTALL.LOG
Scooby-Doo 2 - Monsters Unleashed --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9BD9BF5-F1D1-4904-B348-40D0E9FF0023}\setup.exe" -l0x9 -uninst
Shrek 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7774A6A9-CE0D-4544-9A29-84351BAE184A}
Sid Meier's Pirates! --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\SETUP.EXE" -l0x9 -L0x9 /SMAINT
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpongeBob SquarePants - Nighty Nightmare --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECAAC00F-74C7-4F1C-A110-F526ED630044}\setup.exe" -l0x9 -uninst
SpongeBob SquarePants - The Movie --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B98D958E-9E59-43B7-B47F-043D45D73EE6}\setup.exe" -l0x9 -uninst
Star Defender 4 --> C:\PROGRA~1\PLAYFI~1\STARDE~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\STARDE~1\INSTALL.LOG
Star Wars Battlefront --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C79CB9C7-10A4-4814-8402-F574672C2192}\Setup.exe" -l0x9
Star Wars Battlefront II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D374523-CFDE-461A-827E-2A102E2AB365}\Setup.exe" -l0x9 -removeonly
Star Wars Empire at War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99AE7207-8612-4DBA-A8F8-BAE5C633390D}\Setup.exe" -l0x9 -removeonly
Star Wars Empire at War Forces of Corruption --> C:\Program Files\InstallShield Installation Information\{6592FDEC-2C1A-413A-9985-25FEC2F0848D}\setup.exe -runfromtemp -l0x0009 -removeonly
Star Wars®: Knights of the Old Republic (TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}\setup.exe" -l0x9
Super Granny 4 --> C:\PROGRA~1\PLAYFI~1\SUPERG~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\SUPERG~1\INSTALL.LOG
Supercow --> C:\PROGRA~1\PLAYFI~1\Supercow\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\Supercow\INSTALL.LOG
The Chronicles of Narnia --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3389DC79-8D4C-4447-B1D3-3D8FE43D65C2}
The Incredibles - When Danger Calls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E602FA72-18BB-444F-8EAE-5E8146FFE31E}\SETUP.EXE" -l0x9
The Incredibles: Rise of The Underminer --> MsiExec.exe /X{D43C71BA-CE66-4596-9EF4-962C724CF3F3}
The Mystery of Veggie Island --> C:\WINDOWS\uninst.exe -f"C:\Program Files\BigIdea\The Mystery of Veggie Island\DeIsL1.isu"
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
Treasures of the Deep --> "C:\Program Files\Oberon Media\Treasures of the Deep\unins000.exe"
TurboTax Deluxe 2007 --> F:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "F:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006 --> f:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "f:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
UltimateBet --> F:\PROGRA~1\ULTIMA~1\UNWISE.EXE F:\PROGRA~1\ULTIMA~1\INSTALL.LOG
Version 3.0 --> "C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Villagers The Lost Children --> C:\PROGRA~1\PLAYFI~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\PLAYFI~1\VIRTUA~1\INSTALL.LOG
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
WinAVI Video Converter --> "f:\Program Files\WinAVI Video Converter\unins000.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2332 / Error
Event Submitted/Written: 04/09/2008 08:31:37 PM
Event ID/Source: 5000 / .NET Runtime 2.0 Error Reporting
Event Description:
EventType clr20r3, P1 dsaserv.exe, P2 1.1.607.33, P3 46c5f4ff, P4 dsaserv, P5 1.1.607.33, P6 46c5f4ff, P7 2a, P8 25e, P9 clr20r30, P10 clr20r31.

Event Record #/Type2324 / Error
Event Submitted/Written: 04/09/2008 08:30:51 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type2320 / Error
Event Submitted/Written: 04/09/2008 08:27:32 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2319 / Error
Event Submitted/Written: 04/09/2008 08:24:30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2308 / Warning
Event Submitted/Written: 04/09/2008 11:37:43 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25000 / Warning
Event Submitted/Written: 04/11/2008 08:43:14 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type24998 / Error
Event Submitted/Written: 04/10/2008 07:47:08 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type24997 / Warning
Event Submitted/Written: 04/10/2008 02:58:52 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type24996 / Warning
Event Submitted/Written: 04/10/2008 10:10:03 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type24995 / Warning
Event Submitted/Written: 04/10/2008 05:51:37 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-11 20:47:40 ------------
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm

Re: computer plays 'tv show' in background

Unread postby Scotty » April 12th, 2008, 5:33 pm

Hi

I'm afraid I have unpleasant news for you. You have a Dangerous infection on this machine.
The infection is delivered by a Backdoor Trojan.
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: computer plays 'tv show' in background

Unread postby dporter64 » April 12th, 2008, 7:28 pm

Would this only affect my internal c: drive or would it be on my external also? How difficult is the 'cleaning' process? I have run SDFix and I can see that I keep getting reinfected.
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm

Re: computer plays 'tv show' in background

Unread postby Scotty » April 12th, 2008, 7:54 pm

Hi

I can't say for sure how difficult it would be. If you want to try cleaning, remember to keep your external drive connected throughout too.

Let me know how you wish to proceed.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: computer plays 'tv show' in background

Unread postby dporter64 » April 12th, 2008, 8:34 pm

Cleaning first would be preferred. Can we set up a time to be able to both be online while doing the cleaning?
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm

Re: computer plays 'tv show' in background

Unread postby Scotty » April 13th, 2008, 5:58 am

I'm pretty much online most of the day (UK time). Before we proceed, you mentioned running SDFix. Could you post the log it would have made? It will be a text file called Report.txt and will be in the C:\SDFix folder.

Also,

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer to Peer programs themselves is here :
Clean/Infected P2P Programs
Please refrain from using BitTorrent during the course of your fix, so you don't risk inviting more malware onto your computer.


If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
Report.txt
ComboFix.txt
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
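The Report.txt Scotty asks for ends with an "Authorized Application Key Export", a .reg-style dump of the XP firewall's exception list, and an enabled exception that points at an executable in a Temp folder is the kind of entry a responder reads first. The script below is an added example for this thread (not SDFix's own code): it parses that section and flags such entries; the sample export is constructed in the same shape, using entries of the kind that appear in this thread's log.

```python
"""Parse and triage the 'Authorized Application Key Export' section of an
SDFix Report.txt.  Added example, not SDFix code.  Each exception line is

    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"

with backslashes doubled as in any .reg export.  Environment variables such
as %windir% are left unexpanded, exactly as the export prints them.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the export's shape (entries of the kind in the thread).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~os292.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~os292.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"c:\\windows\\system32\\rlvknlg.exe"="c:\\windows\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"F:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="F:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe:*:Enabled:Star Wars(R): Empire at War(TM): Forces of Corruption(TM)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"""

PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\authorizedapplications", re.IGNORECASE)
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temp\\")
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


@dataclass
class FirewallException:
    profile: str          # standardprofile or domainprofile
    path: str             # executable the exception applies to
    scope: str            # '*' (any address) or e.g. LocalSubNet
    enabled: bool
    name: str             # display name stored with the exception
    reasons: List[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\")


def parse_exceptions(text: str) -> List[FirewallException]:
    """Return every exception in the export, in file order."""
    entries: List[FirewallException] = []
    profile = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):              # registry key header: note the profile
            m = PROFILE_RE.search(line)
            profile = m.group(1).lower() if m else "?"
            continue
        if not line.startswith('"'):
            continue
        key, sep, val = line.partition('"="')
        if not sep or not val.endswith('"'):
            continue
        path = _unescape(key[1:])
        value = _unescape(val[:-1])
        # The value repeats the path, then scope, state and display name.
        # Split only after the path, because the drive letter and the display
        # name may themselves contain colons.
        if not value.lower().startswith(path.lower() + ":"):
            continue
        parts = value[len(path) + 1:].split(":", 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        entries.append(FirewallException(profile, path, scope,
                                         state.lower() == "enabled", name))
    return entries


def triage(text: str) -> List[FirewallException]:
    """Return the enabled exceptions whose executable lives somewhere an
    installed product normally would not, with the reasons attached."""
    flagged: List[FirewallException] = []
    for e in parse_exceptions(text):
        p = e.path.lower()
        if any(m in p for m in TEMP_MARKERS):
            e.reasons.append("executable lives in a temporary folder")
        elif any(m in p for m in PROFILE_MARKERS):
            e.reasons.append("executable lives under a user profile")
        if e.reasons and e.enabled:   # a disabled exception exposes nothing
            if e.scope == "*":
                e.reasons.append("scope '*' admits any remote address")
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_EXPORT):
        print(f"[{e.profile}] {e.path}  ({e.name}): " + "; ".join(e.reasons))
```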

Re: computer plays 'tv show' in background

Unread postby dporter64 » April 13th, 2008, 9:23 am

Thanks for your time... here are the reports. SDFix from yesterday's cleaning, ComboFix and then HijackThis from after the Combo clean.

Report.txt FROM YESTERDAY


SDFix: Version 1.168
Run by Danny on Sat 04/12/2008 at 05:58 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\univrs32.dat - Deleted
C:\WINDOWS\system32\winivstr.exe - Deleted





The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\NCLAUNCH.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\NCLAUNCH.exe
C:\Program Files\DAEMON Tools\daemon.exe


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 19:05:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:3f,6c,d6,c5,b2,07,bb,9f,99,28,0e,31,12,8d,47,31,c4,59,40,f1,34,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,52,12,c6,3e,6b,32,af,e1,e6,30,1b,6c,92,2b,7d,4c,e4,..
"khjeh"=hex:d0,d2,08,63,49,31,4c,bf,e3,5c,67,3a,5a,97,6e,60,3b,bd,73,ed,52,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ef,80,e6,93,7d,6a,df,d4,c5,1c,5c,97,c7,e5,59,1a,83,c9,2b,c9,82,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c9,0f,00,cb,5d,87,bd,be,86,b0,90,10,44,47,c9,d1,aa,77,f3,fd,5d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c9,0f,00,cb,5d,87,bd,be,86,b0,90,10,44,47,c9,d1,aa,77,f3,fd,5d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:92,43,2e,c6,59,e6,23,fd,b8,6f,8f,eb,61,e4,5c,65,66,df,63,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:3f,6c,d6,c5,b2,07,bb,9f,99,28,0e,31,12,8d,47,31,c4,59,40,f1,34,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,52,12,c6,3e,6b,32,af,e1,e6,30,1b,6c,92,2b,7d,4c,e4,..
"khjeh"=hex:d0,d2,08,63,49,31,4c,bf,e3,5c,67,3a,5a,97,6e,60,3b,bd,73,ed,52,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ef,80,e6,93,7d,6a,df,d4,c5,1c,5c,97,c7,e5,59,1a,83,c9,2b,c9,82,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c9,0f,00,cb,5d,87,bd,be,86,b0,90,10,44,47,c9,d1,aa,77,f3,fd,5d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c9,0f,00,cb,5d,87,bd,be,86,b0,90,10,44,47,c9,d1,aa,77,f3,fd,5d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:92,43,2e,c6,59,e6,23,fd,b8,6f,8f,eb,61,e4,5c,65,66,df,63,00,81,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe"="C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe:*:Disabled:Insaniquarium"
"C:\\Program Files\\WildTangent\\Blasterball 2\\BB2.exe"="C:\\Program Files\\WildTangent\\Blasterball 2\\BB2.exe:*:Enabled:BB2"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe:*:Enabled:Battlefront"
"C:\\Program Files\\BoontyGames\\Red Ace Squadron\\acenet_client_release.exe"="C:\\Program Files\\BoontyGames\\Red Ace Squadron\\acenet_client_release.exe:*:Enabled:acenet_client_release"
"C:\\Program Files\\BoontyGames\\Necromania Traps of Darkness\\TOD_g.exe"="C:\\Program Files\\BoontyGames\\Necromania Traps of Darkness\\TOD_g.exe:*:Enabled:TOD_g"
"C:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"="C:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe:*:Enabled:Super Gem Drop"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe:*:Enabled:battlefrontII"
"C:\\Program Files\\ParaWorld\\bin\\PWServer.exe"="C:\\Program Files\\ParaWorld\\bin\\PWServer.exe:*:Enabled:ParaWorld Server"
"F:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="F:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"F:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="F:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Yahoo! Games\\Wik And The Fable Of Souls\\Wik.exe"="C:\\Program Files\\Yahoo! Games\\Wik And The Fable Of Souls\\Wik.exe:*:Enabled:Wik and the Fable of Souls"
"C:\\Program Files\\WildTangent\\Polar Bowler\\polar.exe"="C:\\Program Files\\WildTangent\\Polar Bowler\\polar.exe:*:Enabled:polar"
"C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~os292.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~os292.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~osB.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~osB.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"E:\\Setup.exe"="E:\\Setup.exe:*:Enabled:Dell TrueMobile 2300 Wireless Router Setup Wizard"
"C:\\Program Files\\Dell TrueMobile 2300\\ControlUtility.exe"="C:\\Program Files\\Dell TrueMobile 2300\\ControlUtility.exe:*:Enabled:ControlUtility"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~os64.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Danny\\Local Settings\\Temp\\~os64.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"c:\\windows\\system32\\rlvknlg.exe"="c:\\windows\\system32\\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe:*:Enabled:Star Wars(R): Empire at War(TM): Forces of Corruption(TM)"
"C:\\Program Files\\City Interactive\\WWII Pacific Heroes\\pacific.exe"="C:\\Program Files\\City Interactive\\WWII Pacific Heroes\\pacific.exe:*:Enabled:pacific"
"C:\\Program Files\\Yahoo! Games\\Phoenix Assault\\Phoenix.exe"="C:\\Program Files\\Yahoo! Games\\Phoenix Assault\\Phoenix.exe:*:Enabled:Phoenix Assault"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"F:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="F:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"F:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="F:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 9 Mar 2008 1,241,088 A..H. --- "C:\My Games\Alien Stars\AlienStars.exe"
Mon 19 Feb 2007 5,719,552 A..H. --- "C:\My Games\FizzBall\FizzBall.exe"
Mon 10 Mar 2008 4,104,779 A..H. --- "C:\My Games\Gutterball 2\Gutterball2.exe"
Sun 9 Dec 2007 1,658,880 A..H. --- "C:\My Games\Insaniquarium Deluxe\InsaniquariumDeluxe.exe"
Mon 10 Mar 2008 340,019 ...H. --- "C:\My Games\Pearl Harbor - Zero Hour\phz.exe"
Wed 9 Apr 2008 12,330 ..SHR --- "C:\WINDOWS\Resources\KbdRam.dll"
Wed 9 Apr 2008 12,330 ..SHR --- "C:\WINDOWS\Resources\SetupRam.dll"
Thu 11 Aug 2005 4,348 A..H. --- "C:\backup\My Music\License Backup\drmv1key.bak"
Tue 13 Dec 2005 20 A..H. --- "C:\backup\My Music\License Backup\drmv1lic.bak"
Thu 11 Aug 2005 400 A.SH. --- "C:\backup\My Music\License Backup\drmv2key.bak"
Thu 21 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 20 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!




COMBOFIX

ComboFix 08-04-12.7 - Danny 2008-04-13 8:56:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1519 [GMT -4:00]
Running from: C:\Documents and Settings\Danny\Desktop\REPAIR\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\winantispyware 2007\Data\ProductCode
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\resources\KbdRam.dll
C:\WINDOWS\resources\SetupRam.dll
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Service_ApiMon


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 00:39 . 2008-04-13 06:43 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-11 20:45 . 2008-04-11 20:45 <DIR> d-------- C:\Deckard
2008-04-09 10:24 . 2008-04-09 10:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-09 10:19 . 2008-04-12 19:11 <DIR> d-------- C:\SDFix
2008-04-09 03:10 . 2008-04-09 03:10 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 02:11 . 2008-04-09 02:11 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\TmpRecentIcons
2008-04-09 00:39 . 2008-04-09 03:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mlknonat
2008-03-28 18:41 . 2008-03-28 18:41 <DIR> d-------- C:\Program Files\GameTap
2008-03-28 18:41 . 2008-03-28 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-03-28 08:35 . 2008-03-28 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-03-25 08:34 . 2008-03-25 08:34 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-03-23 09:15 . 2008-03-23 09:19 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\Super-Cow
2008-03-21 10:01 . 2008-03-21 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-21 10:00 . 2008-04-12 00:48 <DIR> d-------- C:\Program Files\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 18:31 --------- d-----w C:\Program Files\Common Files\Real
2008-04-13 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-13 10:43 --------- d-----w C:\Program Files\QuickTime
2008-04-13 10:43 --------- d-----w C:\Program Files\iTunes
2008-04-13 10:43 --------- d-----w C:\Program Files\DAEMON Tools
2008-04-12 05:25 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-12 01:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-12 01:17 --------- d-----w C:\Documents and Settings\Danny\Application Data\uTorrent
2008-04-09 15:02 --------- d-----w C:\Documents and Settings\Danny\Application Data\AVG7
2008-04-09 12:06 --------- d-----w C:\Program Files\Java
2008-04-07 18:28 --------- d-----w C:\Program Files\PokerStars
2008-03-28 22:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-28 12:35 --------- d-----w C:\Documents and Settings\Danny\Application Data\PlayFirst
2008-03-27 20:43 0 ----a-w C:\Program Files\temp01
2008-03-27 20:43 --------- d-----w C:\Program Files\bfgclient
2008-03-27 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-03-21 14:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-19 22:55 --------- d-----w C:\Program Files\GameHouse
2008-03-19 22:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-10 16:23 --------- d-----w C:\Program Files\Air Battles
2008-03-09 17:17 --------- d-----w C:\Program Files\Microsoft Works
2008-03-08 17:46 --------- d-----w C:\Program Files\Google
2008-03-06 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\rionix
2008-03-04 22:43 --------- d-----w C:\Documents and Settings\Danny\Application Data\GameHouse
2008-03-04 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2008-03-03 15:07 --------- d-----w C:\Program Files\BigIdea
2008-03-03 14:48 --------- d-----w C:\Program Files\Winamp
2008-03-01 22:14 --------- d-----w C:\Program Files\Apple Software Update
2008-02-23 15:23 --------- d-----w C:\Documents and Settings\Danny\Application Data\SpinTop
2008-02-21 21:32 --------- d-----w C:\Program Files\Aircraft POWERPACK II
2008-02-21 21:25 219 ----a-w C:\Program Files\tempwp.log
2008-02-21 21:22 --------- d-----w C:\Program Files\Common Files\merlin
2008-02-16 03:33 --------- d-----w C:\Program Files\RedStarPoker
2008-02-16 01:12 --------- d-----w C:\Program Files\Intel
2008-02-13 20:14 --------- d-----w C:\Program Files\GEICO
2008-02-13 20:07 --------- d-----w C:\Program Files\Nortel Networks
2008-02-13 20:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 15:50 743,016 ----a-w C:\Documents and Settings\Danny\GDSSetup.exe
2007-11-22 15:50 558,248 ----a-w C:\Documents and Settings\Danny\GoogleToolbarInstaller.exe
2006-11-21 12:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2007-04-09 13:32 19456 C:\WINDOWS\system32\CtHelper.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"GEICOSecurityGuard"="C:\Program Files\GEICO\GSG\dsatray.exe" [2007-08-17 16:20 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 16:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-08-28 17:16:46 315392]
TunnelGuard Tray Monitor.lnk - C:\WINDOWS\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2008-02-13 16:07:41 8192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\Program Files\\Dell TrueMobile 2300\\ControlUtility.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10000:TCP"= 10000:TCP:torrent
"50:UDP"= 50:UDP:IPSEC Tunnel Encapsulation
"51:UDP"= 51:UDP:IPSEC Tunnel Encapsulation
"500:UDP"= 500:UDP:ISAKMP/IPsec Key Management
"8121:UDP"= 8121:UDP:TunnelGuard Connection
"8282:TCP"= 8282:TCP:TunnelGuard Communication
"10001:UDP"= 10001:UDP:NAT Traversal
"55370:TCP"= 55370:TCP:GSG Server Communication

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 09:34]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-03-18 06:10]
R3 DsaServ;GEICO Security Guard;"C:\Program Files\GEICO\GSG\DsaServ.exe" [2007-08-17 16:20]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-09-06 13:39]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 13:39]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-12-12 13:00]
S3 cusbohcn;cusbohcn;C:\DOCUME~1\Danny\LOCALS~1\Temp\cusbohcn.sys []
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2005-09-06 13:32]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 13:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 13:03:45 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 09:03:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
.
**************************************************************************
.
Completion time: 2008-04-13 9:06:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 13:06:48
Pre-Run: 134,485,241,856 bytes free
Post-Run: 134,399,467,520 bytes free
.
2008-04-09 07:13:23 --- E O F ---



HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:06 AM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\GEICO\GSG\dsatray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\GEICO\GSG\DsaServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Danny\Desktop\HJT\Danny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GEICOSecurityGuard] C:\Program Files\GEICO\GSG\dsatray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - F:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - F:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/sc ... ecubes.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Ice%20Cream%20Tycoon/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4883503592
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1040085203
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Magic%20Ball%203/Images/armhelper.ocx
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassic.microgaming.com/c ... lashAX.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: GEICO Security Guard (DsaServ) - GEICO - C:\Program Files\GEICO\GSG\DsaServ.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8985 bytes
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm

Re: computer plays 'tv show' in background

Unread postby Scotty » April 13th, 2008, 12:15 pm

Hi

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

XP Media Centre is based upon XP Professional

Image


Download the file & save it as it's originally named, next to ComboFix.exe.

Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: computer plays 'tv show' in background

Unread postby dporter64 » April 13th, 2008, 12:49 pm

Here is the text.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm

Re: computer plays 'tv show' in background

Unread postby Scotty » April 13th, 2008, 3:41 pm

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code:
KillAll::
 
Folder::
C:\SDFix

DirLook::
C:\Documents and Settings\All Users\Application Data\mlknonat

Driver::
cusbohcn
 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Referring to the picture above, drag CFScript into ComboFix.exe


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.

In your next reply post:
ComboFix.txt
MBAM log
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: computer plays 'tv show' in background

Unread postby dporter64 » April 13th, 2008, 5:13 pm

Here are the 3 reports.

COMBOFIX.EXE

ComboFix 08-04-12.7 - Danny 2008-04-13 15:48:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1502 [GMT -4:00]
Running from: C:\Documents and Settings\Danny\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Danny\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FixComponents.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\grep.exe
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\HPFix5.reg
C:\SDFix\apps\HPFix6.reg
C:\SDFix\apps\HPFix7.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\regedit.exe
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\sed.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\vfind.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\backups.zip
C:\SDFix\backups\catchme.log
C:\SDFix\backups\HOSTS
C:\SDFix\backups_old1\backupreg.zip
C:\SDFix\backups_old1\backups.zip
C:\SDFix\backups_old1\catchme.log
C:\SDFix\backups_old1\HOSTS
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\Report_old_1.txt
C:\SDFix\Report_old_2.txt
C:\SDFix\report1.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CUSBOHCN
-------\Service_cusbohcn


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 00:39 . 2008-04-13 06:43 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-11 20:45 . 2008-04-11 20:45 <DIR> d-------- C:\Deckard
2008-04-09 10:24 . 2008-04-09 10:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-09 03:10 . 2008-04-09 03:10 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 02:11 . 2008-04-09 02:11 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\TmpRecentIcons
2008-04-09 00:39 . 2008-04-09 03:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mlknonat
2008-03-28 18:41 . 2008-03-28 18:41 <DIR> d-------- C:\Program Files\GameTap
2008-03-28 18:41 . 2008-03-28 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-03-28 08:35 . 2008-03-28 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-03-25 08:34 . 2008-03-25 08:34 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-03-23 09:15 . 2008-03-23 09:19 <DIR> d-------- C:\Documents and Settings\Danny\Application Data\Super-Cow
2008-03-21 10:01 . 2008-03-21 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-21 10:00 . 2008-04-12 00:48 <DIR> d-------- C:\Program Files\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 18:31 --------- d-----w C:\Program Files\Common Files\Real
2008-04-13 19:39 --------- d-----w C:\Program Files\Winamp
2008-04-13 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-13 10:43 --------- d-----w C:\Program Files\QuickTime
2008-04-13 10:43 --------- d-----w C:\Program Files\iTunes
2008-04-13 10:43 --------- d-----w C:\Program Files\DAEMON Tools
2008-04-12 05:25 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-12 01:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-12 01:17 --------- d-----w C:\Documents and Settings\Danny\Application Data\uTorrent
2008-04-09 15:02 --------- d-----w C:\Documents and Settings\Danny\Application Data\AVG7
2008-04-09 12:06 --------- d-----w C:\Program Files\Java
2008-04-07 18:28 --------- d-----w C:\Program Files\PokerStars
2008-03-28 22:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-28 12:35 --------- d-----w C:\Documents and Settings\Danny\Application Data\PlayFirst
2008-03-27 20:43 0 ----a-w C:\Program Files\temp01
2008-03-27 20:43 --------- d-----w C:\Program Files\bfgclient
2008-03-27 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-03-21 14:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-19 22:55 --------- d-----w C:\Program Files\GameHouse
2008-03-19 22:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-10 16:23 --------- d-----w C:\Program Files\Air Battles
2008-03-09 17:17 --------- d-----w C:\Program Files\Microsoft Works
2008-03-08 17:46 --------- d-----w C:\Program Files\Google
2008-03-06 23:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\rionix
2008-03-04 22:43 --------- d-----w C:\Documents and Settings\Danny\Application Data\GameHouse
2008-03-04 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2008-03-03 15:07 --------- d-----w C:\Program Files\BigIdea
2008-03-01 22:14 --------- d-----w C:\Program Files\Apple Software Update
2008-02-23 15:23 --------- d-----w C:\Documents and Settings\Danny\Application Data\SpinTop
2008-02-21 21:32 --------- d-----w C:\Program Files\Aircraft POWERPACK II
2008-02-21 21:25 219 ----a-w C:\Program Files\tempwp.log
2008-02-21 21:22 --------- d-----w C:\Program Files\Common Files\merlin
2008-02-16 03:33 --------- d-----w C:\Program Files\RedStarPoker
2008-02-16 01:12 --------- d-----w C:\Program Files\Intel
2008-02-13 20:14 --------- d-----w C:\Program Files\GEICO
2008-02-13 20:07 --------- d-----w C:\Program Files\Nortel Networks
2008-02-13 20:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 15:50 743,016 ----a-w C:\Documents and Settings\Danny\GDSSetup.exe
2007-11-22 15:50 558,248 ----a-w C:\Documents and Settings\Danny\GoogleToolbarInstaller.exe
2006-11-21 12:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\mlknonat ----



((((((((((((((((((((((((((((( snapshot@2008-04-13_ 9.06.38.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 13:00:34 2,048 ----a-w C:\WINDOWS\bootstat.dat
+ 2008-04-13 19:52:00 2,048 ----a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2007-04-09 13:32 19456 C:\WINDOWS\system32\CtHelper.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"GEICOSecurityGuard"="C:\Program Files\GEICO\GSG\dsatray.exe" [2007-08-17 16:20 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 16:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-08-28 17:16:46 315392]
TunnelGuard Tray Monitor.lnk - C:\WINDOWS\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2008-02-13 16:07:41 8192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\Program Files\\Dell TrueMobile 2300\\ControlUtility.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10000:TCP"= 10000:TCP:torrent
"50:UDP"= 50:UDP:IPSEC Tunnel Encapsulation
"51:UDP"= 51:UDP:IPSEC Tunnel Encapsulation
"500:UDP"= 500:UDP:ISAKMP/IPsec Key Management
"8121:UDP"= 8121:UDP:TunnelGuard Connection
"8282:TCP"= 8282:TCP:TunnelGuard Communication
"10001:UDP"= 10001:UDP:NAT Traversal
"55370:TCP"= 55370:TCP:GSG Server Communication

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-10-12 09:34]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-03-18 06:10]
R3 DsaServ;GEICO Security Guard;"C:\Program Files\GEICO\GSG\DsaServ.exe" [2007-08-17 16:20]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-09-06 13:39]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 13:39]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-12-12 13:00]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2005-09-06 13:32]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-09-06 13:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 19:55:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 15:52:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\iphlpapi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
.
**************************************************************************
.
Completion time: 2008-04-13 15:55:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 19:55:51
ComboFix2.txt 2008-04-13 13:06:55
Pre-Run: 135,550,771,200 bytes free
Post-Run: 135,534,788,608 bytes free
.
2008-04-09 07:13:23 --- E O F ---



MBAM.LOG

Malwarebytes' Anti-Malware 1.11
Database version: 622

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 212605
Time elapsed: 1 hour(s), 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70522fa0-4656-11d5-b0e9-0050dac24e8f} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70522fa1-4656-11d5-b0e9-0050dac24e8f} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70522fa2-4656-11d5-b0e9-0050dac24e8f} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70522fa2-4656-11d5-b0e9-0050dac24e8f} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\iWon (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\History (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\Settings (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache (Adware.iWon) -> Quarantined and deleted successfully.
C:\Casino (Adware.Casino) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\rlxf.dll.vir (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\silc_dll.dll.vir (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\FOPN.sys.vir (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0A74774-7224-4B4D-BF5C-2F89813FBF96}\RP693\A0077594.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0A74774-7224-4B4D-BF5C-2F89813FBF96}\RP698\A0078982.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0A74774-7224-4B4D-BF5C-2F89813FBF96}\RP700\A0081167.sys (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0A74774-7224-4B4D-BF5C-2F89813FBF96}\RP700\A0081169.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F0A74774-7224-4B4D-BF5C-2F89813FBF96}\RP700\A0081170.dll (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\History\search (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\PM3.ico (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\IWONSLOT.DLL (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\PM3.ICO (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\UNINSTALL.INF (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A395E91 (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A395F4D.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A395FBA.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A396066.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A3960C4.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A396122.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A39617F.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A3961ED.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A39624B.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A3962A8.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A396306.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A396373.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A3963D1.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A39644E.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A3964AC.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A39650A.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A396596.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\0A3965D5.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\47D48A9D.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\47D48B29.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\47D48BB6.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\47D48C23.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\files.ini (Adware.iWon) -> Quarantined and deleted successfully.

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:39 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\GEICO\GSG\dsatray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\GEICO\GSG\DsaServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GEICOSecurityGuard] C:\Program Files\GEICO\GSG\dsatray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - F:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - F:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/sc ... ecubes.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Ice%20Cream%20Tycoon/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4883503592
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1040085203
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Magic%20Ball%203/Images/armhelper.ocx
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassic.microgaming.com/c ... lashAX.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: GEICO Security Guard (DsaServ) - GEICO - C:\Program Files\GEICO\GSG\DsaServ.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8867 bytes
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm

Re: computer plays 'tv show' in background

Unread postby Scotty » April 14th, 2008, 5:03 am

Hi

Congratulations, you appear to be malware free. :cheers:


I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Viewpoint Media Player, click Remove.


UltimateBet and the related sites are a risk and that's where most malware gets installed. Online Poker sites are well known for placing all manner of Internet parasites on their visitors' computers and continue to do so. They should be highly suspect for any Malware on your computer. In a lot of cases, these Poker plugins are also getting installed without your asking for it. You can read Poker gamers targeted by a rootkit backdoor regarding the risk involved with visiting the Poker games web sites. Two safe alternatives are PokerStars and Pogo.com.

I recommend that you remove Ultimate Bet.
To uninstall Ultimate Bet:
  1. Click Start > Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Ultimate Bet, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.
  5. Using Windows Explorer (Windows key+e), search for the Ultimate Bet folder. If the program folder is still there, select/highlight the Ultimate Bet folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
  6. Close Windows Explorer.
  7. Reboot.
Item(s) to fix in HijackThis:

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe


I also advise you to go to Add/Remove Programs and uninstall these:
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1


Do Not uninstall this one:
Java(TM) 6 Update 5


Time for some housekeeping

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u; it needs to be there.




Malwarebytes Anti-Malware is a good program to keep. If you wish to keep it, use it to do a quick scan once a week and keep it updated.
Remember, only the paid-for version offers real-time protection.

Here is another free program I recommend.

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Here is some great information from experts in this field that will help you stay clean and safe online.
http://forum.malwareremoval.com/viewtopic.php?t=14

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
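As an added example (not from the original thread or from any of the tools it mentions): a PowerShell script that reads the Add or Remove Programs entries and reports every Java runtime older than the newest one installed, which is exactly the set of old J2SE/Java entries listed in the post above. It assumes PowerShell 2.0 or later on a 32-bit Windows install; the sample names are taken from the post, and the registry path is the standard Uninstall key.

```powershell
# Added example, not part of the original thread: find stale Java runtimes.
# Parses the display names that Add or Remove Programs shows (the same names
# quoted in the post above) and reports every runtime older than the newest
# one installed. Nothing is uninstalled; the script only reports.
# Assumes PowerShell 2.0 or later and a 32-bit Windows install, where the
# uninstall entries live under HKLM\...\CurrentVersion\Uninstall (on 64-bit
# Windows the 32-bit entries sit under SOFTWARE\Wow6432Node instead).

function Get-JavaUpdateLevel {
    param([string]$DisplayName)
    # Extract the major release and update number from names such as
    # "J2SE Runtime Environment 5.0 Update 11" or "Java(TM) 6 Update 5".
    # "J2SE" itself never matches because the digit must be followed by an
    # optional ".x" and then the word "Update".
    if ($DisplayName -match '(\d+)(?:\.\d+)?\s+Update\s+(\d+)') {
        return New-Object PSObject -Property @{
            Name   = $DisplayName
            Major  = [int]$matches[1]
            Update = [int]$matches[2]
        }
    }
    return $null
}

function Find-StaleJavaRuntimes {
    param([string[]]$DisplayNames)
    # Keep only names that parse as a Java runtime, pick the newest by
    # (major, update), and return everything older than it.
    $parsed = @($DisplayNames | ForEach-Object { Get-JavaUpdateLevel $_ } |
               Where-Object { $_ -ne $null })
    if ($parsed.Count -eq 0) { return @() }
    $newest = $parsed | Sort-Object Major, Update -Descending | Select-Object -First 1
    return @($parsed | Where-Object {
        $_.Major -lt $newest.Major -or
        ($_.Major -eq $newest.Major -and $_.Update -lt $newest.Update)
    })
}

function Get-InstalledProgramNames {
    # Read DisplayName from every per-program uninstall key, which is what
    # the Add or Remove Programs list is built from.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $key | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).DisplayName
    } | Where-Object { $_ }
}

# Constructed sample: the Java entries listed in the post above, plus one
# unrelated program to show that non-Java entries are ignored.
$sampleNames = @(
    'J2SE Runtime Environment 5.0 Update 11',
    'J2SE Runtime Environment 5.0 Update 6',
    'J2SE Runtime Environment 5.0 Update 9',
    'Java(TM) 6 Update 2',
    'Java(TM) 6 Update 3',
    'Java(TM) SE Runtime Environment 6 Update 1',
    'Java(TM) 6 Update 5',
    'Winamp'
)

Write-Host 'Stale Java runtimes in the sample list (only Java(TM) 6 Update 5 is kept):'
Find-StaleJavaRuntimes $sampleNames | ForEach-Object { Write-Host "  remove: $($_.Name)" }

# The same check against the live machine.
Write-Host 'Stale Java runtimes installed on this machine:'
Find-StaleJavaRuntimes (Get-InstalledProgramNames) | ForEach-Object { Write-Host "  remove: $($_.Name)" }
```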

Re: computer plays 'tv show' in background

Unread postby dporter64 » April 14th, 2008, 10:00 am

Thanks so much for your time and energy... I hope you get some type of compensation for your efforts. This was much better than a rebuild. I may still have some programs just quitting and closing, but I will monitor that after I do a cleanup of my system...

If I need more help, I know where to come.

Thanks again.
dporter64
Active Member
 
Posts: 8
Joined: April 9th, 2008, 1:01 pm