
[Resolved] help help help help help


  • This topic is locked
23 replies to this topic

#1 Bri

    Authentic Member

  • 48 posts

Posted 14 April 2008 - 04:29 PM

My computer, I believe, has a worm from LimeWire. LimeWire keeps opening even after I close it, and when I uninstalled it, it just brings up this box that says LimeWire cannot open because necessary files are invalid, try reinstalling it again. Here is my HijackThis.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:40 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\mrofinu1188.exe
C:\Documents and Settings\Bri\lsass.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\YMANTE~1\javaw.exe
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\limewire\limewire.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimreal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster...omeLeftPane.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....amp;appindex=ds
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 2)" /O5 "LPT1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF
968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Bri\lsass.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [5ccd37a3] rundll32.exe "C:\WINDOWS\system32\mssbctmx.dll",b
O4 - HKLM\..\Run: [7B26340860737E225826] Rundll32.exe "C:\WINDOWS\system32\hyawrsuh.dll",s
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [Mijlyrd] C:\WINDOWS\system32\?ystem32\??oolsv.exe
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bri\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200370412712
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
End of file - 11169 bytes



Any help with this would be great!



#2 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 19 April 2008 - 03:29 AM

Hi Bri,

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please print/save a copy of the following instructions because we will be using Safe Mode, during which time you won't have access to the internet.

Now reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster...omeLeftPane.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Bri\lsass.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [5ccd37a3] rundll32.exe "C:\WINDOWS\system32\mssbctmx.dll",b
O4 - HKLM\..\Run: [7B26340860737E225826] Rundll32.exe "C:\WINDOWS\system32\hyawrsuh.dll",s
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [Mijlyrd] C:\WINDOWS\system32\?ystem32\??oolsv.exe
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
O8 - Extra context menu item: &Search -
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.


  • Open the extracted SDFix folder (usually Start->My Computer->C:->SDFix) and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post the SDFix report and both DSS logs; you won't need to produce a new HijackThis log as DSS produces one for you.
ASAP & UNITE Member

#3 silver


Posted 22 April 2008 - 08:20 AM

Do you still need help with your machine? If the instructions are unclear or something isn't working, please let me know before proceeding.

#4 Bri


Posted 23 April 2008 - 12:49 AM

Yeah, so I did everything except the last part, and I'm actually sending this message on my roommate's computer because I can't get to this topic/page on my internet. My internet is pretty much not working because of my computer, and I'm not sure what to do because I can't download the DSS to finish the steps. This is really frustrating.

#5 Bri


Posted 23 April 2008 - 01:21 AM

Okay, so I figured out how to get it downloaded. Here is the SDFix report and the two DSS logs:


SDFix: Version 1.173
Run by Bri on Mon 04/21/2008 at 10:35 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Bri\Desktop\SDFix.exe.exe - Deleted
C:\Program Files\CPV\CPV7.dll - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe - Deleted
C:\Program Files\nvcoi\nvcoi.exe.lzma - Deleted
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b116.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b153.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\mrofinu1188.exe - Deleted
C:\Documents and Settings\Bri\lsass.exe - Deleted
C:\WINDOWS\Fonts\Setup.exe - Deleted
C:\WINDOWS\Fonts\svchost.exe - Deleted



Folder C:\Program Files\CPV - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\WINDOWS\Fonts\' - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 23:43:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\MRT.exe 19836024 bytes
IPC error: 109 The pipe has been ended.

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 13


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\IM\\IM.exe"="C:\\Program Files\\IM\\IM.exe:*:Enabled:IM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Documents and Settings\\Bri\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Bri\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sat 30 Sep 2006 88 ..SHR --- "C:\WINDOWS\system32\26FFFAF14E.sys"
Sun 18 Feb 2007 56 ..SHR --- "C:\WINDOWS\system32\4EF1FAFF26.sys"
Sun 18 Feb 2007 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 28 Mar 2008 68,608 ..SHR --- "C:\WINDOWS\?ymantec\javaw.exe"
Fri 1 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 11 Apr 2008 230,400 ..SHR --- "C:\Documents and Settings\Bri\Application Data\??crosoft\r?gedit.exe"
Fri 29 Jun 2007 834 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT27.tmp"
Wed 3 May 2006 9,506 A.SH. --- "C:\Documents and Settings\Bri\My Documents\My Music\License Backup\drmv2key.bak"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!

Main:

Deckard's System Scanner v20071014.68
Run by Bri on 2008-04-23 02:06:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2008-04-23 07:07:06 UTC - RP624 - Deckard's System Scanner Restore Point
25: 2008-04-22 04:39:37 UTC - RP623 - Software Distribution Service 3.0
24: 2008-04-21 02:28:52 UTC - RP622 - System Checkpoint
23: 2008-04-20 02:16:51 UTC - RP621 - System Checkpoint
22: 2008-04-19 01:28:51 UTC - RP620 - System Checkpoint


-- First Restore Point --
1: 2008-03-29 04:46:35 UTC - RP599 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Bri.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:20 AM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\YMANTE~1\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\?ystem\?ti2evxx.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\Documents and Settings\Bri\Desktop\dss.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\avciman.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimreal.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bri.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....amp;appindex=ds
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08A8068E-53D1-42B2-B197-6D568843721F} - C:\WINDOWS\system32\khfDwuVm.dll (file missing)
O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\hbtools\hbtv\hbtvhelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: {7b478b82-140e-a6fa-84e4-95592f5d7258} - {8527d5f2-9559-4e48-af6a-e04128b874b7} - C:\WINDOWS\system32\fbfdtejh.dll
O2 - BHO: (no name) - {BAAC4286-A632-82E0-4090-A58F715A7FE4} - C:\WINDOWS\system32\nix.dll
O2 - BHO: (no name) - {DE5D52C4-F387-44DB-AA5F-9BE69C702D22} - C:\WINDOWS\system32\opnkIxyw.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 2)" /O5 "LPT1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [BM5ffe043f] Rundll32.exe "C:\WINDOWS\system32\tupjlyno.dll",s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Excuph] C:\WINDOWS\?ystem\?ti2evxx.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bri\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200370412712
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: khfDwuVm - khfDwuVm.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10067 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080421-211703-101 O15 - Trusted Zone: *.errorprotector.com
backup-20080421-211703-216 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-264 O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
backup-20080421-211703-285 O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
backup-20080421-211703-306 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster...omeLeftPane.htm
backup-20080421-211703-324 O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Bri\lsass.exe
backup-20080421-211703-331 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF
968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
backup-20080421-211703-332 O15 - Trusted Zone: *.winfixer.com
backup-20080421-211703-339 O4 - HKLM\..\Run: [7B26340860737E225826] Rundll32.exe "C:\WINDOWS\system32\hyawrsuh.dll",s
backup-20080421-211703-347 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20080421-211703-371 O15 - Trusted Zone: *.errorprotector.com (HKLM)
backup-20080421-211703-439 O15 - Trusted Zone: *.systemdoctor.com
backup-20080421-211703-445 O15 - Trusted Zone: *.drivecleaner.com (HKLM)
backup-20080421-211703-475 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-595 O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20080421-211703-603 O15 - Trusted Zone: *.drivecleaner.com
backup-20080421-211703-656 O15 - Trusted Zone: *.imageservr.com (HKLM)
backup-20080421-211703-662 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-696 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-706 O15 - Trusted Zone: *.imagesrvr.com
backup-20080421-211703-760 O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20080421-211703-769 O4 - HKLM\..\Run: [5ccd37a3] rundll32.exe "C:\WINDOWS\system32\ydyrakor.dll",b
backup-20080421-211703-779 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080421-211703-788 O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20080421-211703-815 O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
backup-20080421-211703-823 O15 - Trusted Zone: *.imageservr.com
backup-20080421-211703-859 O15 - Trusted Zone: *.winantivirus.com
backup-20080421-211703-871 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080421-211703-873 O15 - Trusted Zone: *.errorsafe.com
backup-20080421-211703-929 O4 - HKCU\..\Run: [Mijlyrd] C:\WINDOWS\system32\?ystem32\??oolsv.exe
backup-20080421-211703-969 O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20080421-211703-993 O8 - Extra context menu item: &Search -

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 netflt (Panda Net Driver [NDIS Layer]) - c:\windows\system32\drivers\netflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 APPFLT (App Filter Plugin) - c:\windows\system32\drivers\appflt.sys <Not Verified; Panda Software; Panda Network Manager>
R1 DSAFLT (DSA Filter Plugin) - c:\windows\system32\drivers\dsaflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 FNETMON (NetMon Filter Plugin) - c:\windows\system32\drivers\fnetmon.sys <Not Verified; Panda Software; Panda Network Manager>
R1 IDSFLT (Ids Filter Plugin) - c:\windows\system32\drivers\idsflt.sys <Not Verified; Panda Software International; Panda residents>
R1 NETFLTDI (Panda Net Driver [TDI Layer]) - c:\windows\system32\drivers\netfltdi.sys <Not Verified; Panda Software; Panda®Network Manager>
R1 ShldDrv (Panda File Shield Driver) - c:\windows\system32\drivers\shlddrv.sys <Not Verified; Panda Software; Panda®Shield>
R1 SMSFLT (SMS Filter Plugin) - c:\windows\system32\drivers\smsflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 WNMFLT (Wifi Monitor Filter Plugin) - c:\windows\system32\drivers\wnmflt.sys <Not Verified; Panda Software International; Panda Residents>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 cpoint (Panda CPoint Driver) - c:\windows\system32\drivers\cpoint.sys <Not Verified; Panda Software; © Panda Software 2005>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 PavProc (Panda Process Protection Driver) - c:\windows\system32\drivers\pavproc.sys <Not Verified; Panda Software; PandaShield>
R3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 catchme - c:\docume~1\bri\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 PAVFNSVR (Panda Function Service) - "c:\program files\panda software\panda internet security 2007\pavfnsvr.exe" <Not Verified; Panda Software International; Panda Residents>
R2 PavPrSrv (Panda Process Protection Service) - "c:\program files\common files\panda software\pavshld\pavprsrv.exe" <Not Verified; Panda Software; PandaShield>
R2 PAVSRV (Panda anti-virus service) - "c:\program files\panda software\panda internet security 2007\pavsrv51.exe" <Not Verified; Panda Software International; Panda residents>
R2 pmshellsrv (Panda Antispam Engine) - c:\program files\panda software\panda internet security 2007\antispam\pskmssvc.exe <Not Verified; Panda Software International; Panda Anti-malware>
R2 PNMSRV (Panda Network Manager) - "c:\program files\panda software\panda internet security 2007\firewall\pnmsrv.exe" <Not Verified; Panda Software International; Panda residents>
R2 PSIMSVC (Panda IManager Service) - "c:\program files\panda software\panda internet security 2007\psimsvc.exe" <Not Verified; Panda Software; Panda Antivirus>
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-22 03:00:00 492 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-04-18 18:30:00 348 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELL-user).job
2008-04-18 11:46:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-23 01:29:06 0 d-------- C:\WINDOWS\?ystem
2008-04-23 01:28:55 60928 --a------ C:\WINDOWS\system32\nix.dll
2008-04-21 22:29:18 0 d-------- C:\WINDOWS\ERUNT
2008-04-21 18:13:24 87616 --a------ C:\WINDOWS\system32\ydyrakor.dll
2008-04-21 18:10:25 98368 --a------ C:\WINDOWS\system32\fbfdtejh.dll
2008-04-21 18:09:28 97344 --a------ C:\WINDOWS\system32\tupjlyno.dll
2008-04-21 16:45:26 0 d-------- C:\WINDOWS\??stem
2008-04-13 03:16:32 3648 --a------ C:\WINDOWS\system32\clwpntfl.dll
2008-04-12 03:22:35 92736 --a------ C:\WINDOWS\system32\pgmpnuvp.dll
2008-04-12 03:16:34 3648 --a------ C:\WINDOWS\system32\rskxoyto.dll
2008-04-11 03:25:28 92736 --a------ C:\WINDOWS\system32\dmydolpt.dll
2008-04-11 03:16:28 3648 --a------ C:\WINDOWS\system32\bkhpqllb.dll
2008-04-10 03:19:43 91712 --a------ C:\WINDOWS\system32\aonmwbea.dll
2008-04-10 03:13:57 3648 --a------ C:\WINDOWS\system32\fndirirp.dll
2008-04-09 03:13:26 90688 --a------ C:\WINDOWS\system32\kccbcxjm.dll
2008-04-09 03:13:21 3648 --a------ C:\WINDOWS\system32\edqfguof.dll
2008-04-09 01:58:47 0 d-------- C:\Documents and Settings\Bri\Application Data\??crosoft
2008-04-08 02:22:34 90176 --a------ C:\WINDOWS\system32\dsnvmtoc.dll
2008-04-08 01:31:18 0 d-------- C:\Program Files\Common Files\?ymantec
2008-04-07 12:27:14 40960 --a------ C:\WINDOWS\system32\iifgfcde.dll
2008-04-07 02:25:30 89664 --a------ C:\WINDOWS\system32\altjeghh.dll
2008-04-06 02:19:35 89664 --a------ C:\WINDOWS\system32\kqospofl.dll
2008-04-06 01:24:20 0 d-------- C:\WINDOWS\system32\?ystem32
2008-04-05 02:21:10 0 d-------- C:\WINDOWS\?racle
2008-04-05 02:21:00 37888 --a------ C:\WINDOWS\system32\fccayARH.dll
2008-04-05 02:19:23 90176 --a------ C:\WINDOWS\system32\ejlshssv.dll
2008-03-31 16:28:56 0 d-------- C:\WINDOWS\pss
2008-03-29 23:18:15 297 --a------ C:\271.bat
2008-03-29 20:38:13 90176 --a------ C:\WINDOWS\system32\qjejsfxd.dll
2008-03-29 04:04:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-03-29 02:51:21 39936 --a------ C:\WINDOWS\system32\ddcDSMeF.dll
2008-03-29 01:58:57 0 d-------- C:\Program Files\Trend Micro
2008-03-29 01:36:51 39936 --a------ C:\WINDOWS\system32\urqRJBTJ.dll
2008-03-29 00:44:43 0 d-------- C:\Documents and Settings\Bri\Application Data\AdwareAlert
2008-03-29 00:44:30 0 d-------- C:\Program Files\AdwareAlert
2008-03-29 00:26:12 0 d-------- C:\Program Files\SpywareDetector
2008-03-28 23:53:00 0 d-------- C:\BFU
2008-03-28 23:46:29 4980736 --a------ C:\Documents and Settings\Bri\ntuser.dat
2008-03-28 23:32:12 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-03-28 23:22:08 0 d-------- C:\InDesign CS2 Tryout
2008-03-28 20:57:48 0 d-------- C:\Program Files\Outerinfo
2008-03-28 20:57:47 0 d-------- C:\Documents and Settings\Bri\Application Data\?racle
2008-03-28 20:57:35 0 d-------- C:\WINDOWS\?ymantec
2008-03-28 20:40:20 90688 --a------ C:\WINDOWS\system32\nayxfqwr.dll
2008-03-28 20:37:22 127040 --a------ C:\WINDOWS\system32\hyawrsuh.dll
2008-03-27 20:32:40 426175 --ahs---- C:\WINDOWS\system32\wyxIknpo.ini2
2008-03-27 20:31:19 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>


-- Find3M Report ---------------------------------------------------------------

2008-04-23 01:29:06 0 d-------- C:\Documents and Settings\Bri\Application Data\??crosoft
2008-04-21 22:41:31 0 d-------- C:\Program Files\Common Files
2008-04-08 01:31:18 0 d-------- C:\Program Files\Common Files\?ymantec
2008-04-07 12:17:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-06 01:24:20 0 d-------- C:\Documents and Settings\Bri\Application Data\?racle
2008-03-30 02:22:00 0 d-------- C:\Documents and Settings\Bri\Application Data\AdobeUM
2008-03-29 04:06:22 0 d-------- C:\Documents and Settings\Bri\Application Data\Adobe
2008-03-29 00:50:34 0 d-------- C:\Program Files\AIM6
2008-03-29 00:50:32 0 d-------- C:\Program Files\MSN Messenger
2008-03-29 00:50:06 0 d-------- C:\Program Files\LimeWire
2008-03-28 23:32:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-19 22:59:52 0 d-------- C:\Program Files\Plaxo
2008-03-01 12:38:24 0 d-------- C:\Program Files\The Weather Channel FW
2008-02-25 17:19:44 0 d-------- C:\Program Files\Common Files\Real
2008-02-25 04:07:14 0 d-------- C:\Program Files\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08A8068E-53D1-42B2-B197-6D568843721F}]
C:\WINDOWS\system32\khfDwuVm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B18DD50-C996-44fc-AC52-0FECFF82ED58}]
c:\program files\hbtools\hbtv\hbtvhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8527d5f2-9559-4e48-af6a-e04128b874b7}]
04/21/2008 06:10 PM 98368 --a------ C:\WINDOWS\system32\fbfdtejh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAAC4286-A632-82E0-4090-A58F715A7FE4}]
04/11/2008 12:51 PM 60928 --a------ C:\WINDOWS\system32\nix.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE5D52C4-F387-44DB-AA5F-9BE69C702D22}]
C:\WINDOWS\system32\opnkIxyw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 10:00 PM]
"EPSON Stylus CX3800 Series (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 10:00 PM]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [02/01/2006 06:13 PM]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [10/11/2006 12:09 PM]
"BM5ffe043f"="C:\WINDOWS\system32\tupjlyno.dll" [04/21/2008 06:09 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 04:17 PM]
"Uaol"="C:\WINDOWS\YMANTE~1\javaw.exe" [03/28/2008 08:57 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"Excuph"="C:\WINDOWS\?ystem\?ti2evxx.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08A8068E-53D1-42B2-B197-6D568843721F}"= C:\WINDOWS\system32\khfDwuVm.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 09/27/2005 12:13 PM 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDwuVm]
khfDwuVm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\opnkIxyw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bri^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Bri\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5ccd37a3]
rundll32.exe "C:\WINDOWS\system32\irnndrna.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7B26340860737E225826]
Rundll32.exe "C:\WINDOWS\system32\hyawrsuh.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5ffe043f]
Rundll32.exe "C:\WINDOWS\system32\tupjlyno.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1148168156\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iprtfg]
"C:\Documents and Settings\Bri\Application Data\??crosoft\r?gedit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Bri\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
C:\WINDOWS\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
"C:\Program Files\Norton Ghost\Agent\GhostTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
"C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywxr]
"C:\Documents and Settings\Bri\Application Data\?racle\l?rear.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-23 02:09:10 ------------

Extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 502.07 MiB / 199.09 MiB
Pagefile Memory (total/avail): 1227.05 MiB / 871.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.36 MiB

C: is Fixed (NTFS) - 51.21 GiB total, 23.34 GiB free.
D: is Fixed (NTFS) - 18.6 GiB total, 0.94 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST380819AS - 74.5 GiB - 4 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 51.21 GiB - C:
\PARTITION2 - Installable File System - 18.6 GiB - D:
\PARTITION3 - Unknown - 4.64 GiB

\\.\PHYSICALDRIVE1 - CRS JET007 DISK 2.0 USB Device - 494.19 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 497.51 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Platinum 2007 Personal Firewall v11.00.02 (Panda Software)
AV: Platinum 2007 v11.00.02 (Panda Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1148168156\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\IM\\IM.exe"="C:\\Program Files\\IM\\IM.exe:*:Enabled:IM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Documents and Settings\\Bri\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Bri\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bri\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BRICOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bri
LOGONSERVER=\\BRICOMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Panda Software\Panda Internet Security 2007\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Bri\LOCALS~1\Temp
TMP=C:\DOCUME~1\Bri\LOCALS~1\Temp
USERDOMAIN=BRICOMPUTER
USERNAME=Bri
USERPROFILE=C:\Documents and Settings\Bri
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bri (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\SBC LightSpeed Self Support Tool\CustomUninstall.exe SBC
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5101}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe InDesign CS2 Trial --> msiexec /I{7F4C8163-F259-49A0-A018-2857A90578BC}
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AT&T Yahoo! Applications --> C:\PROGRA~1\Yahoo!\common\uninstall.exe
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Console Classix 3.8 --> "C:\Program Files\ConsoleClassix.com\unins000.exe"
CPV --> cmd /C regsvr32 /u /s "C:\Program Files\CPV\CPV7.dll" & reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV" /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v DelOldFile /d "cmd.exe /C del /Q \"C:\Program Files\CPV\"" /f
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Documentation & Support Launcher --> MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
EPSON CX 3800 Guide --> C:\Program Files\epson\guide\cx3800_e\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
Games, Music, & Photos Launcher --> MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotbar Browser, Weather and Wowpapers Tools --> "C:\Program Files\HbTools\Bin\HbtUninst.exe" Web
Hotbar Outlook Tools --> "C:\Program Files\HbTools\Bin\HbtUninst.exe" Outlook
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Internet Service Offers Launcher --> MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Motorola Driver Installation --> MsiExec.exe /I{8F4507EF-C5F3-46CE-9718-9D3698821333}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Bri\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MyEmoticons --> C:\Program Files\MyEmoticons\uninstall.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Outerinfo --> C:\Program Files\Outerinfo\OiUninstaller.exe
Panda Internet Security 2007 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEBA9416-3207-47E0-9022-116440599DBC}\SETUP.exe" -l0x9 -removeonly
PC Camer@ --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4815FFA5-64F3-4647-B3FD-9ECA84BD4C31} /l1033
Plaxo Toolbar for Outlook (with AIM Enhancements) --> C:\Program Files\Plaxo\2.13.1.3\uninstall.exe
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
The Weather Channel Desktop --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Weather Services --> C:\WINDOWS\system32\control.exe C:\PROGRA~1\THEWEA~1\FRAMEW~1\wxfw.cpl,4
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type13356 / Error
Event Submitted/Written: 04/23/2008 01:41:21 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type13355 / Error
Event Submitted/Written: 04/23/2008 01:41:18 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type13354 / Error
Event Submitted/Written: 04/23/2008 01:38:01 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type13348 / Error
Event Submitted/Written: 04/22/2008 07:08:16 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type13347 / Error
Event Submitted/Written: 04/22/2008 07:04:34 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14292 / Error
Event Submitted/Written: 04/23/2008 01:59:22 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type14291 / Error
Event Submitted/Written: 04/23/2008 01:59:04 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
APPFLT
DSAFLT
Fips
FNETMON
IDSFLT
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
NETFLTDI
RasAcd
Rdbss
ShldDrv
SMSFLT
Tcpip
WNMFLT
WS2IFSL

Event Record #/Type14290 / Error
Event Submitted/Written: 04/23/2008 01:59:04 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type14289 / Error
Event Submitted/Written: 04/23/2008 01:59:04 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Event Record #/Type14288 / Error
Event Submitted/Written: 04/23/2008 01:59:04 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-04-23 02:09:10 ------------

#6 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 23 April 2008 - 02:31 AM

Hi Bri,

One of the infections may be a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response. I'll now continue with instructions for cleaning.

Make hidden/system files and folders visible:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Show hidden files and folders
UNCHECK the Hide extensions for known file types option
UNCHECK the Hide protected operating system files (recommended) option
Click Yes to confirm and press OK

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://www.aumha.org...erunt-setup.exe
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Then, open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08A8068E-53D1-42B2-B197-6D568843721F}"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,6e,77,70,72,6f,76,61,75,\
  00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5ccd37a3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7B26340860737E225826]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5ffe043f]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iprtfg]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywxr]
Change the Save As Type to All Files and save it as fix.reg to your Desktop.
Locate fix.reg on your Desktop; if you did it right it should look like this: [image]
Don't use this file yet!


Download UnDLL by Eset to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Right-click undll.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Open the new folder and double-click UNDLL.EXE to start the program
  • Click the Select infected DLL button, then browse and select this file:

    C:\WINDOWS\system32\nix.dll

  • UnDLL will now attempt to delete the file
  • If prompted to reboot your computer, say No
  • Repeat the above steps for these files:

    C:\WINDOWS\system32\fbfdtejh.dll
    c:\windows\system32\tupjlyno.dll

  • Locate fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click Yes. You should then receive confirmation that the file was merged successfully.
  • Now reboot your computer

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear. Make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!
Once complete, please post the new DSS main.txt report.
ASAP & UNITE Member
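
A dry-run reader for the fix.reg in the post above, as an added example that is not part of silver's post or of any tool named in this thread: it lists what merging the file would delete or set, and decodes the hex(7) data so the new Authentication Packages value can be read before the file is merged. The function names and the cp1252 decoding of REGEDIT4 data are assumptions of this example; the embedded text is an excerpt of the posted file.

```python
import re

# Excerpt of the fix.reg posted above (REGEDIT4 = the older ANSI .reg format).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08A8068E-53D1-42B2-B197-6D568843721F}"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,6e,77,70,72,6f,76,61,75,\
  00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5ffe043f]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# A value line is either @=data (default value) or "name"=data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def logical_lines(text):
    """Yield stripped lines, joining hex data split with a trailing ',\\'."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(",\\"):
            buf += line[:-1]          # drop the backslash, keep the comma
            continue
        yield buf + line
        buf = ""


def decode_multi_sz(hex_csv, ansi):
    """Decode hex(7) (REG_MULTI_SZ) bytes into a list of strings."""
    data = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    # Assumption: REGEDIT4 stores ANSI bytes (cp1252 here), 5.00 stores UTF-16LE.
    text = data.decode("cp1252" if ansi else "utf-16-le")
    return [s for s in text.split("\x00") if s]


def plan_changes(text):
    """Return (action, key, value_name, data) tuples without touching the registry."""
    lines = list(logical_lines(text))
    # The header must be the very first line, which is why the post insists on
    # no blank line above REGEDIT4.
    if not lines or lines[0] not in HEADERS:
        raise ValueError("first line is not a .reg header")
    ansi = lines[0] == "REGEDIT4"
    actions, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] deletes the whole key
                actions.append(("delete-key", body[1:], None, None))
                key = None
            else:
                key = body
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsed line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data == "-":                       # "name"=- deletes one value
            actions.append(("delete-value", key, name, None))
        elif data.startswith("hex(7):"):
            strings = decode_multi_sz(data[len("hex(7):"):], ansi)
            actions.append(("set-multi-sz", key, name, strings))
        else:
            actions.append(("set-other", key, name, data))
    return actions


if __name__ == "__main__":
    for action, key, name, data in plan_changes(SAMPLE_REG):
        print(action, key, name or "", data if data is not None else "")
```
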

#7 Bri

Bri

    Authentic Member

  • Authentic Member
  • 48 posts

Posted 23 April 2008 - 09:27 PM

Deckard's System Scanner v20071014.68
Run by Bri on 2008-04-23 22:20:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
26: 2008-04-23 07:07:06 UTC - RP624 - Deckard's System Scanner Restore Point
25: 2008-04-22 04:39:37 UTC - RP623 - Software Distribution Service 3.0
24: 2008-04-21 02:28:52 UTC - RP622 - System Checkpoint
23: 2008-04-20 02:16:51 UTC - RP621 - System Checkpoint
22: 2008-04-19 01:28:51 UTC - RP620 - System Checkpoint


-- First Restore Point --
1: 2008-03-29 04:46:35 UTC - RP599 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Bri.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:04 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\YMANTE~1\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\?ystem\?ti2evxx.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Bri\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bri.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....amp;appindex=ds
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08A8068E-53D1-42B2-B197-6D568843721F} - C:\WINDOWS\system32\khfDwuVm.dll (file missing)
O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\hbtools\hbtv\hbtvhelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {DE5D52C4-F387-44DB-AA5F-9BE69C702D22} - C:\WINDOWS\system32\opnkIxyw.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 2)" /O5 "LPT1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [BM5ffe043f] Rundll32.exe "C:\WINDOWS\system32\tupjlyno.dll",s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Excuph] C:\WINDOWS\?ystem\?ti2evxx.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bri\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200370412712
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: khfDwuVm - khfDwuVm.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10000 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080421-211703-101 O15 - Trusted Zone: *.errorprotector.com
backup-20080421-211703-216 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-264 O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
backup-20080421-211703-285 O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
backup-20080421-211703-306 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster...omeLeftPane.htm
backup-20080421-211703-324 O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Bri\lsass.exe
backup-20080421-211703-331 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF
968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
backup-20080421-211703-332 O15 - Trusted Zone: *.winfixer.com
backup-20080421-211703-339 O4 - HKLM\..\Run: [7B26340860737E225826] Rundll32.exe "C:\WINDOWS\system32\hyawrsuh.dll",s
backup-20080421-211703-347 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20080421-211703-371 O15 - Trusted Zone: *.errorprotector.com (HKLM)
backup-20080421-211703-439 O15 - Trusted Zone: *.systemdoctor.com
backup-20080421-211703-445 O15 - Trusted Zone: *.drivecleaner.com (HKLM)
backup-20080421-211703-475 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-595 O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20080421-211703-603 O15 - Trusted Zone: *.drivecleaner.com
backup-20080421-211703-656 O15 - Trusted Zone: *.imageservr.com (HKLM)
backup-20080421-211703-662 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-696 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-706 O15 - Trusted Zone: *.imagesrvr.com
backup-20080421-211703-760 O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20080421-211703-769 O4 - HKLM\..\Run: [5ccd37a3] rundll32.exe "C:\WINDOWS\system32\ydyrakor.dll",b
backup-20080421-211703-779 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080421-211703-788 O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20080421-211703-815 O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
backup-20080421-211703-823 O15 - Trusted Zone: *.imageservr.com
backup-20080421-211703-859 O15 - Trusted Zone: *.winantivirus.com
backup-20080421-211703-871 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080421-211703-873 O15 - Trusted Zone: *.errorsafe.com
backup-20080421-211703-929 O4 - HKCU\..\Run: [Mijlyrd] C:\WINDOWS\system32\?ystem32\??oolsv.exe
backup-20080421-211703-969 O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20080421-211703-993 O8 - Extra context menu item: &Search -

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 netflt (Panda Net Driver [NDIS Layer]) - c:\windows\system32\drivers\netflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 APPFLT (App Filter Plugin) - c:\windows\system32\drivers\appflt.sys <Not Verified; Panda Software; Panda Network Manager>
R1 DSAFLT (DSA Filter Plugin) - c:\windows\system32\drivers\dsaflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 FNETMON (NetMon Filter Plugin) - c:\windows\system32\drivers\fnetmon.sys <Not Verified; Panda Software; Panda Network Manager>
R1 IDSFLT (Ids Filter Plugin) - c:\windows\system32\drivers\idsflt.sys <Not Verified; Panda Software International; Panda residents>
R1 NETFLTDI (Panda Net Driver [TDI Layer]) - c:\windows\system32\drivers\netfltdi.sys <Not Verified; Panda Software; Panda®Network Manager>
R1 ShldDrv (Panda File Shield Driver) - c:\windows\system32\drivers\shlddrv.sys <Not Verified; Panda Software; Panda®Shield>
R1 SMSFLT (SMS Filter Plugin) - c:\windows\system32\drivers\smsflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 WNMFLT (Wifi Monitor Filter Plugin) - c:\windows\system32\drivers\wnmflt.sys <Not Verified; Panda Software International; Panda Residents>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 cpoint (Panda CPoint Driver) - c:\windows\system32\drivers\cpoint.sys <Not Verified; Panda Software; © Panda Software 2005>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 PavProc (Panda Process Protection Driver) - c:\windows\system32\drivers\pavproc.sys <Not Verified; Panda Software; PandaShield>
R3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 catchme - c:\docume~1\bri\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 PAVFNSVR (Panda Function Service) - "c:\program files\panda software\panda internet security 2007\pavfnsvr.exe" <Not Verified; Panda Software International; Panda Residents>
R2 PavPrSrv (Panda Process Protection Service) - "c:\program files\common files\panda software\pavshld\pavprsrv.exe" <Not Verified; Panda Software; PandaShield>
R2 PAVSRV (Panda anti-virus service) - "c:\program files\panda software\panda internet security 2007\pavsrv51.exe" <Not Verified; Panda Software International; Panda residents>
R2 pmshellsrv (Panda Antispam Engine) - c:\program files\panda software\panda internet security 2007\antispam\pskmssvc.exe <Not Verified; Panda Software International; Panda Anti-malware>
R2 PNMSRV (Panda Network Manager) - "c:\program files\panda software\panda internet security 2007\firewall\pnmsrv.exe" <Not Verified; Panda Software International; Panda residents>
R2 PSIMSVC (Panda IManager Service) - "c:\program files\panda software\panda internet security 2007\psimsvc.exe" <Not Verified; Panda Software; Panda Antivirus>
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 748)
2005-09-27 12:13:48 45056 --a------ C:\WINDOWS\system32\avldr.dll <Not Verified; Panda Software; Panda Antivirus for Windows NT/2000/XP/2003>

C:\WINDOWS\system32\svchost.exe (pid 1324)
2006-09-08 10:24:44 167936 --a------ C:\Program Files\Panda Software\Panda Internet Security 2007\pavlsp.dll <Not Verified; Panda Software International; Panda residents>
2006-09-08 10:57:30 131072 --a------ C:\Program Files\Panda Software\Panda Internet Security 2007\icl_cfg.dll <Not Verified; Panda Software International; Panda residents>

C:\WINDOWS\explorer.exe (pid 2148)
2006-03-06 18:08:00 102400 --a------ C:\Program Files\Panda Software\Panda Internet Security 2007\pavoepl.dll <Not Verified; Panda Software International; PavOEpl. Outlook Express Integration>


-- Scheduled Tasks -------------------------------------------------------------

2008-04-23 03:00:00 492 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-04-18 18:30:00 348 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELL-user).job
2008-04-18 11:46:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-23 01:29:06 0 d-------- C:\WINDOWS\?ystem
2008-04-21 22:29:18 0 d-------- C:\WINDOWS\ERUNT
2008-04-21 18:13:24 87616 --a------ C:\WINDOWS\system32\ydyrakor.dll
2008-04-21 16:45:26 0 d-------- C:\WINDOWS\??stem
2008-04-13 03:16:32 3648 --a------ C:\WINDOWS\system32\clwpntfl.dll
2008-04-12 03:22:35 92736 --a------ C:\WINDOWS\system32\pgmpnuvp.dll
2008-04-12 03:16:34 3648 --a------ C:\WINDOWS\system32\rskxoyto.dll
2008-04-11 03:25:28 92736 --a------ C:\WINDOWS\system32\dmydolpt.dll
2008-04-11 03:16:28 3648 --a------ C:\WINDOWS\system32\bkhpqllb.dll
2008-04-10 03:19:43 91712 --a------ C:\WINDOWS\system32\aonmwbea.dll
2008-04-10 03:13:57 3648 --a------ C:\WINDOWS\system32\fndirirp.dll
2008-04-09 03:13:26 90688 --a------ C:\WINDOWS\system32\kccbcxjm.dll
2008-04-09 03:13:21 3648 --a------ C:\WINDOWS\system32\edqfguof.dll
2008-04-09 01:58:47 0 d-------- C:\Documents and Settings\Bri\Application Data\??crosoft
2008-04-08 02:22:34 90176 --a------ C:\WINDOWS\system32\dsnvmtoc.dll
2008-04-08 01:31:18 0 d-------- C:\Program Files\Common Files\?ymantec
2008-04-07 12:27:14 40960 --a------ C:\WINDOWS\system32\iifgfcde.dll
2008-04-07 02:25:30 89664 --a------ C:\WINDOWS\system32\altjeghh.dll
2008-04-06 02:19:35 89664 --a------ C:\WINDOWS\system32\kqospofl.dll
2008-04-06 01:24:20 0 d-------- C:\WINDOWS\system32\?ystem32
2008-04-05 02:21:10 0 d-------- C:\WINDOWS\?racle
2008-04-05 02:21:00 37888 --a------ C:\WINDOWS\system32\fccayARH.dll
2008-04-05 02:19:23 90176 --a------ C:\WINDOWS\system32\ejlshssv.dll
2008-03-31 16:28:56 0 d-------- C:\WINDOWS\pss
2008-03-29 23:18:15 297 --a------ C:\271.bat
2008-03-29 20:38:13 90176 --a------ C:\WINDOWS\system32\qjejsfxd.dll
2008-03-29 04:04:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-03-29 02:51:21 39936 --a------ C:\WINDOWS\system32\ddcDSMeF.dll
2008-03-29 01:58:57 0 d-------- C:\Program Files\Trend Micro
2008-03-29 01:36:51 39936 --a------ C:\WINDOWS\system32\urqRJBTJ.dll
2008-03-29 00:44:43 0 d-------- C:\Documents and Settings\Bri\Application Data\AdwareAlert
2008-03-29 00:44:30 0 d-------- C:\Program Files\AdwareAlert
2008-03-29 00:26:12 0 d-------- C:\Program Files\SpywareDetector
2008-03-28 23:53:00 0 d-------- C:\BFU
2008-03-28 23:46:29 4980736 --a------ C:\Documents and Settings\Bri\ntuser.dat
2008-03-28 23:32:12 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-03-28 23:22:08 0 d-------- C:\InDesign CS2 Tryout
2008-03-28 20:57:48 0 d-------- C:\Program Files\Outerinfo
2008-03-28 20:57:47 0 d-------- C:\Documents and Settings\Bri\Application Data\?racle
2008-03-28 20:57:35 0 d-------- C:\WINDOWS\?ymantec
2008-03-28 20:40:20 90688 --a------ C:\WINDOWS\system32\nayxfqwr.dll
2008-03-28 20:37:22 127040 --a------ C:\WINDOWS\system32\hyawrsuh.dll
2008-03-27 20:32:40 426175 --ahs---- C:\WINDOWS\system32\wyxIknpo.ini2
2008-03-27 20:31:19 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>


-- Find3M Report ---------------------------------------------------------------

2008-04-23 01:29:06 0 d-------- C:\Documents and Settings\Bri\Application Data\??crosoft
2008-04-21 22:41:31 0 d-------- C:\Program Files\Common Files
2008-04-08 01:31:18 0 d-------- C:\Program Files\Common Files\?ymantec
2008-04-07 12:17:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-06 01:24:20 0 d-------- C:\Documents and Settings\Bri\Application Data\?racle
2008-03-30 02:22:00 0 d-------- C:\Documents and Settings\Bri\Application Data\AdobeUM
2008-03-29 04:06:22 0 d-------- C:\Documents and Settings\Bri\Application Data\Adobe
2008-03-29 00:50:34 0 d-------- C:\Program Files\AIM6
2008-03-29 00:50:32 0 d-------- C:\Program Files\MSN Messenger
2008-03-29 00:50:06 0 d-------- C:\Program Files\LimeWire
2008-03-28 23:32:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-19 22:59:52 0 d-------- C:\Program Files\Plaxo
2008-03-01 12:38:24 0 d-------- C:\Program Files\The Weather Channel FW
2008-02-25 17:19:44 0 d-------- C:\Program Files\Common Files\Real
2008-02-25 04:07:14 0 d-------- C:\Program Files\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08A8068E-53D1-42B2-B197-6D568843721F}]
C:\WINDOWS\system32\khfDwuVm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B18DD50-C996-44fc-AC52-0FECFF82ED58}]
c:\program files\hbtools\hbtv\hbtvhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE5D52C4-F387-44DB-AA5F-9BE69C702D22}]
C:\WINDOWS\system32\opnkIxyw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 10:00 PM]
"EPSON Stylus CX3800 Series (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 10:00 PM]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [02/01/2006 06:13 PM]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [10/11/2006 12:09 PM]
"BM5ffe043f"="C:\WINDOWS\system32\tupjlyno.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 04:17 PM]
"Uaol"="C:\WINDOWS\YMANTE~1\javaw.exe" [03/28/2008 08:57 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"Excuph"="C:\WINDOWS\?ystem\?ti2evxx.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Bri\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 09/27/2005 12:13 PM 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDwuVm]
khfDwuVm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bri^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Bri\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1148168156\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
C:\WINDOWS\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
"C:\Program Files\Norton Ghost\Agent\GhostTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe


-- End of Deckard's System Scanner: finished at 2008-04-23 22:22:33 ------------


I'm thinking that it would be a good idea to reformat but would that mean I have to back up anything I don't want to lose?

Btw thank you for all your help
-bri

#8 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 24 April 2008 - 07:09 AM

Hi Bri,

Yes, reformatting means you need to back everything up; you would be wiping the drive clean and starting again. I can clean your machine so that I am very confident there is no malware present, but if you need a 100% assurance the only way is to reformat.
Here is some more information to help you decide:
  • How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  • When Should I Format, How Should I Reinstall
  • Reformatting Windows by wng_z3r0

I will now continue with instructions for cleaning but if you decide to reformat then please let me know in your next response.

------------------------------------------------------------------------

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

Hotbar Browser, Weather and Wowpapers Tools
Hotbar Outlook Tools
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
MyEmoticons
Outerinfo

The Java installations are out of date and are now a security risk; you can get the latest update (version 6 update 6) from here.

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
To remove, uninstall these via Add/Remove Programs:

Viewpoint Manager (Remove Only)
Viewpoint Media Player


You have LimeWire, a P2P file sharing program, installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours.
You can remove LimeWire via Add/Remove Programs.

------------------------------------------------------------------------

Please open this page in your browser:
http://www.bleepingc....php?channel=32

Fill in the "link to topic" field with a link to this topic.
Copy/paste the following into the "Browse to the file you want to submit" field:

C:\271.bat

Then press Send File; this will upload the file for analysis.

------------------------------------------------------------------------

Now open HijackThis and select Open the Misc Tools section.
Press the Open Uninstall Manager... button
Find the entry for CPV and click it to highlight it
Then press the Delete this entry button and say Yes to the prompt.

Next, press Back, Scan and place a checkmark next to the following lines:

O2 - BHO: (no name) - {08A8068E-53D1-42B2-B197-6D568843721F} - C:\WINDOWS\system32\khfDwuVm.dll (file missing)
O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\hbtools\hbtv\hbtvhelper.dll (file missing)
O2 - BHO: (no name) - {DE5D52C4-F387-44DB-AA5F-9BE69C702D22} - C:\WINDOWS\system32\opnkIxyw.dll (file missing)
O4 - HKLM\..\Run: [BM5ffe043f] Rundll32.exe "C:\WINDOWS\system32\tupjlyno.dll",s
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Excuph] C:\WINDOWS\?ystem\?ti2evxx.exe
O20 - Winlogon Notify: khfDwuVm - khfDwuVm.dll (file missing)

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    C:\WINDOWS\system32\ydyrakor.dll
    C:\WINDOWS\system32\clwpntfl.dll
    C:\WINDOWS\system32\pgmpnuvp.dll
    C:\WINDOWS\system32\rskxoyto.dll
    C:\WINDOWS\system32\dmydolpt.dll
    C:\WINDOWS\system32\bkhpqllb.dll
    C:\WINDOWS\system32\aonmwbea.dll
    C:\WINDOWS\system32\fndirirp.dll
    C:\WINDOWS\system32\kccbcxjm.dll
    C:\WINDOWS\system32\edqfguof.dll
    C:\WINDOWS\system32\dsnvmtoc.dll
    C:\WINDOWS\system32\iifgfcde.dll
    C:\WINDOWS\system32\altjeghh.dll
    C:\WINDOWS\system32\kqospofl.dll
    C:\WINDOWS\system32\fccayARH.dll
    C:\WINDOWS\system32\ejlshssv.dll
    C:\WINDOWS\system32\qjejsfxd.dll
    C:\WINDOWS\system32\ddcDSMeF.dll
    C:\WINDOWS\system32\urqRJBTJ.dll
    C:\WINDOWS\system32\nayxfqwr.dll
    C:\WINDOWS\system32\hyawrsuh.dll
    C:\WINDOWS\system32\wyxIknpo.ini2
    C:\WINDOWS\system32\fbfdtejh.dll
    C:\WINDOWS\system32\mssbctmx.dll
    C:\WINDOWS\system32\opnkIxyw.dll
    C:\Program Files\HbTools
    C:\WINDOWS\?ystem /u
    C:\WINDOWS\system32\nix.dll
    C:\WINDOWS\??stem /u
    C:\Documents and Settings\Bri\Application Data\??crosoft /u
    C:\Program Files\Common Files\?ymantec /u
    C:\WINDOWS\system32\?ystem32 /u
    C:\WINDOWS\?racle /u
    C:\Program Files\Outerinfo
    C:\Documents and Settings\Bri\Application Data\?racle /u
    C:\WINDOWS\?ymantec /u
    C:\Documents and Settings\Bri\Application Data\??crosoft /u
    C:\Program Files\Common Files\?ymantec /u
    C:\Documents and Settings\Bri\Application Data\?racle /u
    purity
    cleantemp
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2

------------------------------------------------------------------------

Clean with MalwareBytes' Anti-Malware
  • Please download the Installer to your Desktop from here:
    http://www.besttechi.../mbam-setup.exe
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to both of these options:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure everything is checked, and click Remove Selected.
  • When finished, a log will open in Notepad. Please save it to your Desktop, and post the contents in your reply.
  • The log can also be found here if you need it:
    • Start->All Programs->Malwarebytes' Anti-Malware->Logs

------------------------------------------------------------------------

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear, make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!

Once complete, please post the OTMoveIt report, the MalwareBytes Antimalware report and the new DSS main.txt report.
ASAP & UNITE Member
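
The HijackThis lines picked out in the posts above show a few traits that can be checked mechanically. The following is an added example, not part of the original thread or of any tool named in it: a small triage pass over HijackThis-format lines. The flag names and the heuristics are assumptions made for illustration and are review cues, not verdicts; the sample lines are copied from the posts, except the last one, which is a constructed benign control.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any platform

# HijackThis-format lines copied from the posts above; the final line is a
# constructed benign control entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {08A8068E-53D1-42B2-B197-6D568843721F} - C:\WINDOWS\system32\khfDwuVm.dll (file missing)
O4 - HKLM\..\Run: [BM5ffe043f] Rundll32.exe "C:\WINDOWS\system32\tupjlyno.dll",s
O4 - HKCU\..\Run: [Excuph] C:\WINDOWS\?ystem\?ti2evxx.exe
O4 - HKCU\..\Run: [Mijlyrd] C:\WINDOWS\system32\?ystem32\??oolsv.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O20 - Winlogon Notify: khfDwuVm - khfDwuVm.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# First drive-rooted path ending in an executable-type extension. '?' is
# deliberately allowed so placeholder characters survive extraction.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*\r\n]*?\.(?:exe|dll|sys|bat)\b', re.I)

# Windows XP core processes that normally run from %SystemRoot%\system32.
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe"}


def triage_line(line):
    """Parse one log line; return its section code, path and review flags."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # blank line or not a HijackThis entry
    code, body = m.group("code"), m.group("body").rstrip()
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    reasons = []

    # The registration is still present but its target is gone.
    if body.endswith("(file missing)"):
        reasons.append("target-missing")

    if path:
        # '?' is not a legal character in a Windows file name, so in a log
        # it stands for a character the tool could not render.
        if "?" in path:
            reasons.append("unrenderable-char")

        # A core process name launched from outside system32.
        if (basename(path).lower() in SYSTEM_NAMES
                and not dirname(path).lower().endswith("\\system32")):
            reasons.append("system-name-wrong-dir")

        # An autorun that loads a DLL through rundll32 (legitimate software
        # does this too, so it is only a cue to look at the DLL).
        if (code == "O4" and path.lower().endswith(".dll")
                and re.search(r"\brundll32(\.exe)?\b", body, re.I)):
            reasons.append("rundll32-autorun")

    return {"code": code, "path": path, "reasons": reasons}


def triage(log_text):
    """Return only the entries that raised at least one review flag."""
    results = (triage_line(line) for line in log_text.splitlines())
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["code"], hit["path"] or "(no full path)", hit["reasons"])
```
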

#9 silver

Posted 26 April 2008 - 07:48 PM

How are you getting on? If you have decided to reformat please let me know so we can close this topic.

#10 Bri

Posted 27 April 2008 - 11:18 PM

I'm working on all the steps now and I should be done tonight.


#11 Bri

Posted 27 April 2008 - 11:34 PM

File/Folder C:\Program Files\HbTools not found.
< C:\WINDOWS\?ystem /u >
C:\WINDOWS\?ystem moved successfully.
File/Folder C:\WINDOWS\system32\nix.dll not found.
< C:\WINDOWS\??stem /u >
C:\WINDOWS\??stem moved successfully.
< C:\Documents and Settings\Bri\Application Data\??crosoft /u >
C:\Documents and Settings\Bri\Application Data\??crosoft moved successfully.
< C:\Program Files\Common Files\?ymantec /u >
C:\Program Files\Common Files\?ymantec moved successfully.
< C:\WINDOWS\system32\?ystem32 /u >
C:\WINDOWS\system32\?ystem32 moved successfully.
< C:\WINDOWS\?racle /u >
C:\WINDOWS\?racle moved successfully.
File/Folder C:\Program Files\Outerinfo not found.
< C:\Documents and Settings\Bri\Application Data\?racle /u >
C:\Documents and Settings\Bri\Application Data\?racle moved successfully.
< C:\WINDOWS\?ymantec /u >
C:\WINDOWS\?ymantec moved successfully.
< C:\Documents and Settings\Bri\Application Data\??crosoft /u >
File/Folder C:\Documents and Settings\Bri\Application Data\??crosoft not found.
< C:\Program Files\Common Files\?ymantec /u >
File/Folder C:\Program Files\Common Files\?ymantec not found.
< C:\Documents and Settings\Bri\Application Data\?racle /u >
File/Folder C:\Documents and Settings\Bri\Application Data\?racle not found.
< purity >
File/Folder cleantemp not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_000438



Malwarebytes' Anti-Malware 1.11
Database version: 692

Scan type: Quick Scan
Objects scanned: 39384
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 75
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\panda software\panda internet security 2007\PavMiCli.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\panda software\panda internet security 2007\PavMiCli.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Bri\Local Settings\Temp\sdexe.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\6P9PNOFS\!update-4495[1].0000 (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\C3TVK305\26453da423d82a5fc6fae941d05f1151[1].zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\DMSCHRYS\zrt20080408[1] (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\S16X0Q0Q\93e4c2046fcb4ac4bdc3dbbcc28127fb[1].zip (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\S16X0Q0Q\c70bfcdfc030e694a9d4fcbd6c8484af[1].zip (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\S16X0Q0Q\glas[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Local Settings\Temporary Internet Files\Content.IE5\XY7F4UMD\17PHolmes[1].cmt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.url (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\vistaCPtasks.xml (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert\Log\2008 Mar 29 - 01_35_59 AM_562.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert\Log\2008 Mar 29 - 12_44_43 AM_655.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert\Log\2008 Mar 29 - 12_44_53 AM_170.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bri\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\a.zip (Trojan.Downloader) -> Quarantined and deleted successfully.




Deckard's System Scanner v20071014.68
Run by Bri on 2008-04-28 00:32:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
30: 2008-04-28 05:32:12 UTC - RP628 - Deckard's System Scanner Restore Point
29: 2008-04-28 04:00:08 UTC - RP627 - Removed Java 2 Runtime Environment, SE v1.4.2_03
28: 2008-04-28 03:58:53 UTC - RP626 - Removed J2SE Runtime Environment 5.0 Update 3
27: 2008-04-24 07:43:16 UTC - RP625 - System Checkpoint
26: 2008-04-23 07:07:06 UTC - RP624 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-03-29 04:46:35 UTC - RP599 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Bri.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:30 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\system32\dllhost.exe
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimreal.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Bri\desktop\dss.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\avciman.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bri.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell....amp;appindex=ds
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 2)" /O5 "LPT1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bri\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200370412712
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9235 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080421-211703-101 O15 - Trusted Zone: *.errorprotector.com
backup-20080421-211703-216 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-264 O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt yazb
backup-20080421-211703-285 O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
backup-20080421-211703-306 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster...omeLeftPane.htm
backup-20080421-211703-324 O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Bri\lsass.exe
backup-20080421-211703-331 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
backup-20080421-211703-332 O15 - Trusted Zone: *.winfixer.com
backup-20080421-211703-339 O4 - HKLM\..\Run: [7B26340860737E225826] Rundll32.exe "C:\WINDOWS\system32\hyawrsuh.dll",s
backup-20080421-211703-347 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20080421-211703-371 O15 - Trusted Zone: *.errorprotector.com (HKLM)
backup-20080421-211703-439 O15 - Trusted Zone: *.systemdoctor.com
backup-20080421-211703-445 O15 - Trusted Zone: *.drivecleaner.com (HKLM)
backup-20080421-211703-475 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-595 O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20080421-211703-603 O15 - Trusted Zone: *.drivecleaner.com
backup-20080421-211703-656 O15 - Trusted Zone: *.imageservr.com (HKLM)
backup-20080421-211703-662 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-696 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080421-211703-706 O15 - Trusted Zone: *.imagesrvr.com
backup-20080421-211703-760 O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20080421-211703-769 O4 - HKLM\..\Run: [5ccd37a3] rundll32.exe "C:\WINDOWS\system32\ydyrakor.dll",b
backup-20080421-211703-779 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080421-211703-788 O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20080421-211703-815 O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
backup-20080421-211703-823 O15 - Trusted Zone: *.imageservr.com
backup-20080421-211703-859 O15 - Trusted Zone: *.winantivirus.com
backup-20080421-211703-871 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080421-211703-873 O15 - Trusted Zone: *.errorsafe.com
backup-20080421-211703-929 O4 - HKCU\..\Run: [Mijlyrd] C:\WINDOWS\system32\?ystem32\??oolsv.exe
backup-20080421-211703-969 O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20080421-211703-993 O8 - Extra context menu item: &Search -
backup-20080428-000103-217 O4 - HKLM\..\Run: [BM5ffe043f] Rundll32.exe "C:\WINDOWS\system32\tupjlyno.dll",s
backup-20080428-000103-227 O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\hbtools\hbtv\hbtvhelper.dll (file missing)
backup-20080428-000103-306 O20 - Winlogon Notify: khfDwuVm - khfDwuVm.dll (file missing)
backup-20080428-000103-402 O2 - BHO: (no name) - {DE5D52C4-F387-44DB-AA5F-9BE69C702D22} - C:\WINDOWS\system32\opnkIxyw.dll (file missing)
backup-20080428-000103-891 O2 - BHO: (no name) - {08A8068E-53D1-42B2-B197-6D568843721F} - C:\WINDOWS\system32\khfDwuVm.dll (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 netflt (Panda Net Driver [NDIS Layer]) - c:\windows\system32\drivers\netflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 APPFLT (App Filter Plugin) - c:\windows\system32\drivers\appflt.sys <Not Verified; Panda Software; Panda Network Manager>
R1 DSAFLT (DSA Filter Plugin) - c:\windows\system32\drivers\dsaflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 FNETMON (NetMon Filter Plugin) - c:\windows\system32\drivers\fnetmon.sys <Not Verified; Panda Software; Panda Network Manager>
R1 IDSFLT (Ids Filter Plugin) - c:\windows\system32\drivers\idsflt.sys <Not Verified; Panda Software International; Panda residents>
R1 NETFLTDI (Panda Net Driver [TDI Layer]) - c:\windows\system32\drivers\netfltdi.sys <Not Verified; Panda Software; Panda®Network Manager>
R1 ShldDrv (Panda File Shield Driver) - c:\windows\system32\drivers\shlddrv.sys <Not Verified; Panda Software; Panda®Shield>
R1 SMSFLT (SMS Filter Plugin) - c:\windows\system32\drivers\smsflt.sys <Not Verified; Panda Software International; Panda Residents>
R1 WNMFLT (Wifi Monitor Filter Plugin) - c:\windows\system32\drivers\wnmflt.sys <Not Verified; Panda Software International; Panda Residents>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 cpoint (Panda CPoint Driver) - c:\windows\system32\drivers\cpoint.sys <Not Verified; Panda Software; © Panda Software 2005>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 PavProc (Panda Process Protection Driver) - c:\windows\system32\drivers\pavproc.sys <Not Verified; Panda Software; PandaShield>
R3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 catchme - c:\docume~1\bri\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 PAVFNSVR (Panda Function Service) - "c:\program files\panda software\panda internet security 2007\pavfnsvr.exe" <Not Verified; Panda Software International; Panda Residents>
R2 PavPrSrv (Panda Process Protection Service) - "c:\program files\common files\panda software\pavshld\pavprsrv.exe" <Not Verified; Panda Software; PandaShield>
R2 PAVSRV (Panda anti-virus service) - "c:\program files\panda software\panda internet security 2007\pavsrv51.exe" <Not Verified; Panda Software International; Panda residents>
R2 pmshellsrv (Panda Antispam Engine) - c:\program files\panda software\panda internet security 2007\antispam\pskmssvc.exe <Not Verified; Panda Software International; Panda Anti-malware>
R2 PNMSRV (Panda Network Manager) - "c:\program files\panda software\panda internet security 2007\firewall\pnmsrv.exe" <Not Verified; Panda Software International; Panda residents>
R2 PSIMSVC (Panda IManager Service) - "c:\program files\panda software\panda internet security 2007\psimsvc.exe" <Not Verified; Panda Software; Panda Antivirus>
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 744)
2005-09-27 12:13:48 45056 --a------ C:\WINDOWS\system32\avldr.dll <Not Verified; Panda Software; Panda Antivirus for Windows NT/2000/XP/2003>

C:\WINDOWS\system32\svchost.exe (pid 1316)
2006-09-08 10:24:44 167936 --a------ C:\Program Files\Panda Software\Panda Internet Security 2007\pavlsp.dll <Not Verified; Panda Software International; Panda residents>
2006-09-08 10:57:30 131072 --a------ C:\Program Files\Panda Software\Panda Internet Security 2007\icl_cfg.dll <Not Verified; Panda Software International; Panda residents>

C:\WINDOWS\explorer.exe (pid 464)
2006-03-06 18:08:00 102400 --a------ C:\Program Files\Panda Software\Panda Internet Security 2007\pavoepl.dll <Not Verified; Panda Software International; PavOEpl. Outlook Express Integration>


-- Scheduled Tasks -------------------------------------------------------------

2008-04-24 03:00:00 492 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-04-18 18:30:00 348 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELL-user).job
2008-04-18 11:46:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-28 00:07:11 0 d-------- C:\Documents and Settings\Bri\Application Data\Malwarebytes
2008-04-28 00:06:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 00:06:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 22:29:18 0 d-------- C:\WINDOWS\ERUNT
2008-03-31 16:28:56 0 d-------- C:\WINDOWS\pss
2008-03-29 23:18:15 297 --a------ C:\271.bat
2008-03-29 04:04:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-03-29 01:58:57 0 d-------- C:\Program Files\Trend Micro
2008-03-29 00:26:12 0 d-------- C:\Program Files\SpywareDetector
2008-03-28 23:53:00 0 d-------- C:\BFU
2008-03-28 23:46:29 4980736 --a------ C:\Documents and Settings\Bri\ntuser.dat
2008-03-28 23:32:12 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-03-28 23:22:08 0 d-------- C:\InDesign CS2 Tryout


-- Find3M Report ---------------------------------------------------------------

2008-04-28 00:04:42 0 d-------- C:\Program Files\Common Files
2008-04-07 12:17:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-30 02:22:00 0 d-------- C:\Documents and Settings\Bri\Application Data\AdobeUM
2008-03-29 04:06:22 0 d-------- C:\Documents and Settings\Bri\Application Data\Adobe
2008-03-29 00:50:34 0 d-------- C:\Program Files\AIM6
2008-03-29 00:50:32 0 d-------- C:\Program Files\MSN Messenger
2008-03-29 00:50:06 0 d-------- C:\Program Files\LimeWire
2008-03-28 23:32:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-27 20:31:19 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-03-19 22:59:52 0 d-------- C:\Program Files\Plaxo
2008-03-01 12:38:24 0 d-------- C:\Program Files\The Weather Channel FW


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 10:00 PM]
"EPSON Stylus CX3800 Series (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [02/07/2005 10:00 PM]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [02/01/2006 06:13 PM]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [10/11/2006 12:09 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 04:17 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Bri\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 09/27/2005 12:13 PM 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bri^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Bri\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1148168156\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
C:\WINDOWS\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
"C:\Program Files\Norton Ghost\Agent\GhostTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-28 00:33:53 ------------

#12 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 28 April 2008 - 01:19 AM

Hi Bri,

The OTMoveIt report doesn't appear to be complete, please locate the original log and post a copy for me to see:
Open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


You followed the upload instructions correctly but it didn't work for some reason, we'll try something different:

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:

    @echo off
    ECHO Y|cacls 271.bat /g %username%:F >> results.txt 2>>&1
    type 271.bat >> results.txt 2>>&1
    dir "c:\PavMiCli.dll" /a /s >> results.txt 2>>&1
    del runme.bat

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Fix file associations with DSS:
  • Make sure DSS.exe is on your Desktop
  • Next press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /daft

  • Press OK to the disclaimer(s) and then press Scan
  • Place checkmarks in the boxes marked .reg and .scr and press Fix
  • Then close Deckard's System Scanner

------------------------------------------------------------------------

Backup Your Registry again with ERUNT:
If the program is still installed, then select Start->All Programs->ERUNT->ERUNT and OK the prompts to create a new registry backup.

If the program is no longer installed, then here are the full instructions:
  • Download ERUNT to your Desktop from here:
    http://www.aumha.org...erunt-setup.exe
  • Double-click erunt-setup.exe, follow the prompts to install the program but when asked if you wish to Create an ERUNT entry in the Startup folder say No
  • ERUNT should start automatically, if it does not then click Start->All Programs->ERUNT->ERUNT
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Then, open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Change the Save As Type to All Files and save it as fix.reg to your Desktop.
Locate fix.reg on your Desktop, if you did it right it should look like this: [image]
Double-click it, when it asks if you want to merge with the registry, click Yes.
You can then delete fix.reg

------------------------------------------------------------------------

Then please do an online scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky...kavwebscan.html
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Next and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save Report As... button, change Save as type: to Text file and save the file to your desktop as Kaspersky.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

------------------------------------------------------------------------

Once complete, please post the full OTMoveIt report, the results.txt output, the Kaspersky report and a new HijackThis log

Edited by silver, 28 April 2008 - 01:38 AM.

ASAP & UNITE Member

#13 Bri

Bri

    Authentic Member

  • Authentic Member
  • 48 posts

Posted 28 April 2008 - 07:07 PM

DllUnregisterServer procedure not found in C:\WINDOWS\system32\ydyrakor.dll
C:\WINDOWS\system32\ydyrakor.dll NOT unregistered.
C:\WINDOWS\system32\ydyrakor.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\clwpntfl.dll
C:\WINDOWS\system32\clwpntfl.dll NOT unregistered.
C:\WINDOWS\system32\clwpntfl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pgmpnuvp.dll
C:\WINDOWS\system32\pgmpnuvp.dll NOT unregistered.
C:\WINDOWS\system32\pgmpnuvp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rskxoyto.dll
C:\WINDOWS\system32\rskxoyto.dll NOT unregistered.
C:\WINDOWS\system32\rskxoyto.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\dmydolpt.dll
C:\WINDOWS\system32\dmydolpt.dll NOT unregistered.
C:\WINDOWS\system32\dmydolpt.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bkhpqllb.dll
C:\WINDOWS\system32\bkhpqllb.dll NOT unregistered.
C:\WINDOWS\system32\bkhpqllb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\aonmwbea.dll
C:\WINDOWS\system32\aonmwbea.dll NOT unregistered.
C:\WINDOWS\system32\aonmwbea.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fndirirp.dll
C:\WINDOWS\system32\fndirirp.dll NOT unregistered.
C:\WINDOWS\system32\fndirirp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kccbcxjm.dll
C:\WINDOWS\system32\kccbcxjm.dll NOT unregistered.
C:\WINDOWS\system32\kccbcxjm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\edqfguof.dll
C:\WINDOWS\system32\edqfguof.dll NOT unregistered.
C:\WINDOWS\system32\edqfguof.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\dsnvmtoc.dll
C:\WINDOWS\system32\dsnvmtoc.dll NOT unregistered.
C:\WINDOWS\system32\dsnvmtoc.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifgfcde.dll
C:\WINDOWS\system32\iifgfcde.dll NOT unregistered.
C:\WINDOWS\system32\iifgfcde.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\altjeghh.dll
C:\WINDOWS\system32\altjeghh.dll NOT unregistered.
C:\WINDOWS\system32\altjeghh.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\kqospofl.dll
C:\WINDOWS\system32\kqospofl.dll NOT unregistered.
C:\WINDOWS\system32\kqospofl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fccayARH.dll
C:\WINDOWS\system32\fccayARH.dll NOT unregistered.
C:\WINDOWS\system32\fccayARH.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ejlshssv.dll
C:\WINDOWS\system32\ejlshssv.dll NOT unregistered.
C:\WINDOWS\system32\ejlshssv.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\qjejsfxd.dll
C:\WINDOWS\system32\qjejsfxd.dll NOT unregistered.
C:\WINDOWS\system32\qjejsfxd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ddcDSMeF.dll
C:\WINDOWS\system32\ddcDSMeF.dll NOT unregistered.
C:\WINDOWS\system32\ddcDSMeF.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\urqRJBTJ.dll
C:\WINDOWS\system32\urqRJBTJ.dll NOT unregistered.
C:\WINDOWS\system32\urqRJBTJ.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\nayxfqwr.dll
C:\WINDOWS\system32\nayxfqwr.dll NOT unregistered.
C:\WINDOWS\system32\nayxfqwr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hyawrsuh.dll
C:\WINDOWS\system32\hyawrsuh.dll NOT unregistered.
C:\WINDOWS\system32\hyawrsuh.dll moved successfully.
C:\WINDOWS\system32\wyxIknpo.ini2 moved successfully.
File/Folder C:\WINDOWS\system32\fbfdtejh.dll not found.
File/Folder C:\WINDOWS\system32\mssbctmx.dll not found.
File/Folder C:\WINDOWS\system32\opnkIxyw.dll not found.
File/Folder C:\Program Files\HbTools not found.
< C:\WINDOWS\?ystem /u >
C:\WINDOWS\ѕystem moved successfully.
File/Folder C:\WINDOWS\system32\nix.dll not found.
< C:\WINDOWS\??stem /u >
C:\WINDOWS\ѕуstem moved successfully.
< C:\Documents and Settings\Bri\Application Data\??crosoft /u >
C:\Documents and Settings\Bri\Application Data\Μіcrosoft moved successfully.
< C:\Program Files\Common Files\?ymantec /u >
C:\Program Files\Common Files\Ѕymantec moved successfully.
< C:\WINDOWS\system32\?ystem32 /u >
C:\WINDOWS\system32\ѕystem32 moved successfully.
< C:\WINDOWS\?racle /u >
C:\WINDOWS\Оracle moved successfully.
File/Folder C:\Program Files\Outerinfo not found.
< C:\Documents and Settings\Bri\Application Data\?racle /u >
C:\Documents and Settings\Bri\Application Data\Оracle moved successfully.
< C:\WINDOWS\?ymantec /u >
C:\WINDOWS\Ѕymantec moved successfully.
< C:\Documents and Settings\Bri\Application Data\??crosoft /u >
File/Folder C:\Documents and Settings\Bri\Application Data\??crosoft not found.
< C:\Program Files\Common Files\?ymantec /u >
File/Folder C:\Program Files\Common Files\?ymantec not found.
< C:\Documents and Settings\Bri\Application Data\?racle /u >
File/Folder C:\Documents and Settings\Bri\Application Data\?racle not found.
< purity >
File/Folder cleantemp not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_000438
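
The OTMoveIt2 log above lists folders such as `?ystem`, `?racle` and `??crosoft`, whose names print with non-Latin look-alike letters once moved. As an added example (not part of the original post or of OTMoveIt2), this Python script flags path components in such a log that mix Latin with another script; the sample log lines and the partial look-alike map are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample in the style of the OTMoveIt2 log above. Look-alike
# letters are written as \u escapes so they are visible in the source.
SAMPLE_LOG = "\n".join([
    "C:\\WINDOWS\\system32\\ydyrakor.dll moved successfully.",
    "C:\\WINDOWS\\\u0455ystem moved successfully.",
    "C:\\Documents and Settings\\Bri\\Application Data\\\u039c\u0456crosoft moved successfully.",
    "C:\\WINDOWS\\\u041eracle moved successfully.",
    "File/Folder C:\\Program Files\\HbTools not found.",
])

# Partial look-alike map (an assumption of this example, not a full
# Unicode confusables table): enough to show which name is imitated.
LOOKALIKES = {"\u0455": "s", "\u0405": "S", "\u0443": "y", "\u0456": "i",
              "\u041e": "O", "\u039c": "M", "\u041c": "M"}

# A path runs from the drive letter to one of the tool's status suffixes.
PATH_RE = re.compile(
    r"[A-Za-z]:\\.*?(?= moved successfully\.| NOT unregistered\.| not found\.| /u >|$)")


def script_of(ch):
    """Return the script word from the Unicode name, e.g. LATIN, CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def suspicious_components(path):
    """Yield (component, scripts, skeleton) for mixed-script path parts."""
    for part in path.split("\\"):
        scripts = {script_of(c) for c in part if c.isalpha()}
        # Latin mixed with another script is the homoglyph signature; a
        # name written wholly in one script is left alone.
        if "LATIN" in scripts and len(scripts) > 1:
            skeleton = "".join(LOOKALIKES.get(c, c) for c in part)
            yield part, sorted(scripts), skeleton


def scan_log(text):
    """Return findings for every path found in an OTMoveIt-style log."""
    findings = []
    for line in text.splitlines():
        match = PATH_RE.search(line)
        if match:
            findings.extend(suspicious_components(match.group(0)))
    return findings


if __name__ == "__main__":
    for part, scripts, skeleton in scan_log(SAMPLE_LOG):
        escaped = part.encode("unicode_escape").decode("ascii")
        print(f"{escaped}  scripts={scripts}  imitates={skeleton!r}")
```

Only mixed-script components are reported, so a folder named entirely in Cyrillic or Greek on a localized system is not flagged.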

#14 Bri

Bri

    Authentic Member

  • Authentic Member
  • 48 posts

Posted 28 April 2008 - 07:29 PM

I tried doing the Kaspersky Online Scanner and I clicked accept but nothing happened. Well here are the logs from the other stuff:

File/Folder C:\Program Files\HbTools not found.
< C:\WINDOWS\?ystem /u >
C:\WINDOWS\?ystem moved successfully.
File/Folder C:\WINDOWS\system32\nix.dll not found.
< C:\WINDOWS\??stem /u >
C:\WINDOWS\??stem moved successfully.
< C:\Documents and Settings\Bri\Application Data\??crosoft /u >
C:\Documents and Settings\Bri\Application Data\??crosoft moved successfully.
< C:\Program Files\Common Files\?ymantec /u >
C:\Program Files\Common Files\?ymantec moved successfully.
< C:\WINDOWS\system32\?ystem32 /u >
C:\WINDOWS\system32\?ystem32 moved successfully.
< C:\WINDOWS\?racle /u >
C:\WINDOWS\?racle moved successfully.
File/Folder C:\Program Files\Outerinfo not found.
< C:\Documents and Settings\Bri\Application Data\?racle /u >
C:\Documents and Settings\Bri\Application Data\?racle moved successfully.
< C:\WINDOWS\?ymantec /u >
C:\WINDOWS\?ymantec moved successfully.
< C:\Documents and Settings\Bri\Application Data\??crosoft /u >
File/Folder C:\Documents and Settings\Bri\Application Data\??crosoft not found.
< C:\Program Files\Common Files\?ymantec /u >
File/Folder C:\Program Files\Common Files\?ymantec not found.
< C:\Documents and Settings\Bri\Application Data\?racle /u >
File/Folder C:\Documents and Settings\Bri\Application Data\?racle not found.
< purity >
File/Folder cleantemp not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_000438

Are you sure (Y/N)?The system cannot find the file specified.
The system cannot find the file specified.
Volume in drive C has no label.
Volume Serial Number is 5CCD-370C
File Not Found

#15 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 28 April 2008 - 07:45 PM

Hi Bri,

I don't know what went wrong with the Kaspersky scan, we'll use a different scanner instead.

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:

    @echo off
    ECHO Y|cacls C:\271.bat /g %username%:F >> results2.txt 2>>&1
    type C:\271.bat >> results2.txt 2>>&1
    del runme.bat

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results2.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click cureit.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and UN-CHECK Heuristic analysis
  • Choose the Actions tab and make these changes:
    • Next to Infected objects select Report
    • Next to Incurable objects select Report
    • Next to Infected containers select Report
  • At the bottom-left, UN-CHECK Prompt on action, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Then select Complete scan and press the green arrow to start the scan
  • When the scan is complete, click File-> Save report list, save the report to your desktop and close Dr Web CureIt

------------------------------------------------------------------------

Once complete, please post the results2.txt output, the Dr Web report and a new HijackThis log.
ASAP & UNITE Member
