[Resolved] Hijack this log


  • This topic is locked
16 replies to this topic

#1 mpm32

Authentic Member, 30 posts

Posted 20 April 2008 - 11:11 AM

Below is my hijack this log. Please take a look at it. Something has taken over my desktop image with what I assume is a fake "Click this to remove spyware from your PC" message. My PC is also very slow and I have run Adaware.

When I looked at the image name it was named "def".

Logfile of HijackThis v1.99.1
Scan saved at 1:02:21 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

Thanks for your help.

Edited by mpm32, 21 April 2008 - 10:16 AM.
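A defender-side triage pass over the HijackThis log format seen in this thread, added here as an example rather than anything from the original posts or from HijackThis itself: the sample lines are copied from the logs posted in this thread, and the heuristics (processes and autostarts under user-writable directories, the Policies\Explorer\Run key, orphaned BHO and service entries, proxy-bypass hosts) are my own assumptions about what a reviewer checks first, not a verdict on any file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, with a few benign ones kept for contrast. Not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Policies\Explorer\Run: [cgICuivwwa] C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
"""

# "O4 - HKLM\..\Run: [name] command" style entries, and bare process paths.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.(exe|com|scr)$", re.IGNORECASE)
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Directories any logged-on user can write to; code starting from here
# deserves a look (this also catches tools the user ran from the Desktop).
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\", "\\temp\\")
# Hosts that legitimately bypass the proxy.
LOCAL_PROXY_EXEMPT = {"<local>", "localhost", "127.0.0.1"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def _user_writable(path):
    return any(p in path.lower() for p in USER_WRITABLE)


def _check_proc(path):
    return ["process running from a user-writable directory"] if _user_writable(path) else []


def _check_r1(body):
    if "ProxyOverride = " not in body:
        return []
    hosts = body.split("ProxyOverride = ", 1)[1].split(";")
    odd = [h for h in hosts if h and h.lower() not in LOCAL_PROXY_EXEMPT]
    return [f"proxy bypass for non-local hosts: {', '.join(odd)}"] if odd else []


def _check_o2(body):
    return ["BHO registered but its DLL is gone (orphaned CLSID)"] if "(no file)" in body else []


def _check_o4(body):
    m = O4_RE.match(body)
    if not m:
        return []
    reasons = []
    if "policies\\explorer\\run" in m["key"].lower():
        reasons.append("autostart via Policies\\Explorer\\Run, a key most installers never use")
    if _user_writable(m["cmd"]):
        reasons.append("autostart executable lives in a user-writable directory")
    return reasons


def _check_o23(body):
    reasons = []
    if "(file missing)" in body:
        reasons.append("service binary missing on disk (orphaned service)")
    if "Unknown owner" in body:
        reasons.append("service binary carries no vendor information")
    return reasons


CHECKS = {"PROC": _check_proc, "R1": _check_r1, "O2": _check_o2,
          "O4": _check_o4, "O23": _check_o23}


def triage(log_text):
    """Return one Finding per log entry that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            sec, body = m["sec"], m["body"]
        elif PROC_RE.match(line):
            sec, body = "PROC", line
        else:
            continue  # headers, blank lines, sections we do not score
        reasons = CHECKS.get(sec, lambda _: [])(body)
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.line[:72])
        for r in f.reasons:
            print("   -", r)
```

A hit means "look at this entry", not "malicious"; the user-writable check is deliberately noisy, so HijackThis.exe itself shows up when run from the Desktop.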



#2 silver

Malware Expert Emeritus, 2,994 posts

Posted 25 April 2008 - 03:35 AM

Hi mpm32m,

Please download the latest version of HijackThis from here (right-click the link, select Save Target As..., select your Desktop and press Save):
http://downloads.mal.../HJTInstall.exe

Once you have downloaded the new version, remove the old version via Start->Control Panel->Add/Remove Programs and then delete the old program file from your Desktop.
Then run the new version's installer HJTInstall.exe and follow the prompts.
After installing, HijackThis will open automatically, but close the program for now.

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.

#3 mpm32

Authentic Member, 30 posts

Posted 25 April 2008 - 08:55 PM

Thanks for your help. Below are the two log files:

Deckard's System Scanner v20071014.68
Run by Mark on 2008-04-25 22:50:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
90: 2008-04-26 02:50:20 UTC - RP891 - Deckard's System Scanner Restore Point
89: 2008-04-25 06:34:46 UTC - RP890 - Windows Defender Checkpoint
88: 2008-04-25 06:24:57 UTC - RP889 - Software Distribution Service 3.0
87: 2008-04-24 06:51:16 UTC - RP888 - System Checkpoint
86: 2008-04-23 06:34:50 UTC - RP887 - Windows Defender Checkpoint


-- First Restore Point -- 
1: 2008-02-13 23:00:29 UTC - RP802 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mark.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:58 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Mark\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Policies\Explorer\Run: [cgICuivwwa] C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'Amie')
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Amie')
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [Uaol] "C:\WINDOWS\system32\STEM32~1\dexplore.exe" -vt yazb (User 'Amie')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-3367265213-4223227456-216994003-1006 Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe (User 'Amie')
O4 - S-1-5-21-3367265213-4223227456-216994003-1006 User Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe (User 'Amie')
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 11291 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 ATNT40K (ActiveTouch NT Appsharing Driver) - c:\windows\system32\drivers\atnt40k.sys
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>

S3 catchme - c:\docume~1\mark\locals~1\temp\catchme.sys (file missing)
S3 Tablet2k (Serial Tablet Port Driver) - "c:\windows\system32\drivers\tablet2k.sys" (file missing)
S3 TClass2k (Tablet Class Driver) - c:\windows\system32\drivers\tclass2k.sys <Not Verified; Tablet Driver; Tablet Class Driver for Win2000/XP>
S3 UCTblHid (HID Tablet Port Driver) - c:\windows\system32\drivers\uctblhid.sys <Not Verified; Tablet Driver; HID Tablet Filter Driver For Win2000/XP>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R2 WinTabService (WinTab Service) - "c:\windows\system32\drivers\wtsrv.exe" <Not Verified; Tablet Driver; Tablet Driver for Win2000/XP>

S2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe (file missing)
S4 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\winself.exe service
S4 Switch Off - c:\program files\switch off\swoff.exe -service <Not Verified; YaSoft; Switch Off>
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-25 02:25:07	   330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-03-25 and 2008-04-25 -----------------------------

2008-04-25 17:13:04		 0 d-------- C:\WINDOWS\??mantec
2008-04-24 17:53:12		 0 d-------- C:\WINDOWS\system32\?dobe
2008-04-23 17:14:26		 0 d-------- C:\Documents and Settings\Amie\Application Data\?racle
2008-04-22 19:25:40		 0 d-------- C:\Documents and Settings\All Users\Application Data\noptaizb
2008-04-22 16:54:33		 0 d-------- C:\Program Files\Common Files\??crosoft
2008-04-22 16:54:23	 60928 --a------ C:\WINDOWS\system32\lpayr.dll
2008-04-21 17:59:02		 0 d-------- C:\Documents and Settings\All Users\Application Data\pyubtxnw
2008-04-21 16:49:02		 0 d-------- C:\Program Files\Common Files\s?stem32
2008-04-20 11:29:57		 0 d-------- C:\Documents and Settings\Mark\Desktopvirii
2008-04-20 11:29:38	  4096 --a------ C:\Documents and Settings\Mark\Desktopfilemanagerclient.exe
2008-04-20 11:29:36	  4096 --a------ C:\Documents and Settings\Mark\DesktopFWebdEditor.exe
2008-04-20 11:29:36	  4096 --a------ C:\Documents and Settings\Mark\Desktopfwebd.exe
2008-04-20 11:29:05	 94208 --a------ C:\WINDOWS\system32\ulmdwpcz.exe
2008-04-19 16:50:12		 0 d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-19 08:58:36	 29952 --a------ C:\WINDOWS\stcloader.exe
2008-04-19 08:58:35	 12800 --a------ C:\WINDOWS\voiceip.dll
2008-04-19 08:58:35	 19968 --a------ C:\WINDOWS\swin32.dll
2008-04-19 08:58:35	 17408 --a------ C:\WINDOWS\mspphe.dll
2008-04-19 08:58:35	 13568 --a------ C:\WINDOWS\cdsm32.dll
2008-04-19 08:58:35	  8960 --a------ C:\WINDOWS\bokja.exe
2008-04-19 08:58:35	 28160 --a------ C:\WINDOWS\bjam.dll
2008-04-19 08:58:32	 15872 --a------ C:\WINDOWS\saiemod.dll
2008-04-19 08:58:31	 22016 --a------ C:\WINDOWS\msapasrc.dll
2008-04-19 08:58:31	 22016 --a------ C:\WINDOWS\msa64chk.dll
2008-04-19 08:58:30	 27392 --a------ C:\WINDOWS\winsb.dll
2008-04-19 08:58:30	 10496 --a------ C:\WINDOWS\shdocpl.dll
2008-04-19 08:58:30	 23040 --a------ C:\WINDOWS\shdocpe.dll
2008-04-19 08:58:30	 14592 --a------ C:\WINDOWS\ntnut.exe
2008-04-19 08:58:29	 14080 --a------ C:\WINDOWS\browserad.dll
2008-04-19 08:58:29	 32768 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-19 08:58:29	 16384 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-19 08:58:29	 26368 --a------ C:\WINDOWS\avifile32.dll
2008-04-19 08:58:29	 19456 --a------ C:\WINDOWS\autodisc32.dll
2008-04-19 08:58:29	  8448 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-19 08:58:29	 24832 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-19 08:58:28	 24320 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-19 08:58:28	 29184 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-19 08:58:28	 12800 --a------ C:\WINDOWS\athprxy32.dll
2008-04-19 08:58:28	 12288 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-19 08:58:28	  8192 --a------ C:\WINDOWS\asferror32.dll
2008-04-19 08:58:28	 16640 --a------ C:\WINDOWS\apphelp32.dll
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-19 08:44:39	  4096 --a------ C:\WINDOWS\a.bat
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-19 08:44:38		 0 d-------- C:\WINDOWS\system32smp
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-19 08:44:38	  4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-19 08:44:38		 0 d-------- C:\Documents and Settings\Amie\Desktopvirii
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-19 08:44:37	  4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-19 08:44:37	  4096 --a------ C:\Documents and Settings\Amie\DesktopFWebdEditor.exe
2008-04-19 08:44:37	  4096 --a------ C:\Documents and Settings\Amie\Desktopfilemanagerclient.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\mssecu.exe
2008-04-19 08:44:36	  4096 --a------ C:\WINDOWS\bdn.com
2008-04-19 08:44:36	  4096 --a------ C:\Documents and Settings\Amie\Desktopfwebd.exe
2008-04-19 08:44:35	  4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-19 08:44:35		 0 d-------- C:\WINDOWS\mslagent
2008-04-19 08:44:35		 0 d-------- C:\Program Files\akl
2008-04-19 08:44:23		 0 d-------- C:\Documents and Settings\All Users\Application Data\clwrofyv
2008-04-19 08:44:22	 98304 --a------ C:\WINDOWS\system32\oxsvmhij.exe
2008-04-19 08:44:17		 0 d-------- C:\WINDOWS\PerfInfo
2008-04-19 08:44:17		 0 d-------- C:\WINDOWS\mgwwgmke
2008-04-19 08:44:16	 65024 --a------ C:\Documents and Settings\All Users\Application Data\fqfopazu.dll
2008-04-19 08:44:14	192512 --a------ C:\WINDOWS\tcjgzinw.dll
2008-04-19 08:44:11	 65024 --a------ C:\WINDOWS\ejafgror.dll
2008-04-19 08:43:55		 0 d-------- C:\Program Files\Outerinfo
2008-04-19 08:43:46		 0 d-------- C:\Program Files\Common Files\T?sks
2008-04-19 08:43:44		 0 d-------- C:\Program Files\QdrPack
2008-04-19 08:43:27		 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-19 08:43:09		 0 d-------- C:\Program Files\Bat
2008-04-19 08:43:05		 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-19 08:43:04		 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-04-19 08:43:03		 0 d-------- C:\Program Files\QdrModule
2008-04-19 08:43:01		 0 d-------- C:\Program Files\QdrDrive
2008-04-19 08:42:57		 0 d-------- C:\Program Files\ISM
2008-04-19 08:42:52	 89515 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-19 08:42:52	 89515 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-19 08:42:48	 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-04-19 08:42:47		 0 d-------- C:\WINDOWS\system32\??stem32
2008-04-19 08:42:44	 28672 --a------ C:\WINDOWS\winself.exe
2008-04-19 08:42:26	  6656 --a------ C:\WINDOWS\tions.dll
2008-04-18 19:58:40	  6656 --a------ C:\WINDOWS\system32\000060.exe
2008-04-11 15:44:48	187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-04-11 14:44:58	229526 --a------ C:\WINDOWS\system32\000080.exe
2008-04-05 01:29:14	270694 --a------ C:\WINDOWS\system32\000090.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-25 22:49:11		 0 d-------- C:\Program Files\Lx_cats
2008-04-25 22:47:13		 0 d-------- C:\Program Files\Trend Micro
2008-04-25 16:21:14		 0 d-------- C:\Program Files\Quicken
2008-04-23 17:14:26		 0 d-------- C:\Program Files\Common Files\??crosoft
2008-04-22 16:54:33		 0 d-------- C:\Program Files\Common Files
2008-04-22 16:54:33		 0 d-------- C:\Program Files\Common Files\s?stem32
2008-04-20 12:02:56		 0 d-------- C:\Program Files\SpywareBlaster
2008-04-20 09:05:47		 0 d-------- C:\Program Files\Common Files\T?sks
2008-03-21 20:36:43		 0 d-------- C:\Documents and Settings\Mark\Application Data\Canon
2008-03-10 19:15:11		 0 d-------- C:\Documents and Settings\Mark\Application Data\Intuit
2008-03-10 19:09:58		 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-10 19:09:56		 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-10 19:07:24		 0 d-------- C:\Program Files\TurboTax
2008-03-02 15:02:20		 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 03:56 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/20/2005 01:06 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/20/2005 01:10 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/23/2005 02:20 AM C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [11/23/2005 03:52 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 06:30 PM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 05:33 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [10/01/2006 02:03 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/14/2004 02:12 AM]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [04/30/2007 04:19 AM]
"PhotoExplosionCalCheck"="C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe" [09/20/2006 12:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 07:39 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [1/7/2007 8:36:46 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 7:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"cgICuivwwa"=C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"AOL ACS"=2 (0x2)
"Adobe LM Service"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-25 22:52:29 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1014.07 MiB / 483.66 MiB
Pagefile Memory (total/avail): 2441.16 MiB / 1998.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.51 MiB

C: is Fixed (NTFS) - 69.82 GiB total, 25.43 GiB free. 
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JD-75MSA1 - 74.5 GiB - 3 partitions
  \PARTITION0 - Unknown - 39.19 MiB
  \PARTITION1 (bootable) - Installable File System - 69.82 GiB - C:
  \PARTITION2 - Unknown - 4.64 GiB

\\.\PHYSICALDRIVE1 - TEAC USB   HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB   HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB   HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB   HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v12 (Trend Micro, Inc.)
AV: Trend Micro PC-cillin Internet Security v12.7.1019 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"="C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe:*:Disabled:Device Monitor Application"
"C:\\Documents and Settings\\Amie\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"="C:\\Documents and Settings\\Amie\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe:*:Enabled:dsTermServ Module"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe:*:Enabled: "


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mark\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D1FWGW81
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mark
LOGONSERVER=\\D1FWGW81
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Nova Development\Photo Explosion 3.0 SE\;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mark\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mark\LOCALS~1\Temp
USERDOMAIN=D1FWGW81
USERNAME=Mark
USERPROFILE=C:\Documents and Settings\Mark
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI 


-- User Profiles ---------------------------------------------------------------

Mark (admin)
Amie (admin)
Lili
Nate
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program Files\Common Files\Intel Shared\IP Video Telephony\Setup.exe" uninstall webclient clientid="CS5" clientpath="C:\Program Files\Intel\Createshare\VideoPhone\" inf="VSDKWSetup.inf"
 --> "C:\Program Files\Intel\Createshare\Inetcam\uninstall.exe" /s 
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
 --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
 --> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
 --> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
 --> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25B20E43-4CE3-11D4-AF89-00A0C9E05BC5}\Setup.exe" 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2EDA9289-CCA7-11D7-8466-00D0B726B56E}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C9DDCE0-66CF-11D4-9100-0090274FBE9A}\setup.exe" 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68DC5968-0278-11D5-8EAA-00062973342B}\setup.exe"  maintflag
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll<UNINSTALL_CMD> 
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 7.0 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Illustrator 9.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Illustrator 9.0\Uninst.isu" -c"C:\Program Files\Adobe\Illustrator 9.0\Uninst.dll"
Adobe Photoshop 5.0 Limited Edition --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0 LE\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0 LE\Uninst.dll"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SVG Viewer --> C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\System32\Adobe\SVG Viewer\Uninst.isu"
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9  -removeonly
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
ArcSoft PhotoBase --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoBase\Uninst.isu"
ArcSoft PhotoStudio 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoStudio 2000\Uninst.isu"
AT&T WorldNet Setup --> C:\WINDOWS\WNBackup\WNS50\wnun50.exe C:\PROGRA~1\AT&T
Avatar - The Last Airbender --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E67EDCA1-18E1-4136-ABF6-D21F2A129A46}\setup.exe" -l0x9  -uninst 
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Backup To DVD/CD version 5.1 --> "C:\Program Files\Willow Creek Software\unins000.exe"
Barbie(TM) as Rapunzel --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\RapunzelUn.exe
Barbie(TM) as The Princess and the Pauper --> C:\Program Files\Common Files\Vivendi Universal Games\Uninstall\PPauperUn.exe
Barbie(TM) Explorer(TM) --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\BrbExpPCUn.exe
Bat --> "C:\Program Files\Bat\un_BatSetup_15041.exe"
Bejeweled 2 Deluxe --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\989E4C3B-B2C9-4486-9A09-D5A8F953837C\Uninstall.exe"
Blue's Art Time Activities --> C:\WINDOWS\IsUninst.exe -fC:\HEGames\ArtTime\Uninst.isu -c"C:\HEGames\ArtTime\Uninst.dll
Blue's Treasure Hunt --> C:\WINDOWS\IsUninst.exe -f"c:\hegames\Blues Treasure Hunt\Uninst.isu" -c"c:\hegames\Blues Treasure Hunt\Uninst.dll
Caere Scan Manager 5.1 --> MsiExec.exe /I{81D62C32-0984-11D3-86CD-00105AD33021}
Caillou(R) Magic Playhouse(TM) --> C:\Program Files\The Learning Company\Caillou(R) Magic Playhouse(TM)\uninstall.exe
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon iP6600D --> C:\WINDOWS\system32\CNMCP7D.exe "-PRINTERNAMECanon iP6600D" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP6600D Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon iP6600D Memory Card Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{86D28491-78AB-445C-A507-6F3FA81D7611}\setup.exe"  /PDUUninstall
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\Canon\PhotoRecord\Uninst.isu -c"C:\PROGRA~1\Canon\PhotoRecord\Program\uninstdll.dll"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon ScanGear Toolbox CS 2.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ScanGear Toolbox CS\Uninst.isu" -c"C:\Program Files\Canon\ScanGear Toolbox CS\uninst.dll"
Canon Utilities Digital Photo Professional 2.2 --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities File Viewer Utility 1.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{EF0DD8B7-471C-463B-A298-6066C2FABAF5} 
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0} 
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Charter Pipeline Professor --> "C:\Program Files\Support.com\bin\tgfix.exe" /rm /nq /provider Charter
Charter Solution Controls Installation --> "C:\Program Files\Support.com\unins001.exe"
Corel Painter IX --> MsiExec.exe /I{A0383B7D-81A2-49D3-BE06-C0FD9EFB9DFC}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell DJ Explorer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2EDA9289-CCA7-11D7-8466-00D0B726B56E}\setup.exe" -l0x9  /remove
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Game Console --> "C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe"
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
Diego's Dinosaur Adventure --> C:\PROGRA~1\NICKJR~1.ARC\DIEGO'~1\UNWISE.EXE C:\PROGRA~1\NICKJR~1.ARC\DIEGO'~1\INSTALL.LOG
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Disney's Lilo & Stitch Trouble in Paradise --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAD91AB4-1704-4037-8F66-462B46ACF6A1}\setup.exe" -l0x9 Disney's Lilo & Stitch Trouble in Paradise
Disney's Mahjongg --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D30CB638-BE3C-4EEA-80C9-C60EE73D8BB5}\setup.exe" -l0x9 Disney's Mahjongg
Disney's Princess Fashion Boutique --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92B71406-5264-4020-8A9E-5F3502FC2AF3}\setup.exe" -l0x9 Disney's Princess Fashion Boutique
Disney's Winnie the Pooh Toddler --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98E7E8A0-F859-11D4-B231-0050DACD394D}\setup.exe" Uninstall
Disney Princess Royal Horse Show --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2387D970-F42D-4278-AA40-7B727F9721FC}\setup.exe" -l0x9 Disney Princess Royal Horse Show
Dragon Frog Jamboree --> "C:\Program Files\Sesame Workshop\Dragon Frog Jamboree\Uninstall.exe" "C:\Program Files\Sesame Workshop\Dragon Frog Jamboree\install.log"
DV Studio3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5DF68560-292A-11D5-99D1-00010256D40E}\setup.exe" 
DVD Identifier --> "C:\Program Files\DVD Identifier\Uninst\unins000.exe"
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
EASEUS Data Recovery Wizard 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC762EAA-069E-47F4-87C3-8C944A4E7B49}\setup.exe" -l0x9  -removeonly
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
FA Addition Subtraction --> C:\WINDOWS\unvise32.exe C:\Program Files\sz8022\uninstal.log
First Steps --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E05C1807-0FAA-4C17-81DF-C8C96489D363}\setup.exe" -l0x9 
FREE Hi-Q Recorder 1.9 --> "C:\Program Files\FREE Hi-Q Recorder\unins000.exe"
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Hauppauge English Help Files and Resources --> C:\PROGRA~1\WinTV\UNHLPeng.EXE C:\PROGRA~1\WinTV\WTV2Keng.LOG
Hauppauge WinTV Infrared Remote --> C:\PROGRA~1\WinTV\UNir32.EXE C:\PROGRA~1\WinTV\ir32.LOG
Hauppauge WinTV IR Blaster --> C:\PROGRA~1\WinTV\UNirblst.EXE C:\PROGRA~1\WinTV\IRblast.LOG
Hauppauge WinTV Scheduler --> C:\PROGRA~1\WinTV\SCHEDU~1\UniSched.EXE C:\PROGRA~1\WinTV\SCHEDU~1\INSTALL.LOG
Hauppauge WinTV Soft PVR --> C:\PROGRA~1\WinTV\UNSftPVR.EXE C:\PROGRA~1\WinTV\softpvr.LOG
Hauppauge WinTV Source Selector --> C:\PROGRA~1\WinTV\UNtvsel.EXE C:\PROGRA~1\WinTV\WINTVsel.LOG
Hauppauge WinTV2000 --> C:\PROGRA~1\WinTV\UNTV32.EXE C:\PROGRA~1\WinTV\WINTV2K.LOG
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem"
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
Intel(R) PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Intel® Create & Share® Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9496E9E4-F20A-11D4-8EAA-00062973342B}\setup.exe"  -l0009 maintflag
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
JumpStart Toddlers 2001 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Knowledge Adventure\JSTD2001\DeIsL2.isu"
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Kitty Luv --> C:\PROGRA~1\Disney\DISNEY~1\KITTYL~1\UNWISE.EXE C:\PROGRA~1\Disney\DISNEY~1\KITTYL~1\INSTALL.LOG
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark 1300 Series --> C:\Program Files\Lexmark 1300 Series\Install\x86\Uninst.exe
LimeWire 4.9.37 --> "C:\Program Files\LimeWire\uninstall.exe"
Little Mermaid II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE90BF5F-501C-4893-A7D7-44C64FC2308C}\setup.exe" -l0x9 Little Mermaid II
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Meeting Manager for Internet Explorer --> MsiExec.exe /I{F2AB2488-A0BF-4A9B-98A9-A88CF20FD2FF}
Meeting Service Player --> C:\PROGRA~1\WebEx\atcliun.exe
Memorex exPressit Label Design Studio --> C:\WINDOWS\mvuninst\App1\mvuninst.exe "Memorex exPressit Label Design Studio"
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft MapPoint North America 2004 --> MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790230}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{5E8858EC-6B09-4939-99F2-5678073A0327}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9 
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9  -uninst 
Online Manuals for WinTV (English) --> C:\PROGRA~1\WinTV\UNTVmans.exe C:\PROGRA~1\WinTV\WinTVMan.LOG
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
PartyPokerNet --> "C:\Program Files\PartyGaming.Net\PartyPokerNet\Uninstall.exe" "C:\Program Files\PartyGaming.Net\PartyPokerNet\install.log"
PC Pitstop Exterminate 1.0 --> "C:\Program Files\PCPitstop\Exterminate\unins000.exe"
Photo Explosion 3.0 Special Edition --> MsiExec.exe /X{C778BD4F-0DEA-4D39-B7C1-992E1BFFD351}
Polar Bowler --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3\Uninstall.exe"
Polar UpLink Tool --> MsiExec.exe /X{F996DEB7-4AD7-4F15-84AA-114B8BE45911}
Polar WebLink 2.0 --> MsiExec.exe /X{87B69E57-CC3A-43D8-87F2-5DBB19AD6280}
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe"  -uninstall
Princess Fashion Boutique --> C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{c0656c2e-302d-4900-a962-a80baa1125e1}.sdb"
Puppy Luv: A New Breed --> C:\PROGRA~1\Disney\DISNEY~1\PUPPYL~1\UNWISE.EXE C:\PROGRA~1\Disney\DISNEY~1\PUPPYL~1\INSTALL.LOG
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1 
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033 
Reader Rabbit's Toddler --> C:\WINDOWS\uninst.exe -fC:\Tlcwin\Rrt\uninstal\DeIsL1.isu
Reader Rabbit Kindergarten --> C:\Program Files\The Learning Company\Reader Rabbit Kindergarten\uninstal.exe
Reader Rabbit Preschool --> C:\Program Files\The Learning Company\Reader Rabbit Preschool\uninstal.exe
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SpiralFrog Download Manager 0.8.24 --> MsiExec.exe /X{95738B44-49CF-4C62-A620-320F1007B14A}
SpongeBob SquarePants Diner Dash 2 --> C:\PROGRA~1\NICKAR~1\SPONGE~1\UNWISE.EXE C:\PROGRA~1\NICKAR~1\SPONGE~1\INSTALL.LOG
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Switch Off --> "C:\Program Files\Switch Off\uninstall.exe"
Trend Micro PC-cillin Internet Security 12 --> MsiExec.exe /X{7698EDA5-A90F-4205-99CB-8FF6F9048ED9}
TurboTax 2005 --> C:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
U.B. Funkeys --> C:\Program Files\U.B. Funkeys\uninstall.exe
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
USB Driver for Panasonic DVC --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6304CCF6-3343-4DA5-96B6-84B3A644B93B} /l1033 
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg  "enginecf.inf,RealUninstallSection,,4"
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9  -eliminate
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908250 --> "C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
WinPatrol --> MsiExec.exe /I{3205A978-4A7A-403B-A4B9-D48E6BAFB73B}


-- Application Event Log -------------------------------------------------------

Event Record #/Type6590 / Warning
Event Submitted/Written: 04/25/2008 10:46:33 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6585 / Error
Event Submitted/Written: 04/25/2008 09:04:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application outlook.exe, version 9.0.0.2416, faulting module unknown, version 0.0.0.0, fault address 0x013dc8fe.
Processing media-specific event for [outlook.exe!ws!]

Event Record #/Type6583 / Warning
Event Submitted/Written: 04/25/2008 08:59:38 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6581 / Warning
Event Submitted/Written: 04/25/2008 08:59:00 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6580 / Error
Event Submitted/Written: 04/25/2008 04:21:33 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application outlook.exe, version 9.0.0.2416, faulting module unknown, version 0.0.0.0, fault address 0x013de452.
Processing media-specific event for [outlook.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type35921 / Warning
Event Submitted/Written: 04/25/2008 10:52:07 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%D1FWGW8127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %D1FWGW8127 can't undo changes that you allow.

For more information please see the following:
%D1FWGW81275

	Scan ID: {FD5953DE-3596-41D0-9648-EB4DDF2D7ABA}

	User: D1FWGW81\Mark

	Name: %D1FWGW81271

	ID: %D1FWGW81272

	Severity: 1.1.1593.05

	Category: 1.1.1593.06

	Path Found: %D1FWGW81276

	Alert Type: %D1FWGW81278

	Detection Type: 1.1.1593.02

Event Record #/Type35920 / Warning
Event Submitted/Written: 04/25/2008 10:52:07 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%D1FWGW8127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %D1FWGW8127 can't undo changes that you allow.

For more information please see the following:
%D1FWGW81275

	Scan ID: {06E296C4-9BF1-4B7F-B8BE-292256582D3A}

	User: D1FWGW81\Mark

	Name: %D1FWGW81271

	ID: %D1FWGW81272

	Severity: 1.1.1593.05

	Category: 1.1.1593.06

	Path Found: %D1FWGW81276

	Alert Type: %D1FWGW81278

	Detection Type: 1.1.1593.02

Event Record #/Type35919 / Warning
Event Submitted/Written: 04/25/2008 10:52:07 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%D1FWGW8127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %D1FWGW8127 can't undo changes that you allow.

For more information please see the following:
%D1FWGW81275

	Scan ID: {05166CEC-E63F-4CBB-A94C-AEFE91AEC8B1}

	User: D1FWGW81\Mark

	Name: %D1FWGW81271

	ID: %D1FWGW81272

	Severity: 1.1.1593.05

	Category: 1.1.1593.06

	Path Found: %D1FWGW81276

	Alert Type: %D1FWGW81278

	Detection Type: 1.1.1593.02

Event Record #/Type35918 / Warning
Event Submitted/Written: 04/25/2008 10:52:05 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%D1FWGW8127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %D1FWGW8127 can't undo changes that you allow.

For more information please see the following:
%D1FWGW81275

	Scan ID: {4F4A7D24-8F09-4EF0-A08F-AFCEC593010D}

	User: D1FWGW81\Mark

	Name: %D1FWGW81271

	ID: %D1FWGW81272

	Severity: 1.1.1593.05

	Category: 1.1.1593.06

	Path Found: %D1FWGW81276

	Alert Type: %D1FWGW81278

	Detection Type: 1.1.1593.02

Event Record #/Type35917 / Warning
Event Submitted/Written: 04/25/2008 10:52:05 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%D1FWGW8127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %D1FWGW8127 can't undo changes that you allow.

For more information please see the following:
%D1FWGW81275

	Scan ID: {0F00E2D6-620C-4709-9009-A8D269087E8B}

	User: D1FWGW81\Mark

	Name: %D1FWGW81271

	ID: %D1FWGW81272

	Severity: 1.1.1593.05

	Category: 1.1.1593.06

	Path Found: %D1FWGW81276

	Alert Type: %D1FWGW81278

	Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-04-25 22:52:29 ------------


#4 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 25 April 2008 - 10:06 PM

Hi mpm32,

The DSS report shows your Trend Micro antivirus program as having outdated definitions. Without updates this program cannot protect you effectively, so you must update it immediately. If your subscription has expired then either renew it, or remove the program and install another antivirus program. There are several free packages available; two of the most popular are here:
Antivir: http://www.free-av.com/
Avast!: http://www.avast.com...avast-home.html

Please ensure you have one antivirus program active and up-to-date before continuing.

------------------------------------------------------------------------

Temporarily disable Windows Defender:
  • Right-click on the Windows Defender icon in the system tray and select Open
  • Click on Tools from the top menu, then press Options
  • Scroll down to Real-time protection options, uncheck Use real-time protection and press Save
  • Close Windows Defender

Temporarily disable WinPatrol:
  • Open WinPatrol via the Start Menu or by double-clicking the taskbar icon
  • Select the Options tab and un-check the box marked Automatically run WinPatrol when computer starts
  • Close WinPatrol


------------------------------------------------------------------------

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

Bat
Internet Speed Monitor
Java 2 Runtime Environment, SE v1.4.2_03
Outerinfo

The Java installation is out of date and now a security risk; you can get the latest update (version 6 update 6) from here. The other entries are malware-related.

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
To remove, uninstall these entries via Add/Remove Programs:

Viewpoint Manager (Remove Only)
Viewpoint Media Player


You have LimeWire, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours.
You can remove Limewire via Add/Remove Programs.

Party Poker has been reported as being malware-related, so I strongly recommend you remove it.
To do so, uninstall PartyPoker and PartyPokerNet via Add/Remove Programs.

------------------------------------------------------------------------

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [cgICuivwwa] C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [Uaol] "C:\WINDOWS\system32\STEM32~1\dexplore.exe" -vt yazb (User 'Amie')
O4 - S-1-5-21-3367265213-4223227456-216994003-1006 Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe (User 'Amie')
O4 - S-1-5-21-3367265213-4223227456-216994003-1006 User Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe (User 'Amie')

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    NOTE: I have attached the file list as OTMoveIt.txt so you can download it and copy/paste it from Notepad if you prefer.
    OTMoveIt File List:
    C:\Documents and Settings\All Users\Application Data\clwrofyv
    C:\Program Files\Bat
    C:\Program Files\ISM
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4
    C:\WINDOWS\??mantec /u
    C:\WINDOWS\system32\?dobe /u
    C:\Documents and Settings\Amie\Application Data\?racle /u
    C:\Documents and Settings\All Users\Application Data\noptaizb
    C:\Program Files\Common Files\??crosoft /u
    C:\WINDOWS\system32\lpayr.dll
    C:\Documents and Settings\All Users\Application Data\pyubtxnw
    C:\Program Files\Common Files\s?stem32 /u
    C:\Documents and Settings\Mark\Desktopvirii
    C:\Documents and Settings\Mark\Desktopfilemanagerclient.exe
    C:\Documents and Settings\Mark\DesktopFWebdEditor.exe
    C:\Documents and Settings\Mark\Desktopfwebd.exe
    C:\WINDOWS\system32\ulmdwpcz.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\asferror32.dll
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\system32winlogonpc.exe
    C:\WINDOWS\system32taack.exe
    C:\WINDOWS\system32taack.dat
    C:\WINDOWS\system32sncntr.exe
    C:\WINDOWS\system32mwin32.exe
    C:\WINDOWS\system32hxiwlgpm.exe
    C:\WINDOWS\system32hxiwlgpm.dat
    C:\WINDOWS\system32hoproxy.dll
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\a.bat
    C:\WINDOWS\system32ssurf022.dll
    C:\WINDOWS\system32smp
    C:\WINDOWS\system32psoft1.exe
    C:\WINDOWS\system32psof1.exe
    C:\WINDOWS\system32ps1.exe
    C:\WINDOWS\system32msnbho.dll
    C:\WINDOWS\system32medup020.dll
    C:\WINDOWS\system32medup012.dll
    C:\WINDOWS\system32bsva-egihsg52.exe
    C:\WINDOWS\iTunesMusic.exe
    C:\Documents and Settings\Amie\Desktopvirii
    C:\WINDOWS\system32thun32.dll
    C:\WINDOWS\system32thun.dll
    C:\WINDOWS\system32temp#01.exe
    C:\WINDOWS\system32ssvchost.exe
    C:\WINDOWS\system32ssvchost.com
    C:\WINDOWS\system32Rundl1.exe
    C:\WINDOWS\system32regm64.dll
    C:\WINDOWS\system32regc64.dll
    C:\WINDOWS\system32netode.exe
    C:\WINDOWS\system32mtr2.exe
    C:\WINDOWS\system32msvchost.exe
    C:\WINDOWS\system32msgp.exe
    C:\WINDOWS\system32h@tkeysh@@k.dll
    C:\WINDOWS\system32dpcproxy.exe
    C:\Documents and Settings\Amie\DesktopFWebdEditor.exe
    C:\Documents and Settings\Amie\Desktopfilemanagerclient.exe
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\system32WINWGPX.EXE
    C:\WINDOWS\system32winsystem.exe
    C:\WINDOWS\system32vcatchpi.dll
    C:\WINDOWS\system32sysreq.exe
    C:\WINDOWS\system32newsd32.exe
    C:\WINDOWS\system32mssecu.exe
    C:\WINDOWS\system32emesx.dll
    C:\WINDOWS\system32bdn.com
    C:\WINDOWS\system32awtoolb.dll
    C:\WINDOWS\system32anticipator.dll
    C:\WINDOWS\system32akttzn.exe
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\bdn.com
    C:\Documents and Settings\Amie\Desktopfwebd.exe
    C:\WINDOWS\system32vbsys2.dll
    C:\WINDOWS\mslagent
    C:\Program Files\akl
    C:\Documents and Settings\All Users\Application Data\clwrofyv
    C:\WINDOWS\system32\oxsvmhij.exe
    C:\WINDOWS\mgwwgmke
    C:\Documents and Settings\All Users\Application Data\fqfopazu.dll
    C:\WINDOWS\tcjgzinw.dll
    C:\WINDOWS\ejafgror.dll
    C:\Program Files\Outerinfo
    C:\Program Files\Common Files\T?sks /u
    C:\Program Files\QdrPack
    C:\WINDOWS\system32\winfrun32.bin
    C:\Program Files\QdrModule
    C:\Program Files\QdrDrive
    C:\WINDOWS\system32\wmsdkns.exe
    C:\WINDOWS\lfn.exe
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\WINDOWS\system32\??stem32 /u
    C:\WINDOWS\winself.exe
    C:\WINDOWS\tions.dll
    C:\WINDOWS\system32\000060.exe
    C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
    C:\WINDOWS\system32\000080.exe
    C:\WINDOWS\system32\000090.exe
    C:\Program Files\Common Files\??crosoft /u
    C:\Program Files\Common Files\s?stem32 /u
    C:\Program Files\Common Files\T?sks /u
    C:\WINDOWS\PerfInfo
    C:\WINDOWS\system32\STEM32~1
    purity
    emptytemp
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2

------------------------------------------------------------------------

Clean with MalwareBytes' Anti-Malware
  • Please download the Installer to your Desktop from here:
    http://www.besttechi.../mbam-setup.exe
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to both of these options:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure everything is checked, and click Remove Selected.
  • When finished, a log will open in Notepad. Please save it to your Desktop, and post the contents in your reply.
  • The log can also be found here if you need it:
    • Start->All Programs->Malwarebytes' Anti-Malware->Logs

------------------------------------------------------------------------

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press the Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear, make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!

Once complete, please post the OTMoveIt report, the MalwareBytes Anti-Malware report and the new DSS main.txt.

Attached Files


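As an added example (not part of this thread and not HijackThis's own code), a small Python triage script that applies the three patterns behind the O2/O4 lines silver checked above: orphaned BHO CLSIDs with "(no file)", autoruns registered under Policies\Explorer\Run, and autoruns launched from a user-writable data directory. The sample lines are constructed from entries quoted in this thread; the "Constructed Benign Helper" BHO, its CLSID and the Windows Defender Run entry are made up for contrast.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape HijackThis 1.99 prints. The first and the
# fourth/fifth lines are taken from this thread; the others are made-up benign
# entries so the script has something it should NOT flag.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Constructed Benign Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Vendor\helper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Policies\Explorer\Run: [cgICuivwwa] C:\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [Uaol] "C:\WINDOWS\system32\STEM32~1\dexplore.exe" -vt yazb (User 'Amie')
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O4 Run-style lines: "O4 - <key>: [<value name>] <command line>"
# (Startup-folder O4 lines use "name.lnk = path" and are not parsed here.)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# First executable path in a command line, quoted or not.
EXE_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|com|bat|cmd|scr|pif|dll))"?',
    re.IGNORECASE,
)

# Directory fragments (Windows XP layout) that any logged-on user can write to.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    kind: str   # which heuristic fired
    line: str   # the log line it fired on


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (heuristic, line) pair, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # A BHO whose DLL is gone is a leftover CLSID registration;
            # harmless on its own, but it marks where something was removed.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding("orphaned-bho", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        # Legitimate installers almost never register autoruns under the
        # Policies\Explorer\Run key; it is used because many tools ignore it.
        if "policies\\explorer\\run" in key:
            findings.append(Finding("policies-run-autorun", line))
        exe = EXE_RE.match(m.group("cmd"))
        if exe and any(mk in exe.group("path").lower() for mk in USER_WRITABLE_MARKERS):
            findings.append(Finding("autorun-from-user-writable-dir", line))
        # Note: the dexplore.exe entry above is not caught by these two path
        # checks, which is why a human still reviews the full list.
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.line}")
```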

#5 mpm32

mpm32

    Authentic Member

  • Authentic Member
  • 30 posts

Posted 26 April 2008 - 07:29 AM

I've completed all steps up to the OTmoveit2. When I copy and paste the list you provided, it hangs up and at the bottom status bar states: Moving file C:\Documents and Settings\All Users\Application Data\fqfopazu.dll. I've let it run for a long time and it always hangs up here. I get program not responding when I try to click anything. Should I remove C:\Documents and Settings\All Users\Application Data\fqfopazu.dll from the list and try again? Thanks.

#6 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 26 April 2008 - 07:55 AM

Should I remove C:\Documents and Settings\All Users\Application Data\fqfopazu.dll from the list and try again?

Yes, give that a try and see if it works.

#7 mpm32

mpm32

    Authentic Member

  • Authentic Member
  • 30 posts

Posted 26 April 2008 - 08:22 PM

MoveIt log:

File/Folder C:\Documents and Settings\All Users\Application Data\clwrofyv not found.
File/Folder C:\Program Files\Bat not found.
File/Folder C:\Program Files\ISM not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr not found.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4\\ not found.
< C:\WINDOWS\??mantec /u >
File/Folder C:\WINDOWS\??mantec not found.
< C:\WINDOWS\system32\?dobe /u >
File/Folder C:\WINDOWS\system32\?dobe not found.
< C:\Documents and Settings\Amie\Application Data\?racle /u >
File/Folder C:\Documents and Settings\Amie\Application Data\?racle not found.
File/Folder C:\Documents and Settings\All Users\Application Data\noptaizb not found.
< C:\Program Files\Common Files\??crosoft /u >
File/Folder C:\Program Files\Common Files\??crosoft not found.
File/Folder C:\WINDOWS\system32\lpayr.dll not found.
File/Folder C:\Documents and Settings\All Users\Application Data\pyubtxnw not found.
< C:\Program Files\Common Files\s?stem32 /u >
File/Folder C:\Program Files\Common Files\s?stem32 not found.
File/Folder C:\Documents and Settings\Mark\Desktopvirii not found.
File/Folder C:\Documents and Settings\Mark\Desktopfilemanagerclient.exe not found.
File/Folder C:\Documents and Settings\Mark\DesktopFWebdEditor.exe not found.
File/Folder C:\Documents and Settings\Mark\Desktopfwebd.exe not found.
File/Folder C:\WINDOWS\system32\ulmdwpcz.exe not found.
File/Folder C:\WINDOWS\stcloader.exe not found.
File/Folder C:\WINDOWS\voiceip.dll not found.
File/Folder C:\WINDOWS\swin32.dll not found.
File/Folder C:\WINDOWS\mspphe.dll not found.
File/Folder C:\WINDOWS\cdsm32.dll not found.
File/Folder C:\WINDOWS\bokja.exe not found.
File/Folder C:\WINDOWS\bjam.dll not found.
File/Folder C:\WINDOWS\saiemod.dll not found.
File/Folder C:\WINDOWS\msapasrc.dll not found.
File/Folder C:\WINDOWS\msa64chk.dll not found.
File/Folder C:\WINDOWS\winsb.dll not found.
File/Folder C:\WINDOWS\shdocpl.dll not found.
File/Folder C:\WINDOWS\shdocpe.dll not found.
File/Folder C:\WINDOWS\ntnut.exe not found.
File/Folder C:\WINDOWS\browserad.dll not found.
File/Folder C:\WINDOWS\aviwrap32.dll not found.
File/Folder C:\WINDOWS\avisynthex32.dll not found.
File/Folder C:\WINDOWS\avifile32.dll not found.
File/Folder C:\WINDOWS\autodisc32.dll not found.
File/Folder C:\WINDOWS\audiosrv32.dll not found.
File/Folder C:\WINDOWS\ati2dvag32.dll not found.
File/Folder C:\WINDOWS\changeurl_30.dll not found.
File/Folder C:\WINDOWS\ati2dvaa32.dll not found.
File/Folder C:\WINDOWS\athprxy32.dll not found.
File/Folder C:\WINDOWS\asycfilt32.dll not found.
File/Folder C:\WINDOWS\asferror32.dll not found.
File/Folder C:\WINDOWS\apphelp32.dll not found.
File/Folder C:\WINDOWS\userconfig9x.dll not found.
File/Folder C:\WINDOWS\system32winlogonpc.exe not found.
File/Folder C:\WINDOWS\system32taack.exe not found.
File/Folder C:\WINDOWS\system32taack.dat not found.
File/Folder C:\WINDOWS\system32sncntr.exe not found.
File/Folder C:\WINDOWS\system32mwin32.exe not found.
File/Folder C:\WINDOWS\system32hxiwlgpm.exe not found.
File/Folder C:\WINDOWS\system32hxiwlgpm.dat not found.
File/Folder C:\WINDOWS\system32hoproxy.dll not found.
File/Folder C:\WINDOWS\FVProtect.exe not found.
File/Folder C:\WINDOWS\a.bat not found.
File/Folder C:\WINDOWS\system32ssurf022.dll not found.
File/Folder C:\WINDOWS\system32smp not found.
File/Folder C:\WINDOWS\system32psoft1.exe not found.
File/Folder C:\WINDOWS\system32psof1.exe not found.
File/Folder C:\WINDOWS\system32ps1.exe not found.
File/Folder C:\WINDOWS\system32msnbho.dll not found.
File/Folder C:\WINDOWS\system32medup020.dll not found.
File/Folder C:\WINDOWS\system32medup012.dll not found.
File/Folder C:\WINDOWS\system32bsva-egihsg52.exe not found.
File/Folder C:\WINDOWS\iTunesMusic.exe not found.
File/Folder C:\Documents and Settings\Amie\Desktopvirii not found.
File/Folder C:\WINDOWS\system32thun32.dll not found.
File/Folder C:\WINDOWS\system32thun.dll not found.
File/Folder C:\WINDOWS\system32temp#01.exe not found.
File/Folder C:\WINDOWS\system32ssvchost.exe not found.
File/Folder C:\WINDOWS\system32ssvchost.com not found.
File/Folder C:\WINDOWS\system32Rundl1.exe not found.
File/Folder C:\WINDOWS\system32regm64.dll not found.
File/Folder C:\WINDOWS\system32regc64.dll not found.
File/Folder C:\WINDOWS\system32netode.exe not found.
File/Folder C:\WINDOWS\system32mtr2.exe not found.
File/Folder C:\WINDOWS\system32msvchost.exe not found.
File/Folder C:\WINDOWS\system32msgp.exe not found.
< C:\WINDOWS\system32h@tkeysh@@k.dll >
File/Folder C:\WINDOWS\system32h@tkeysh@@k.dll not found.
File/Folder C:\WINDOWS\system32dpcproxy.exe not found.
File/Folder C:\Documents and Settings\Amie\DesktopFWebdEditor.exe not found.
File/Folder C:\Documents and Settings\Amie\Desktopfilemanagerclient.exe not found.
File/Folder C:\WINDOWS\winsystem.exe not found.
File/Folder C:\WINDOWS\system32WINWGPX.EXE not found.
File/Folder C:\WINDOWS\system32winsystem.exe not found.
File/Folder C:\WINDOWS\system32vcatchpi.dll not found.
File/Folder C:\WINDOWS\system32sysreq.exe not found.
File/Folder C:\WINDOWS\system32newsd32.exe not found.
File/Folder C:\WINDOWS\system32mssecu.exe not found.
File/Folder C:\WINDOWS\system32emesx.dll not found.
File/Folder C:\WINDOWS\system32bdn.com not found.
File/Folder C:\WINDOWS\system32awtoolb.dll not found.
File/Folder C:\WINDOWS\system32anticipator.dll not found.
File/Folder C:\WINDOWS\system32akttzn.exe not found.
File/Folder C:\WINDOWS\mssecu.exe not found.
File/Folder C:\WINDOWS\bdn.com not found.
File/Folder C:\Documents and Settings\Amie\Desktopfwebd.exe not found.
File/Folder C:\WINDOWS\system32vbsys2.dll not found.
File/Folder C:\WINDOWS\mslagent not found.
File/Folder C:\Program Files\akl not found.
File/Folder C:\Documents and Settings\All Users\Application Data\clwrofyv not found.
File/Folder C:\WINDOWS\system32\oxsvmhij.exe not found.
File/Folder C:\WINDOWS\mgwwgmke not found.
File/Folder C:\WINDOWS\tcjgzinw.dll not found.
File/Folder C:\Program Files\Outerinfo not found.
< C:\Program Files\Common Files\T?sks /u >
File/Folder C:\Program Files\Common Files\T?sks not found.
File/Folder C:\Program Files\QdrPack not found.
File/Folder C:\WINDOWS\system32\winfrun32.bin not found.
File/Folder C:\Program Files\QdrModule not found.
File/Folder C:\Program Files\QdrDrive not found.
File/Folder C:\WINDOWS\system32\wmsdkns.exe not found.
File/Folder C:\WINDOWS\lfn.exe not found.
File/Folder C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe not found.
< C:\WINDOWS\system32\??stem32 /u >
File/Folder C:\WINDOWS\system32\??stem32 not found.
File/Folder C:\WINDOWS\winself.exe not found.
C:\WINDOWS\system32\000060.exe moved successfully.
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe moved successfully.
C:\WINDOWS\system32\000080.exe moved successfully.
C:\WINDOWS\system32\000090.exe moved successfully.
< C:\Program Files\Common Files\??crosoft /u >
File/Folder C:\Program Files\Common Files\??crosoft not found.
< C:\Program Files\Common Files\s?stem32 /u >
File/Folder C:\Program Files\Common Files\s?stem32 not found.
< C:\Program Files\Common Files\T?sks /u >
File/Folder C:\Program Files\Common Files\T?sks not found.
C:\WINDOWS\PerfInfo moved successfully.
File/Folder C:\WINDOWS\system32\STEM32~1 not found.
< purity >
< emptytemp >
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5d0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04262008_201031

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_5d0.dat not found!
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

Malware Report:

Malwarebytes' Anti-Malware 1.11
Database version: 687

Scan type: Quick Scan
Objects scanned: 62780
Time elapsed: 22 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 65

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\services (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISM (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Amie\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Amie\Local Settings\temp\BatSetup.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\9J38NXS4\BatSetup[1].exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\9RRR1TCE\syswcc32[1].exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\J2KFJHOD\leeman[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Start Menu\Programs\Outerinfo\Uninstall.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32VBIEWER.OCX (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WService.exe (BackDoor.ProRat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\fwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\fwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lili\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Desktopblackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Desktopblackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\DesktopEditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\DesktopEditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\DesktopEditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\DesktopEditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Desktopfkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Desktopfkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Desktopfkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Desktopfkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\DesktopTrojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\DesktopTrojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\temp\ie.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amie\Local Settings\temp\ismtpa15.exe (Adware.ISM) -> Quarantined and deleted successfully.

DSS log:

Deckard's System Scanner v20071014.68
Run by Mark on 2008-04-26 22:17:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
94: 2008-04-27 02:17:51 UTC - RP895 - Deckard's System Scanner Restore Point
93: 2008-04-26 12:43:32 UTC - RP894 - Removed TMASOLDL
92: 2008-04-26 12:43:20 UTC - RP893 - Removed TMASOEDL
91: 2008-04-26 12:42:06 UTC - RP892 - Removed Trend Micro PC-cillin Internet Security 12
90: 2008-04-26 02:50:20 UTC - RP891 - Deckard's System Scanner Restore Point


-- First Restore Point -- 
1: 2008-02-13 23:00:29 UTC - RP802 - Software Distribution Service 3.0


Performed disk cleanup.



-- HijackThis (run as Mark.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:02 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mark\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {F4430FE8-2638-42e5-B849-800749B94EED} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 9512 bytes

-- File Associations -----------------------------------------------------------

[COLOR=red].reg - regfile - shell\open\command - regedit.exe "%1" %*[/COLOR]
[COLOR=red].scr - scrfile - shell\open\command - "%1" %*[/COLOR]


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 ATNT40K (ActiveTouch NT Appsharing Driver) - c:\windows\system32\drivers\atnt40k.sys
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>

S3 catchme - c:\docume~1\mark\locals~1\temp\catchme.sys (file missing)
S3 Tablet2k (Serial Tablet Port Driver) - "c:\windows\system32\drivers\tablet2k.sys" (file missing)
S3 TClass2k (Tablet Class Driver) - c:\windows\system32\drivers\tclass2k.sys <Not Verified; Tablet Driver; Tablet Class Driver for Win2000/XP>
S3 UCTblHid (HID Tablet Port Driver) - c:\windows\system32\drivers\uctblhid.sys <Not Verified; Tablet Driver; HID Tablet Filter Driver For Win2000/XP>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 WinTabService (WinTab Service) - "c:\windows\system32\drivers\wtsrv.exe" <Not Verified; Tablet Driver; Tablet Driver for Win2000/XP>

S4 Switch Off - c:\program files\switch off\swoff.exe -service <Not Verified; YaSoft; Switch Off>
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 276)
2004-12-14 03:11:42	577536 --a------ C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll <Not Verified; Adobe Systems Inc.; Adobe Acrobat Elements>
2004-12-14 01:55:14	 94208 --a------ C:\Program Files\Adobe\Acrobat 7.0\Distillr\adist32.dll <Not Verified; Adobe Systems Incorporated.; Adobe PDF>


-- Scheduled Tasks -------------------------------------------------------------

2008-04-26 20:45:55	   330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 20:17:38		 0 d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-04-26 20:17:23		 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 20:17:23		 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 13:48:35	291840 --a------ C:\WINDOWS\trictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-04-26 13:42:01	291840 --a------ C:\WINDOWS\ictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-04-26 08:51:46		 0 d-------- C:\Program Files\Alwil Software
2008-04-19 16:50:12		 0 d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-19 08:44:16	 65024 --a------ C:\Documents and Settings\All Users\Application Data\fqfopazu.dll
2008-04-19 08:44:11	 65024 --a------ C:\WINDOWS\ejafgror.dll
2008-04-19 08:43:27		 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-19 08:43:05		 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-19 08:42:26	  6656 --a------ C:\WINDOWS\tions.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-26 20:10:31		 0 d-------- C:\Program Files\Common Files
2008-04-26 09:12:43		 0 d-------- C:\Program Files\Lx_cats
2008-04-26 09:08:22		 0 d-------- C:\Program Files\PartyGaming.Net
2008-04-26 09:07:15		 0 d-------- C:\Program Files\PartyGaming
2008-04-26 09:05:37		 0 d-------- C:\Program Files\Viewpoint
2008-04-25 22:47:13		 0 d-------- C:\Program Files\Trend Micro
2008-04-25 16:21:14		 0 d-------- C:\Program Files\Quicken
2008-04-20 12:02:56		 0 d-------- C:\Program Files\SpywareBlaster
2008-03-21 20:36:43		 0 d-------- C:\Documents and Settings\Mark\Application Data\Canon
2008-03-10 19:15:11		 0 d-------- C:\Documents and Settings\Mark\Application Data\Intuit
2008-03-10 19:09:58		 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-10 19:09:56		 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-10 19:07:24		 0 d-------- C:\Program Files\TurboTax
2008-03-02 15:02:20		 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/20/2005 01:06 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/20/2005 01:10 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/23/2005 02:20 AM C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [11/23/2005 03:52 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 05:33 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/14/2004 02:12 AM]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [04/30/2007 04:19 AM]
"PhotoExplosionCalCheck"="C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe" [09/20/2006 12:54 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 02:37 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [1/7/2007 8:36:46 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 7:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"AOL ACS"=2 (0x2)
"Adobe LM Service"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-26 22:18:42 ------------


Thanks Again.

#8 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 26 April 2008 - 09:38 PM

Hi mpm32,

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
@echo off
FOR %%A IN (
"C:\Documents and Settings\All Users\Application Data\fqfopazu.dll"
"C:\WINDOWS\ejafgror.dll"
"C:\WINDOWS\tions.dll"
) DO (
ECHO Y|cacls %%A /g %username%:F >> results.txt 2>>&1
attrib -r -h -s %%A >> results.txt 2>>&1
del /q /a /f %%A >> results.txt 2>>&1
dir /a %%A >> results.txt 2>>&1
cacls %%A >> results.txt 2>>&1
)
del runme.bat
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

O9 - Extra button: (no name) - {F4430FE8-2638-42e5-B849-800749B94EED} - (no file)
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Fix file associations with DSS:
  • Make sure DSS.exe is on your Desktop
  • Next press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /daft

  • Press OK to the disclaimer(s) and then press Scan
  • Place checkmarks in all the boxes that appear and press Fix
  • Then close Deckard's System Scanner

------------------------------------------------------------------------

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://www.aumha.org...erunt-setup.exe
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Then, open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Change the Save As Type to All Files and save it as fix.reg to your Desktop.
Locate fix.reg on your Desktop, if you did it right it should look like this: [image]
Double-click it, when it asks if you want to merge with the registry, click Yes.
You can then delete fix.reg

------------------------------------------------------------------------

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear; make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!

Once complete, please post the new DSS main.txt report.
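As an added illustration for the registry step above (this is not code from silver, HijackThis, DSS or ERUNT), the following Python script audits a SecurityProviders value against the clean baseline that the fix.reg restores. It reads the live value on Windows through winreg, and otherwise falls back to parsing a Regedit export; the function names, the SAMPLE_EXPORT text and the DLL name example_extra.dll in it are constructed for the example and do not come from the thread.

```python
"""Audit the SecurityProviders value against the clean baseline that fix.reg restores.

Added example for this thread; not code from silver, HijackThis, DSS or ERUNT.
Function names, SAMPLE_EXPORT and the DLL name example_extra.dll are constructed.
"""
from __future__ import annotations
import re

# Baseline copied from the fix.reg in the post above (the value a clean XP SP2 system carries).
BASELINE_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"


def split_providers(value: str) -> list[str]:
    """Split the comma-separated REG_SZ into lower-cased DLL names, ignoring stray spaces."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def unexpected_providers(value: str, baseline=BASELINE_PROVIDERS) -> list[str]:
    """Return every DLL in the value that is not in the baseline, in order of appearance.
    An empty list means the value already matches what fix.reg would write."""
    allowed = {b.lower() for b in baseline}
    return [p for p in split_providers(value) if p not in allowed]


def providers_from_reg_export(text: str) -> str | None:
    """Extract the SecurityProviders string from a REGEDIT4 or 'Windows Registry Editor' export.
    Returns None when the key or the value is not present in the export."""
    wanted_key = "[hkey_local_machine\\" + KEY_PATH.lower() + "]"
    in_key = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_key = s.lower() == wanted_key
            continue
        if in_key:
            m = re.match(r'"SecurityProviders"="(.*)"$', s, re.IGNORECASE)
            if m:
                return m.group(1)
    return None


def build_fix_reg(baseline=BASELINE_PROVIDERS) -> str:
    """Produce the fix.reg text: REGEDIT4 header, the key, the value and one trailing blank line,
    with CRLF line endings as Notepad on XP writes them."""
    return ("REGEDIT4\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\" + KEY_PATH + "]\r\n"
            '"SecurityProviders"="' + ", ".join(baseline) + '"\r\n\r\n')


def live_value() -> str | None:
    """Read the live value on Windows; returns None on other platforms or if the key is missing."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            value, _ = winreg.QueryValueEx(key, "SecurityProviders")
            return value
    except OSError:
        return None


# Constructed sample export: the baseline with one extra DLL appended, as a hijacked value looks.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders]\r\n"
    '"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, example_extra.dll"\r\n'
)

if __name__ == "__main__":
    current = live_value()
    source = "live registry" if current is not None else "SAMPLE_EXPORT"
    if current is None:
        current = providers_from_reg_export(SAMPLE_EXPORT)
    extra = unexpected_providers(current)
    print(f"{source}: unexpected providers -> {extra if extra else 'none'}")
```

Any name that unexpected_providers reports is a DLL Windows will load into lsass.exe as a security package at the next boot, which is why the helper resets the whole value rather than editing it by hand; build_fix_reg writes the same text the post asks the user to paste.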

#9 mpm32 (Authentic Member, 30 posts)

Posted 27 April 2008 - 06:28 AM

Here's the new main.txt log:


Deckard's System Scanner v20071014.68
Run by Mark on 2008-04-27 08:27:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
94: 2008-04-27 02:17:51 UTC - RP895 - Deckard's System Scanner Restore Point
93: 2008-04-26 12:43:32 UTC - RP894 - Removed TMASOLDL
92: 2008-04-26 12:43:20 UTC - RP893 - Removed TMASOEDL
91: 2008-04-26 12:42:06 UTC - RP892 - Removed Trend Micro PC-cillin Internet Security 12
90: 2008-04-26 02:50:20 UTC - RP891 - Deckard's System Scanner Restore Point


-- First Restore Point -- 
1: 2008-02-13 23:00:29 UTC - RP802 - Software Distribution Service 3.0


Performed disk cleanup.



-- HijackThis (run as Mark.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:22 AM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mark\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'Amie')
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Amie')
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [Uaol] "C:\WINDOWS\system32\STEM32~1\dexplore.exe" -vt yazb (User 'Amie')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 9824 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 ATNT40K (ActiveTouch NT Appsharing Driver) - c:\windows\system32\drivers\atnt40k.sys
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>

S3 catchme - c:\docume~1\mark\locals~1\temp\catchme.sys (file missing)
S3 Tablet2k (Serial Tablet Port Driver) - "c:\windows\system32\drivers\tablet2k.sys" (file missing)
S3 TClass2k (Tablet Class Driver) - c:\windows\system32\drivers\tclass2k.sys <Not Verified; Tablet Driver; Tablet Class Driver for Win2000/XP>
S3 UCTblHid (HID Tablet Port Driver) - c:\windows\system32\drivers\uctblhid.sys <Not Verified; Tablet Driver; HID Tablet Filter Driver For Win2000/XP>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 WinTabService (WinTab Service) - "c:\windows\system32\drivers\wtsrv.exe" <Not Verified; Tablet Driver; Tablet Driver for Win2000/XP>

S4 Switch Off - c:\program files\switch off\swoff.exe -service <Not Verified; YaSoft; Switch Off>
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 3872)
2004-02-26 19:04:26	602112 --a------ C:\Program Files\Dell\Dell DJ Explorer\CTOJBNS.dll <Not Verified; Creative Technology Ltd; CTOJBNS Dynamic Link Library>
2002-10-28 02:01:00	 65536 --a------ C:\Program Files\Dell\Dell DJ Explorer\CTIntrfc.dll <Not Verified; Creative Technology Ltd; CTIntrfc>
2003-12-11 18:27:14	 53248 --a------ C:\Program Files\Dell\Dell DJ Explorer\DFMHK.dll <Not Verified; Creative Technology Ltd; CTL DFMHK>
2004-02-26 19:04:14	266240 --a------ C:\Program Files\Dell\Dell DJ Explorer\CTOJBRes.dll <Not Verified; Creative Technology Ltd; CTOJBNSRes>
2004-12-14 03:11:42	577536 --a------ C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll <Not Verified; Adobe Systems Inc.; Adobe Acrobat Elements>
2004-12-14 01:55:14	 94208 --a------ C:\Program Files\Adobe\Acrobat 7.0\Distillr\adist32.dll <Not Verified; Adobe Systems Incorporated.; Adobe PDF>


-- Scheduled Tasks -------------------------------------------------------------

2008-04-27 07:26:47	   330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-26 20:17:38		 0 d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-04-26 20:17:23		 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 20:17:23		 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-26 13:48:35	291840 --a------ C:\WINDOWS\trictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-04-26 13:42:01	291840 --a------ C:\WINDOWS\ictions.dll <Not Verified; OldTimer Tools; OTMoveIt>
2008-04-26 08:51:46		 0 d-------- C:\Program Files\Alwil Software
2008-04-19 16:50:12		 0 d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-19 08:43:27		 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-19 08:43:05		 0 dr------- C:\Documents and Settings\LocalService\Favorites


-- Find3M Report ---------------------------------------------------------------

2008-04-27 07:23:55		 0 d-------- C:\Program Files\Lx_cats
2008-04-26 20:10:31		 0 d-------- C:\Program Files\Common Files
2008-04-26 09:08:22		 0 d-------- C:\Program Files\PartyGaming.Net
2008-04-26 09:07:15		 0 d-------- C:\Program Files\PartyGaming
2008-04-26 09:05:37		 0 d-------- C:\Program Files\Viewpoint
2008-04-25 22:47:13		 0 d-------- C:\Program Files\Trend Micro
2008-04-25 16:21:14		 0 d-------- C:\Program Files\Quicken
2008-04-20 12:02:56		 0 d-------- C:\Program Files\SpywareBlaster
2008-03-21 20:36:43		 0 d-------- C:\Documents and Settings\Mark\Application Data\Canon
2008-03-10 19:15:11		 0 d-------- C:\Documents and Settings\Mark\Application Data\Intuit
2008-03-10 19:09:58		 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-10 19:09:56		 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-10 19:07:24		 0 d-------- C:\Program Files\TurboTax
2008-03-02 15:02:20		 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/20/2005 01:06 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/20/2005 01:10 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/23/2005 02:20 AM C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [11/23/2005 03:52 AM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 05:33 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/14/2004 02:12 AM]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [04/30/2007 04:19 AM]
"PhotoExplosionCalCheck"="C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe" [09/20/2006 12:54 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 02:37 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Mark\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [1/7/2007 8:36:46 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 7:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"AOL ACS"=2 (0x2)
"Adobe LM Service"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-27 08:28:08 ------------

Thanks

#10 silver (Malware Expert Emeritus, 2,994 posts)

Posted 27 April 2008 - 09:15 PM

Hi mpm32,

Was a results.txt produced on your Desktop? Please post the contents in your next response.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following line:

O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [Uaol] "C:\WINDOWS\system32\STEM32~1\dexplore.exe" -vt yazb (User 'Amie')

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Then please do an online scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky...kavwebscan.html
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save Report As... button, change Save as type: to Text file and save the file to your desktop as Kaspersky.txt

Once complete please post the results.txt from earlier, the Kaspersky report and a new HijackThis log.
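Added example, not part of silver's post and not code from Kaspersky: a Python triage helper for the Kaspersky.txt report the scanner saves (one tab-separated line per object: path, status, last action). It separates detections that are live on disk from those sitting in System Restore snapshots, in Spybot's recovery archives or in the browser cache, which is the distinction a helper makes before deciding what still needs removing. The function names and the SAMPLE_REPORT lines are constructed; the paths, GUID and file names in the sample are placeholders that only mirror the report layout, while the detection names are ones Kaspersky reports.

```python
"""Triage a Kaspersky Online Scanner report (the Kaspersky.txt format posted in this thread).

Added example for this thread; not code from silver or from Kaspersky. Function names and
SAMPLE_REPORT are constructed: its paths, GUID and file names are placeholders that only
mirror the report's tab-separated 'object / status / action' layout.
"""
from __future__ import annotations
from collections import Counter
import re

# One result line: <object path> TAB <status> TAB <last action>
LINE_RE = re.compile(r"^(?P<path>.+?)\t(?P<status>.+?)\t(?P<action>\S+)$")


def parse_report(text: str) -> list[dict]:
    """Return one record per result line; banner, settings and statistics lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        status = rec["status"]
        rec["detection"] = status[len("Infected: "):] if status.startswith("Infected: ") else None
        rec["locked"] = status == "Object is locked"   # in-use file the scanner could not open
        records.append(rec)
    return records


def classify(path: str) -> str:
    """Where the object lives decides how it is dealt with, so group by location first."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # old copies inside System Restore; cleared by purging restore points
    if "\\spybot - search & destroy\\recovery\\" in p:
        return "quarantine"      # backups a cleaning tool already neutralised
    if "\\temporary internet files\\" in p:
        return "browser_cache"   # cached pages; emptying the cache removes them
    return "live"                # anything else is an active file and needs a closer look


def triage(text: str) -> dict:
    """Summarise detections by location and by family, and list the live ones by path."""
    hits = [r for r in parse_report(text) if r["detection"]]
    return {
        "by_location": dict(Counter(classify(r["path"]) for r in hits)),
        "by_family": dict(Counter(r["detection"] for r in hits)),
        "live": [r["path"] for r in hits if classify(r["path"]) == "live"],
    }


# Constructed sample report: placeholder paths in the scanner's layout, one hit per location class.
RP = "C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}"
SAMPLE_REPORT = "\n".join([
    "Infected Object Name / Virus Name / Last Action",
    "C:\\Documents and Settings\\User\\ntuser.dat\tObject is locked\tskipped",
    "C:\\Documents and Settings\\User\\Local Settings\\temp\\sample_a.exe"
    "\tInfected: Trojan.Win32.DNSChanger.cii\tskipped",
    "C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\Sample.zip/sample_b.dll"
    "\tInfected: not-a-virus:AdWare.Win32.Agent.wk\tskipped",
    "C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\Sample.zip"
    "\tZIP: infected - 1\tskipped",
    "C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\page[1].htm"
    "\tInfected: Trojan-Clicker.HTML.IFrame.mb\tskipped",
    RP + "\\RP1\\A0000001.exe\tInfected: Trojan-Downloader.Win32.Injecter.gx\tskipped",
    RP + "\\RP2\\A0000002.dll\tInfected: not-a-virus:AdWare.Win32.PurityScan.hk\tskipped",
])

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("by location:", summary["by_location"])
    print("by family:  ", summary["by_family"])
    print("live:       ", summary["live"])
```

The "ZIP: infected - 1" summary line is deliberately not counted as a detection, since the archive's member line already is; "Object is locked" entries are kept but flagged, because they are unscanned in-use files rather than findings.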


#11 mpm32 (Authentic Member, 30 posts)

Posted 28 April 2008 - 08:51 PM

Results log:

Are you sure (Y/N)?processed file: C:\Documents and Settings\All Users\Application Data\fqfopazu.dll
 Volume in drive C has no label.
 Volume Serial Number is 1CDA-84CA

 Directory of C:\Documents and Settings\All Users\Application Data

File Not Found
The system cannot find the file specified.

Are you sure (Y/N)?processed file: C:\WINDOWS\ejafgror.dll
 Volume in drive C has no label.
 Volume Serial Number is 1CDA-84CA

 Directory of C:\WINDOWS

File Not Found
The system cannot find the file specified.

Are you sure (Y/N)?processed file: C:\WINDOWS\tions.dll
 Volume in drive C has no label.
 Volume Serial Number is 1CDA-84CA

 Directory of C:\WINDOWS

File Not Found
The system cannot find the file specified.

Kaspersky report:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Monday, April 28, 2008 10:46:28 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 28/04/2008
 Kaspersky Anti-Virus database records: 729126
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\
	E:\
	F:\
	G:\
	H:\
	I:\

Scan Statistics:
	Total number of scanned objects: 117646
	Number of viruses found: 18
	Number of infected objects: 56
	Number of suspicious objects: 0
	Duration of the scan process: 01:50:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\552c4f10c7bc7882704d1e7e1cbf28ee_24adf822-76f7-4481-b30b-ff1b40f8687f	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01142007-201932.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/drsmartload1.exe	Infected: Trojan-Downloader.Win32.Adload.l	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmall.zip/hide_evr2.sys	Infected: Trojan-Downloader.Win32.Agent.bda	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmall.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc.zip/yzsngvox.dll	Infected: not-a-virus:AdWare.Win32.Agent.wk	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc1.zip/pepsjizk.dll	Infected: not-a-virus:AdWare.Win32.Agent.wk	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc1.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc2.zip/pcpohino.dll	Infected: not-a-virus:AdWare.Win32.Agent.wk	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc2.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc3.zip/nenyperu.dll	Infected: not-a-virus:AdWare.Win32.Agent.wk	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc3.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc4.zip/hilsdods.dll	Infected: not-a-virus:AdWare.Win32.Agent.wk	skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zlockuc4.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\Amie\Application Data\Microsoft\Outlook\outcmd.dat	Object is locked	skipped
C:\Documents and Settings\Amie\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\Application Data\Microsoft\Outlook\outlook.pst	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{619FCA78-88F8-45C1-91C9-B468F2DF47FE}	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8A516E40-A09D-436A-90E8-2995DCA66E1E}	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B3278054-7367-49A2-A3A3-C27DFA628D5A}	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Amie\Local Settings\temp\bbnew.exe	Infected: Trojan.Win32.DNSChanger.cii	skipped
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Amie\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Amie\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Mark\Application Data\Aim\dvdqbcrj\deadonthepave\cert8.db	Object is locked	skipped
C:\Documents and Settings\Mark\Application Data\Aim\dvdqbcrj\deadonthepave\key3.db	Object is locked	skipped
C:\Documents and Settings\Mark\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{41080321-C54F-41A4-9CF2-14FE62DEACA2}	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9A49909D-6546-45E2-8003-F1F8853CAE8D}	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{BF298F52-B472-4E14-83A5-7631EA5699BE}	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C49A9619-9BDA-47D7-8409-6DBAF20563C4}	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F2809E40-2BAB-4A4F-917F-1FE3730034D8}	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\temp\~DF9F73.tmp	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\nothingbutvids[1].htm	Infected: Trojan-Clicker.HTML.IFrame.mb	skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\picksparade[1].htm	Infected: Trojan-Clicker.HTML.IFrame.mb	skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O82EFQC2\nakedhall[1].htm	Infected: Trojan-Clicker.HTML.IFrame.mb	skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\Y9KJUPIL\nakedhall[1].htm	Infected: Trojan-Clicker.HTML.IFrame.mb	skipped
C:\Documents and Settings\Mark\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Mark\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt	Object is locked	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP834\snapshot\MFEX-1.DAT	Infected: Trojan-Downloader.Win32.Injecter.gx	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP835\snapshot\MFEX-1.DAT	Infected: Trojan-Downloader.Win32.Injecter.gx	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP836\A0078808.exe	Infected: Trojan-Downloader.Win32.Injecter.gx	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP836\snapshot\MFEX-1.DAT	Infected: Trojan-Downloader.Win32.Injecter.gx	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP882\A0080011.dll	Infected: not-a-virus:AdWare.Win32.PurityScan.hk	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP882\A0080012.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hl	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP882\A0080016.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP882\A0080020.exe	Infected: Trojan-Downloader.Win32.Small.uww	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP884\A0080166.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP885\A0080172.dll	Infected: not-a-virus:AdWare.Win32.PurityScan.hk	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP885\A0080175.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hl	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP885\A0080179.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP887\A0080192.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hl	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP887\A0080196.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP888\A0080200.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hl	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP888\A0080204.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP890\A0080207.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hl	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP890\A0080208.dll	Infected: not-a-virus:AdWare.Win32.PurityScan.hk	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP890\A0080220.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP891\A0080236.dll	Infected: not-a-virus:AdWare.Win32.PurityScan.hk	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP894\A0080495.exe	Infected: Trojan.Win32.DNSChanger.cii	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP894\A0080500.dll	Infected: not-a-virus:AdWare.Win32.Rabio.m	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP894\A0080501.dll	Infected: not-a-virus:AdWare.Win32.Rabio.m	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP894\A0080613.exe	Infected: not-virus:Hoax.Win32.Renos.bso	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP894\A0080614.exe	Infected: not-virus:Hoax.Win32.Renos.bso	skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP896\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\default.htm	Infected: not-virus:Hoax.HTML.Secureinvites.b	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\Antivirus.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\DEFAULT	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Media Ce.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SOFTWARE	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SYSTEM	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_5f0.dat	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
C:\_OTMoveIt\MovedFiles\04262008_091710\Documents and Settings\All Users\Application Data\clwrofyv\ujsjavon.exe	Infected: Trojan.Win32.Obfuscated.we	skipped
C:\_OTMoveIt\MovedFiles\04262008_091710\WINDOWS\Ѕуmantec\lsass.exe	Infected: not-a-virus:AdWare.Win32.PurityScan.hl	skipped
C:\_OTMoveIt\MovedFiles\04262008_134138\Program Files\Common Files\Yazzle1552OinUninstaller.exe/data0001	Infected: not-a-virus:AdWare.Win32.PurityScan.gp	skipped
C:\_OTMoveIt\MovedFiles\04262008_134138\Program Files\Common Files\Yazzle1552OinUninstaller.exe	NSIS: infected - 1	skipped
C:\_OTMoveIt\MovedFiles\04262008_134138\Program Files\Outerinfo\FF\components\FF.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\_OTMoveIt\MovedFiles\04262008_134138\Program Files\QdrModule\QdrModule15.exe	Infected: not-a-virus:AdWare.Win32.AdBand.w	skipped
C:\_OTMoveIt\MovedFiles\04262008_134138\Program Files\QdrPack\QdrPack15.exe	Infected: not-a-virus:AdWare.Win32.AdBand.x	skipped
C:\_OTMoveIt\MovedFiles\04262008_134138\WINDOWS\system32\ѕуstem32\dexplore.exe	Infected: Trojan-Downloader.Win32.Agent.kwg	skipped
C:\_OTMoveIt\MovedFiles\04262008_201031\WINDOWS\system32\000090.exe/stream/data0004	Infected: not-a-virus:AdWare.Win32.AdBand.w	skipped
C:\_OTMoveIt\MovedFiles\04262008_201031\WINDOWS\system32\000090.exe/stream	Infected: not-a-virus:AdWare.Win32.AdBand.w	skipped
C:\_OTMoveIt\MovedFiles\04262008_201031\WINDOWS\system32\000090.exe	NSIS: infected - 2	skipped

Scan process completed.

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:43 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'Amie')
O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Amie')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 9552 bytes

Thanks.
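An added example, not part of mpm32's post or of the scanner's own tooling: a small Python triage of the Kaspersky report above. It reads the scanner's tab-separated records, separates detections that still sit in their original place from ones that are only in System Restore snapshots or OTMoveIt's MovedFiles folder, and flags directory names spelled with non-ASCII look-alike letters, which is what the two "Ѕуmantec" and "ѕуstem32" paths in the report are. The six sample lines are copied from the report in the post; everything else (function names, the bucket labels, the severity mapping from Kaspersky's "not-a-virus:" and "not-virus:" prefixes) is my own.

```python
import re
import unicodedata

# Constructed sample input: six lines copied from the Kaspersky Online Scanner
# report in the post above. The scanner writes one tab-separated record per file:
# path <TAB> verdict <TAB> action. Two of the paths contain Cyrillic letters.
SAMPLE_REPORT = [
    "\t".join([r"C:\WINDOWS\system32\config\SAM",
               "Object is locked", "skipped"]),
    "\t".join([r"C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP894\A0080495.exe",
               "Infected: Trojan.Win32.DNSChanger.cii", "skipped"]),
    "\t".join([r"C:\WINDOWS\default.htm",
               "Infected: not-virus:Hoax.HTML.Secureinvites.b", "skipped"]),
    "\t".join([r"C:\_OTMoveIt\MovedFiles\04262008_091710\WINDOWS\Ѕуmantec\lsass.exe",
               "Infected: not-a-virus:AdWare.Win32.PurityScan.hl", "skipped"]),
    "\t".join([r"C:\_OTMoveIt\MovedFiles\04262008_134138\WINDOWS\system32\ѕуstem32\dexplore.exe",
               "Infected: Trojan-Downloader.Win32.Agent.kwg", "skipped"]),
    "\t".join([r"C:\_OTMoveIt\MovedFiles\04262008_201031\WINDOWS\system32\000090.exe",
               "NSIS: infected - 2", "skipped"]),
]


def parse_line(line):
    """Split one report record into (path, verdict, action); None for any other line."""
    parts = line.rstrip("\r\n").split("\t")
    return tuple(parts) if len(parts) == 3 else None


def detection(verdict):
    """Return the detection name from an infected verdict, or None if the file was clean/locked."""
    m = re.match(r"^Infected:\s*(.+)$", verdict)
    if m:
        return m.group(1).strip()
    if re.match(r"^\S+: infected", verdict):   # archive verdicts, e.g. "NSIS: infected - 2"
        return verdict
    return None


def severity(name):
    """Kaspersky naming: 'not-a-virus:' is adware/riskware, 'not-virus:' is a hoax, the rest is malware."""
    if name.startswith("not-a-virus:"):
        return "pup"
    if name.startswith("not-virus:"):
        return "hoax"
    return "malware"


def location(path):
    """Where the detected file sits, which decides what (if anything) still needs doing."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # inert unless System Restore re-applies that snapshot
    if "\\_otmoveit\\movedfiles\\" in p:
        return "quarantine"      # already moved out of place by OTMoveIt
    return "live"                # still in its original location


def homoglyphs(path):
    """Path components containing non-ASCII characters, with their Unicode names,
    so a folder spelled with Cyrillic letters does not pass for 'Symantec' or 'system32'."""
    hits = []
    for component in path.split("\\"):
        odd = [c for c in component if ord(c) > 0x7F]
        if odd:
            hits.append((component, [unicodedata.name(c, "?") for c in odd]))
    return hits


def triage(lines):
    """Bucket every record by location and flag look-alike directory names."""
    result = {"live": [], "restore_point": [], "quarantine": [], "locked": [], "homoglyph": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, verdict, _action = rec
        if verdict.startswith("Object is locked"):
            result["locked"].append(path)
            continue
        name = detection(verdict)
        if name is None:
            continue
        result[location(path)].append((path, name, severity(name)))
        for component, names in homoglyphs(path):
            result["homoglyph"].append((path, component, names))
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    for bucket in ("live", "restore_point", "quarantine"):
        for path, name, sev in r[bucket]:
            print(f"{bucket:14} {sev:8} {name}  {path}")
    for path, component, names in r["homoglyph"]:
        print(f"look-alike     {component!r} in {path}: {', '.join(names)}")
```

Run against the full report, the only "live" hit is C:\WINDOWS\default.htm, which is the file silver has OTMoveIt remove in the next post; the rest is either in restore points (cleared by purging old restore points later in the thread) or already in OTMoveIt's MovedFiles folder. The look-alike check is the part worth keeping for other logs: a folder named with Cyrillic letters reads as "Symantec" or "system32" to the eye, and a real lsass.exe would be in C:\WINDOWS\system32, not in a vendor-named folder under C:\WINDOWS.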

#12 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 28 April 2008 - 09:13 PM

Hi mpm32,

Clean Spybot's quarantined files:
Open Spybot - Search & Destroy
Select Recovery from the menu on the left side
Select the relevant item(s) and choose Purge selected items
Close Spybot - Search & Destroy

Restore your Desktop background:
  • Right-click your Desktop and select Properties
  • Select the Desktop tab and click the Customize Desktop... button
  • Click the Web tab, under Web pages: remove all entries by highlighting each and pressing Delete
  • My Current Home Page cannot be deleted, but make sure the box is UN-checked.
  • Then press OK, choose a wallpaper from the list and press OK.

Clean with OTMoveIt:
  • Double-click OTMoveIt2.exe
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    C:\Documents and Settings\Amie\Local Settings\temp\bbnew.exe 
    C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\nothingbutvids[1].htm 
    C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\picksparade[1].htm 
    C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O82EFQC2\nakedhall[1].htm 
    C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\Y9KJUPIL\nakedhall[1].htm  
    C:\WINDOWS\default.htm
    EmptyTemp
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2

Once complete, please post the OTMoveIt report and a new HijackThis log. Also, let me know how your computer is running now, and if you had any problems with the instructions.

#13 mpm32

mpm32

    Authentic Member

  • Authentic Member
  • PipPip
  • 30 posts

Posted 29 April 2008 - 03:39 PM

My computer is running much better now. I did not have any issues with your instructions, they were excellent.

Here are the latest MoveIt results:

C:\Documents and Settings\Amie\Local Settings\temp\bbnew.exe moved successfully.
< C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\nothingbutvids[1].htm  >
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\nothingbutvids[1].htm moved successfully.
< C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\picksparade[1].htm  >
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ILXUFE1O\picksparade[1].htm moved successfully.
< C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O82EFQC2\nakedhall[1].htm  >
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\O82EFQC2\nakedhall[1].htm moved successfully.
< C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\Y9KJUPIL\nakedhall[1].htm   >
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\Y9KJUPIL\nakedhall[1].htm moved successfully.
C:\WINDOWS\default.htm moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Mark\LOCALS~1\Temp\~DF9F73.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5f0.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04292008_173244

Files moved on Reboot...
C:\DOCUME~1\Mark\LOCALS~1\Temp\~DF9F73.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_5f0.dat not found!

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:42 PM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 9382 bytes

Thanks.
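An added example, mine rather than anything from mpm32's or silver's posts: a Python script that diffs two HijackThis logs and lists the entries a reviewer would look at twice. The excerpts are a handful of lines from the 28 and 29 April logs above; the 29 April excerpt is built by dropping the HKUS Run entry for user 'Amie', because the two full logs differ only in the two 'Amie' entries (which disappear because that user's hive is not loaded, not because anything was removed). The review heuristics (plain-http ActiveX sources, ActiveX sources that are bare .exe installers, proxy-bypass hosts, services with a blank vendor field, Run entries given as a bare filename) are my own prompts for a second look, not HijackThis rules and not verdicts.

```python
import re
from urllib.parse import urlparse

# Constructed excerpts (a handful of lines each) from the two HijackThis logs above.
# The full 29 April log differs from the 28 April one only in the HKUS Run entries
# for user 'Amie', so the second excerpt is derived by dropping that line.
LOG_28_APR = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com",
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe",
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe",
    r"""O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Amie')""",
    r"O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab",
    r"O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe",
    r"O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]
LOG_29_APR = [line for line in LOG_28_APR if "(User 'Amie')" not in line]

# "Rn"/"On" entries; process-list and header lines do not match and are ignored
HJT_ENTRY = re.compile(r"^(?P<kind>[RFOM]\d+) - (?P<body>.*)$")


def parse_hjt(lines):
    """Return {kind: set(body)} for every R/O entry in a log."""
    entries = {}
    for line in lines:
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.setdefault(m["kind"], set()).add(m["body"])
    return entries


def diff_hjt(before, after):
    """Entries that vanished and entries that appeared between two logs, as (kind, body)."""
    a, b = parse_hjt(before), parse_hjt(after)
    kinds = sorted(set(a) | set(b))
    removed = [(k, e) for k in kinds for e in sorted(a.get(k, set()) - b.get(k, set()))]
    added = [(k, e) for k in kinds for e in sorted(b.get(k, set()) - a.get(k, set()))]
    return removed, added


def review(lines):
    """Heuristic prompts for a second look (my own rules, not HijackThis verdicts)."""
    findings = []
    for line in lines:
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "O16":
            # ActiveX control downloaded into IE: note plain-http sources and direct .exe installers
            url = urlparse(body.rsplit(" - ", 1)[-1])
            if url.scheme != "https":
                findings.append((kind, "ActiveX fetched over plain http from " + url.netloc, body))
            if url.path.lower().endswith(".exe"):
                findings.append((kind, "ActiveX source is a bare .exe installer", body))
        elif kind == "R1" and "ProxyOverride" in body:
            hosts = body.split("=", 1)[1].strip()
            if hosts:
                findings.append((kind, "hosts that bypass the proxy: " + hosts, body))
        elif kind == "O23":
            # "Service: <name> - <company> - <path>"; a blank company field means no vendor string
            parts = body.split(" - ")
            if len(parts) >= 3 and not parts[1].strip():
                findings.append((kind, "service with no vendor name", body))
        elif kind == "O4":
            # "[Label] command": a bare filename is found by path search, not a fixed location
            cmd = re.search(r"\] (\S+)", body)
            if cmd and "\\" not in cmd.group(1) and ":" not in cmd.group(1):
                findings.append((kind, "Run entry given as bare filename: " + cmd.group(1), body))
    return findings


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_28_APR, LOG_29_APR)
    for kind, body in removed:
        print(f"gone:  {kind} - {body}")
    for kind, body in added:
        print(f"new:   {kind} - {body}")
    for kind, why, body in review(LOG_29_APR):
        print(f"check: {kind} {why}\n       {body}")
```

The diff is the part that answers "did the fix take": feed it the full log from the post where a file was fixed and the one after, and the removed list should contain exactly the entries that were targeted, with nothing unexpected in the added list. The review list is only a reading aid; in this thread, for instance, the ProxyOverride hosts and the Lexmark service with no vendor string are both benign, and the point of listing them is that a human confirms that rather than skims past.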

#14 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 29 April 2008 - 06:35 PM

Hi mpm32,

I'm glad to hear things are running better and the logs look good. Some important final steps:

Clean up with OTMoveIt2:
  • Double-click OTMoveIt2.exe to start the program.
  • Close all other programs apart from OTMoveIt2 as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next. Type a name like All Clean, then press the Create button; once it's done, press Close.

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked. You can choose to check other boxes if you wish, but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Re-enable Windows Defender real-time protection:
  • Right-click on the Windows Defender icon in the system tray and select Open
  • Click on Tools from the top menu, then press Options
  • Scroll down to Real-time protection options, check Use real-time protection and press Save
  • Close Windows Defender

Re-enable WinPatrol:
  • Open WinPatrol via the Start Menu or by double-clicking the taskbar icon
  • Select the Options tab and check the box marked Automatically run WinPatrol when computer starts
  • Close WinPatrol

------------------------------------------------------------------------

If the above went well, I think your machine is now clean of malware :) Here are some tips to help you keep it that way:

I recommend you consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you use firewall software as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available, one I can recommend is Comodo:
http://www.personalf...all.comodo.com/
A tutorial on firewalls to help you get started:
http://www.bleepingc...tutorial60.html

I recommend you install a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also: subscribe to the mailing list to get update notifications.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Find out more about how to prevent infection in the future
http://forum.malware...pic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.

Edited by silver, 29 April 2008 - 06:35 PM.
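An added example to go with the hosts-file advice above; it is mine, not part of silver's post, and it is not the MVPS file or WinHelp2002's tooling. A blocking hosts file should only ever point names at a sinkhole address (0.0.0.0, 127.0.0.1 or ::1), so a one-pass audit that classifies every mapping is a cheap way to tell a legitimate block list from the kind of entry a hosts hijacker leaves (the scan log earlier in this thread included a Trojan.Win32.DNSChanger detection, which is the family that tampers with name resolution). The sample hosts file is constructed; 192.0.2.44 is a documentation address standing in for an attacker's routable one, and the private-range list is my own choice of what to treat as "local override, confirm who added it" rather than "hijack".

```python
import ipaddress

# Constructed sample hosts file (not the user's): the Windows default entry, three
# MVPS-style blocking entries, one private-network override, and one line of the
# kind a DNS/hosts hijacker leaves behind (192.0.2.44 is a documentation address
# standing in for a routable one).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.badspyware-example.test   # MVPS-style block entry
127.0.0.1 counter.example.test
192.0.2.44 www.kaspersky.com          # real site pointed somewhere else
10.0.0.5 intranet.example.test        # private address: a local override
"""

# Addresses a blocking hosts file may legitimately point names at
SINKHOLES = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::1")}
# Private / link-local ranges: not a hijack, but still worth confirming who added them
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Yield (lineno, address_or_None, names, error) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            yield lineno, ipaddress.ip_address(parts[0]), parts[1:], None
        except ValueError:
            yield lineno, None, parts, "unparseable address"


def classify(addr):
    """sinkhole: blocks the name (or is the localhost line); local: private range; hijack: public."""
    if addr in SINKHOLES or addr.is_loopback:
        return "sinkhole"
    if any(addr in net for net in LOCAL_NETS):
        return "local"
    return "hijack"   # a routable address: the name now resolves to someone else's machine


def audit_hosts(text):
    """One (lineno, kind, name, address) record per mapped name."""
    findings = []
    for lineno, addr, names, err in parse_hosts(text):
        if err:
            findings.append((lineno, "bad", " ".join(names), err))
            continue
        kind = classify(addr)
        for name in names:
            findings.append((lineno, kind, name, str(addr)))
    return findings


if __name__ == "__main__":
    for lineno, kind, name, addr in audit_hosts(SAMPLE_HOSTS):
        if kind != "sinkhole":
            print(f"line {lineno}: {kind:7} {name} -> {addr}")
```

On a Windows XP box the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; anything the audit labels "hijack" is a name that no longer reaches its real server, and security-vendor or update domains in that list are the classic sign of a hosts hijack. Note that this checks only the hosts file, not the DNS server settings a DNSChanger-type trojan also alters, so it complements rather than replaces checking the network adapter's DNS configuration.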


#15 mpm32

mpm32

    Authentic Member

  • Authentic Member
  • PipPip
  • 30 posts

Posted 30 April 2008 - 04:46 PM

I think I'm all set. Thank you so much for your help. You and this site are awesome!
