
[Resolved] Problems


  • This topic is locked
16 replies to this topic

#1 imahappychicken

imahappychicken

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts

Posted 19 May 2008 - 11:41 PM

So I got this thing that makes my desktop go away and a bunch of popups come up and my homepage is changed to awesomehomepage.com
Trend Micro gave me a popup saying that
WINDOWS\V2lsbGll\asappsrv.dll is infected with ADW CMDDSKTOP.A and
WINDOWS\V2lsbGll\command.exe is infected with something similar.
Any help would be greatly appreciated. Here is my HijackThis log:
-----------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:25:07 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Willie\lsass.exe
C:\WINDOWS\system32\rcntqkdm.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\windows\system32\jpwnw64n.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Documents and Settings\Willie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Willie\lsass.exe
O4 - HKLM\..\Run: [{9A-AF-FB-BF-DW}] c:\windows\system32\jpwnw64n.exe DWramFF
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntqkdm.exe DWramFF
O4 - HKLM\..\Run: [1c79af10] rundll32.exe "C:\WINDOWS\system32\djwbravp.dll",b
O4 - HKLM\..\Run: [{7e34f2e9-fa60-87d4-a447-8bd363c380d8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll" DllInit
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\starter.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jpwnw64n.exe
O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...04/sdcregie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094057243417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)



#2 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 28 May 2008 - 08:43 PM

Hi imahappychicken,

Please download the latest version of HijackThis from here (right-click the link, select Save Target As..., select your Desktop and press Save):
http://downloads.mal.../HJTInstall.exe

Once you have downloaded the new version, remove the old version via Start->Control Panel->Add/Remove Programs and then delete the old version from your Desktop.
Then run the new version's installer HJTInstall.exe and follow the prompts.
After installing, HijackThis will open automatically; close the program for now.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%\SDFix
(Drive that contains the Windows Directory, typically C:\SDFix)

Please print/save a copy of the following instructions because we will be using Safe Mode, during which time you won't have access to the internet.

Now reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Willie\lsass.exe
O4 - HKLM\..\Run: [{9A-AF-FB-BF-DW}] c:\windows\system32\jpwnw64n.exe DWramFF
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntqkdm.exe DWramFF
O4 - HKLM\..\Run: [1c79af10] rundll32.exe "C:\WINDOWS\system32\djwbravp.dll",b
O4 - HKLM\..\Run: [{7e34f2e9-fa60-87d4-a447-8bd363c380d8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll" DllInit
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\starter.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jpwnw64n.exe

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Then run SDFix:
  • Open the extracted SDFix folder (usually Start->My Computer->C:->SDFix) and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post the SDFix report and both DSS logs; you won't need to produce a new HijackThis log as DSS produces one for you.
ASAP & UNITE Member
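The O4 lines silver picked out share two tells that can be checked mechanically: a core Windows process name (lsass.exe) launched from a user profile instead of system32, and eight-character random-looking file names dropped into system32. The script below is an added example for this thread, not HijackThis code and not part of any post; it parses O4 Run and Startup lines and attaches those two heuristic flags. The sample lines are copied from the log above, but the sample set, the regexes, the CORE_BINARIES set and the ALLOWLIST are this example's own assumptions.

```python
"""Flag suspicious HijackThis O4 (autostart) entries.

Added example for this thread; not HijackThis code and not part of any post.
The heuristics are deliberately simple and need an allowlist before real use.
"""
import re
from typing import Optional

# Constructed sample: O4 lines of the kind seen in the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Willie\lsass.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntqkdm.exe DWramFF
O4 - HKLM\..\Run: [1c79af10] rundll32.exe "C:\WINDOWS\system32\djwbravp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntqkdm.exe
"""

# "O4 - HKLM\..\Run: [Name] command" and "O4 - Startup: File.lnk = command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First drive-letter path in a command line, quoted or not; for rundll32
# commands this is the DLL being loaded, not rundll32.exe itself.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|ocm|bat))', re.IGNORECASE)

SYSTEM_DIR = r"c:\windows\system32"
# Core Windows processes that should only ever run from system32 (assumed set).
CORE_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe"}
# Legitimate 8-character names that would otherwise trip the random-name heuristic.
ALLOWLIST = {"rundll32.exe"}


def parse_o4_line(line: str) -> Optional[dict]:
    """Split one O4 line into hive, value name, full command and target path."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    pm = PATH_RE.search(cmd)
    path = (pm.group(1) or pm.group(2)) if pm else None
    return {"hive": m.group("hive"), "name": m.group("name"), "cmd": cmd, "path": path}


def flags_for(path: Optional[str]) -> list:
    """Return the names of the heuristics that fire for a target path."""
    flags = []
    if not path:
        return flags
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    # A core OS binary name outside system32 is the classic masquerade
    # (the thread's lsass.exe sits in the user's profile, not in system32).
    if base in CORE_BINARIES and directory != SYSTEM_DIR:
        flags.append("masquerade")
    # Eight random-looking lowercase/digit characters in system32, as with
    # rcntqkdm.exe and djwbravp.dll above. Rough heuristic: keep an allowlist.
    if directory == SYSTEM_DIR and base not in ALLOWLIST and re.fullmatch(r"[a-z0-9]{8}", stem):
        flags.append("random_name")
    return flags


def audit_o4(log_text: str) -> list:
    """Parse every O4 line in a HijackThis log and attach heuristic flags."""
    results = []
    for raw in log_text.splitlines():
        entry = parse_o4_line(raw.strip())
        if entry is not None:
            entry["flags"] = flags_for(entry["path"])
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in audit_o4(SAMPLE_LOG):
        mark = ",".join(e["flags"]) or "ok"
        print(f"{mark:12} [{e['name']}] {e['path']}")
```

Run against a full log, every flagged entry still needs a human look (the DLL loaded through rundll32 is found by taking the first drive-letter path in the command rather than rundll32.exe itself), and the random-name check will need an allowlist for legitimate short names before it is useful outside this thread.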

#3 imahappychicken

imahappychicken

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts

Posted 28 May 2008 - 11:39 PM

Thanks a lot again!! Here is the SDFix report and both DSS logs. When I open my browser it still opens up to some weird site... is there something else? Thanks again!

~Justin

Main.txt

Deckard's System Scanner v20071014.68
Run by Willie on 2008-05-28 22:29:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2008-05-29 05:29:18 UTC - RP1719 - Deckard's System Scanner Restore Point
12: 2008-05-28 05:50:24 UTC - RP1718 - System Checkpoint
11: 2008-05-23 08:51:51 UTC - RP1717 - System Checkpoint
10: 2008-05-20 21:26:10 UTC - RP1716 - System Checkpoint
9: 2008-05-19 21:23:31 UTC - RP1715 - Last known good configuration


-- First Restore Point --
1: 2008-05-11 12:34:31 UTC - RP1707 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 6.09 GiB (less than 15%) free.


-- HijackThis (run as Willie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:32 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Willie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Willie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: gooochi browser optimizer - {35a269b8-c509-07d2-55b0-024895864284} - C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8A290466-39BD-419B-93DB-0E9599506654} - C:\WINDOWS\system32\tuvUMCUo.dll
O2 - BHO: (no name) - {A7A53EDD-8034-43E9-851C-AC66A9ACEFA9} - C:\WINDOWS\system32\opnmKBrP.dll
O2 - BHO: {f9ef1185-2d1e-2a0a-46a4-45f64c4a65ca} - {ac56a4c4-6f54-4a64-a0a2-e1d25811fe9f} - C:\WINDOWS\system32\xvnjnkon.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: mysidesearch browser optimizer - {f93251b6-5423-859e-8b13-4777f967cb86} - C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...04/sdcregie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094057243417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O20 - Winlogon Notify: tuvUMCUo - C:\WINDOWS\SYSTEM32\tuvUMCUo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 12106 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080528-214830-127 O4 - HKLM\..\Run: [{9A-AF-FB-BF-DW}] C:\WINDOWS\system32\jpwnw64n.exe DWramFF
backup-20080528-214830-159 O4 - HKLM\..\Run: [{7e34f2e9-fa60-87d4-a447-8bd363c380d8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll" DllStart
backup-20080528-214830-287 O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
backup-20080528-214830-294 O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
backup-20080528-214830-302 O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jpwnw64n.exe
backup-20080528-214830-336 O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\starter.exe
backup-20080528-214830-426 O4 - HKLM\..\Run: [BM1f4a9c8c] Rundll32.exe "C:\WINDOWS\system32\ouhtrpjx.dll",s
backup-20080528-214830-522 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntqkdm.exe DWramFF
backup-20080528-214830-625 O4 - HKLM\..\Run: [1c79af10] rundll32.exe "C:\WINDOWS\system32\wqhxmxhi.dll",b
backup-20080528-214830-778 O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntqkdm.exe
backup-20080528-214830-816 O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Willie\lsass.exe
backup-20080528-214830-899 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 si3112 - c:\windows\system32\drivers\si3112.sys <Not Verified; Silicon Image, Inc.; SiI 3112 SATALink controller>
R0 SiWinAcc - c:\windows\system32\drivers\siwinacc.sys <Not Verified; Silicon Image, Inc.; SATALink Windows Accelerator>
R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R1 mbmiodrvr - c:\windows\system32\mbmiodrvr.sys <Not Verified; cansoft@livewiredev.com; Windows ® 2000 DDK driver>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro TDI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.0.1>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>
R3 catchme - c:\docume~1\willie\locals~1\temp\catchme.sys (file missing)
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

S3 autorun - c:\huadio.tmp <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 FeMouWDM (Fellowes Mouse Driver) - c:\windows\system32\drivers\femouwdm.sys <Not Verified; Fellowes, Inc.; Fellowes EasyPoint Mouse Software>
S3 GoProto (GoProto Protocol Driver) - c:\windows\system32\drivers\goprot51.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics Network Module>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
R2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe"
R2 PccPfw (Trend Micro Personal Firewall) - c:\program files\trend micro\internet security\pccpfw.exe <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 Tmntsrv (Trend NT Realtime Service) - "c:\program files\trend micro\internet security\tmntsrv.exe" <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 tmproxy (Trend Micro Proxy Service) - c:\program files\trend micro\internet security\tmproxy.exe <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&13C0B0C5&0&20
Manufacturer: Nvidia
Name: NVIDIA nForce Networking Controller
PNP Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&13C0B0C5&0&20
Service: NVENET

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&3B1D9AB8&0&2040
Manufacturer: Marvell
Name: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&3B1D9AB8&0&2040
Service: yukonwxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\BC724FE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\BC724FE01800
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 06:41:00 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-03-27 11:15:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 21:49:46 0 d-------- C:\WINDOWS\ERUNT
2008-05-28 21:28:34 112640 --a------ C:\WINDOWS\system32\xvnjnkon.dll
2008-05-28 21:28:31 102400 --a------ C:\WINDOWS\system32\wqhxmxhi.dll
2008-05-28 21:25:30 2560 --a------ C:\WINDOWS\system32\npebkveb.exe
2008-05-28 21:23:18 109568 --a------ C:\WINDOWS\system32\ouhtrpjx.dll
2008-05-27 22:12:33 2560 --a------ C:\WINDOWS\system32\avwgbpyp.exe
2008-05-27 22:06:34 110592 --a------ C:\WINDOWS\system32\efiiblys.dll
2008-05-27 21:09:34 109568 --a------ C:\WINDOWS\system32\cgomggsb.dll
2008-05-27 06:28:12 370688 --a------ C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll
2008-05-24 10:04:40 200774 --a------ C:\WINDOWS\system32\rcntqkdn.exe
2008-05-23 23:07:10 118272 --a------ C:\WINDOWS\system32\uijitegj.dll
2008-05-23 23:04:12 2560 --a------ C:\WINDOWS\system32\ybvdjuja.exe
2008-05-22 18:15:26 109568 --a------ C:\WINDOWS\system32\dtfplvvr.dll
2008-05-21 02:30:41 118784 --a------ C:\WINDOWS\system32\osekmspk.dll
2008-05-21 02:27:40 2560 --a------ C:\WINDOWS\system32\xocghdwl.exe
2008-05-21 02:25:08 109056 --a------ C:\WINDOWS\system32\bjkuuqyn.dll
2008-05-20 02:33:48 2560 --a------ C:\WINDOWS\system32\kfgulyku.exe
2008-05-20 02:27:48 118272 --a------ C:\WINDOWS\system32\rjbyftql.dll
2008-05-20 02:24:48 109056 --a------ C:\WINDOWS\system32\ftbvsqkh.dll
2008-05-19 21:27:47 401972 --a------ C:\WINDOWS\system32\g46.exe
2008-05-19 21:21:45 49175 --a------ C:\WINDOWS\system32\jpwnw64n.exe <Not Verified; ; Browser Driver>
2008-05-19 14:23:12 804503 --ahs---- C:\WINDOWS\system32\PrBKmnpo.ini2
2008-05-19 14:23:07 374272 --a------ C:\WINDOWS\system32\opnmKBrP.dll
2008-05-19 14:18:34 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-19 14:18:21 200768 --a------ C:\WINDOWS\system32\rcntqkdm.exe
2008-05-19 14:18:21 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-19 14:18:18 298311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-19 14:18:17 0 d--hs---- C:\WINDOWS\V2lsbGll
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\polX
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\GUI2
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\binR
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\3036a
2008-05-19 14:18:10 0 d-------- C:\WINDOWS\system32\logXv18
2008-05-19 14:18:05 28672 --a------ C:\WINDOWS\system32\tuvUMCUo.dll
2008-05-19 06:55:20 439808 --a------ C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-28 21:32:16 0 d-------- C:\Program Files\Trend Micro
2008-05-18 10:16:23 0 d-------- C:\Program Files\PeerGuardian2
2008-05-18 09:59:01 0 d-------- C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2008-05-11 13:03:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-25 14:43:08 0 d-------- C:\Program Files\Common Files
2008-04-25 14:43:08 0 d-------- C:\Program Files\Common Files\TechSmith Shared
2008-04-25 14:43:06 0 d-------- C:\Program Files\TechSmith
2008-03-23 21:17:34 29696 ---hs---- C:\Start.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35a269b8-c509-07d2-55b0-024895864284}]
05/27/2008 06:28 AM 370688 --a------ C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A290466-39BD-419B-93DB-0E9599506654}]
05/19/2008 02:18 PM 28672 --a------ C:\WINDOWS\system32\tuvUMCUo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7A53EDD-8034-43E9-851C-AC66A9ACEFA9}]
05/19/2008 02:23 PM 374272 --a------ C:\WINDOWS\system32\opnmKBrP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ac56a4c4-6f54-4a64-a0a2-e1d25811fe9f}]
05/28/2008 09:28 PM 112640 --a------ C:\WINDOWS\system32\xvnjnkon.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f93251b6-5423-859e-8b13-4777f967cb86}]
05/19/2008 06:55 AM 439808 --a------ C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeadAIM"="C:\PROGRA~1\AIM95\\DeadAIM.ocm" [02/24/2003 04:11 PM]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 03:50 AM]
"MBM 5"="C:\Program Files\Motherboard Monitor 5\MBM5.EXE" [02/19/2004 06:47 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 09:33 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/24/2004 04:13 AM]
"SoundMan"="SOUNDMAN.EXE" [08/15/2003 12:34 AM C:\WINDOWS\soundman.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security\pccguide.exe" [02/02/2006 11:35 PM]
"PCClient.exe"="C:\Program Files\Trend Micro\Internet Security\PCClient.exe" [02/02/2006 11:35 PM]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" [02/02/2006 11:35 PM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [12/20/2004 05:12 PM]
"Fellowes Proxy"="C:\WINDOWS\system32\r3proxy.exe" [03/25/2004 02:13 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [06/12/2005 04:53 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 01:35 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\Willie\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [12/25/2004 10:30:35 PM]
PeerGuardian.lnk - C:\Program Files\PeerGuardian2\pg2.exe [2/25/2005 3:12:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A290466-39BD-419B-93DB-0E9599506654}"= C:\WINDOWS\system32\tuvUMCUo.dll [05/19/2008 02:18 PM 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUMCUo]
tuvUMCUo.dll 05/19/2008 02:18 PM 28672 C:\WINDOWS\system32\tuvUMCUo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnmKBrP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Willie^Start Menu^Programs^Startup^Drempels Desktop.lnk]
path=C:\Documents and Settings\Willie\Start Menu\Programs\Startup\Drempels Desktop.lnk
backup=C:\WINDOWS\pss\Drempels Desktop.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"C:\Program Files\ATI Multimedia\main\launchpd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
MMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NovaBackup 7 Tray Control]
"C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PP8 Reminder]
"C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrv"=2 (0x2)
"SymWSC"=2 (0x2)
"Bonjour Service"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
Auto\command- C:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
Auto\command- H:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ed777a6-41eb-11da-8815-806d6172696f}]
AutoRun\command- G:\LaunchEAW.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1aeb4e-14c7-11dc-8f11-cc0ba6dc8b00}]
Auto\command- I:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86932982-12df-11dd-90d2-0012178c02c5}]
Auto\command- I:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3ab1b20-9acb-11db-8e88-0012178c02c5}]
Auto\command- I:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf6980f-6a64-11d9-a00f-000d61603c10}]
Auto\command- J:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

*Newly Created Service* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb



-- End of Deckard's System Scanner: finished at 2008-05-28 22:31:06 ------------

Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3200+
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1279.49 MiB / 726.38 MiB
Pagefile Memory (total/avail): 1901.68 MiB / 1484.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.32 GiB total, 6.09 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is CDROM (No Media)
H: is Fixed (NTFS) - 189.92 GiB total, 22.01 GiB free.

\\.\PHYSICALDRIVE1 - Maxtor 6 L200M0 SCSI Disk Device - 189.92 GiB - 1 partition
\PARTITION0 - Installable File System - 189.92 GiB - H:

\\.\PHYSICALDRIVE0 - Maxtor 6 Y080M0 SCSI Disk Device - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.32 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Trend Micro Internet Security v11.50 (Trend Micro Inc.)
AV: Trend Micro Internet Security v11.50 (Trend Micro Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\THQ\\Dawn of War\\W40k.exe"="C:\\Program Files\\THQ\\Dawn of War\\W40k.exe:*:Enabled:W40K"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe"="C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe:*:Enabled:tor032"
"C:\\Program Files\\Ares Lite Edition\\AresLite.exe"="C:\\Program Files\\Ares Lite Edition\\AresLite.exe:*:Enabled:Ares Lite Edition"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe:*:Disabled:Battlefront"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Documents and Settings\\Willie\\Desktop\\CSSource\\hl2.exe"="C:\\Documents and Settings\\Willie\\Desktop\\CSSource\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Documents and Settings\\Willie\\Desktop\\Games\\CSSource\\hl2.exe"="C:\\Documents and Settings\\Willie\\Desktop\\Games\\CSSource\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Documents and Settings\\Willie\\Local Settings\\Temporary Internet Files\\Content.IE5\\CAVYNJWW\\WoW-1.1.0-Installer_Downloader-enUS[1].exe"="C:\\Documents and Settings\\Willie\\Local Settings\\Temporary Internet Files\\Content.IE5\\CAVYNJWW\\WoW-1.1.0-Installer_Downloader-enUS[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"="C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\\Documents and Settings\\Willie\\Desktop\\Games\\halflife 2 game\\hl2.exe"="C:\\Documents and Settings\\Willie\\Desktop\\Games\\halflife 2 game\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\User\\Half-Life 2\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\User\\Half-Life 2\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat:*:Enabled:The Battle for Middle-earth ™"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Disabled:SoulSeek"
"C:\\Program Files\\myTunes Redux\\mDNSResponder.exe"="C:\\Program Files\\myTunes Redux\\mDNSResponder.exe:*:Enabled:mDNSResponder"
"C:\\Documents and Settings\\Willie\\Desktop\\Games\\ACTOFWAR_DEMO\\actofwar.exe"="C:\\Documents and Settings\\Willie\\Desktop\\Games\\ACTOFWAR_DEMO\\actofwar.exe:*:Enabled:actofwar"
"C:\\Program Files\\Atari\\Act of War - Direct Action\\ACTOFWAR.EXE"="C:\\Program Files\\Atari\\Act of War - Direct Action\\ACTOFWAR.EXE:*:Enabled:ACTOFWAR"
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"="C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe:*:Enabled:BfVietnam"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe"="C:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe:*:Enabled:W40kWA"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:BitTornado"
"C:\\Program Files\\TorrentStorm\\TorrentStorm.exe"="C:\\Program Files\\TorrentStorm\\TorrentStorm.exe:*:Enabled:TorrentStorm"
"H:\\GPGNet\\GPG.Multiplayer.Client.exe"="H:\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"H:\\Supreme_commander\\Supreme Commander\\bin\\SupremeCommander.exe"="H:\\Supreme_commander\\Supreme Commander\\bin\\SupremeCommander.exe:*:Enabled:Supreme Commander"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Willie\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Willie
LOGONSERVER=\\JC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 3.5 Suite Deluxe;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Autodesk\Backburner\;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Willie\LOCALS~1\Temp
TMP=C:\DOCUME~1\Willie\LOCALS~1\Temp
USERDOMAIN=JC
USERNAME=Willie
USERPROFILE=C:\Documents and Settings\Willie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Willie (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\ITE Raid Driver Setup\Uninst.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Silicon Image Raid\Uninst.isu"
--> C:\WINDOWS\IsUninst.exe -f\"C:\Program Files\Final Fantasy VII\Uninst.isu"
--> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3dsmax ancillary install --> MsiExec.exe /I{7C8B5E63-821A-4DFB-BDFA-19854D88EC5C}
7-Zip 4.32 --> "C:\Program Files\7-Zip\Uninstall.exe"
Active@ File Recovery 7.1 --> C:\PROGRA~1\ACTIVE~1\ACTIVE~1\UNWISE.EXE C:\PROGRA~1\ACTIVE~1\ACTIVE~1\INSTALL.LOG
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~3\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~3\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\435a6af7459cb02a9c1138113a26e93\Setup.exe
Adobe Dreamweaver CS3 --> MsiExec.exe /I{F01D5ED5-D53A-4468-B428-149DC2CB3110}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{77D2A9D3-5800-43E3-B274-87841BC87DB2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{D7A53E41-3F32-4A44-989C-53DDEBB2130C}
Adobe Fireworks CS3 --> C:\Program Files\Common Files\Adobe\Installers\bbef028176efa5abf0233d3e1747be8\Setup.exe
Adobe Fireworks CS3 --> MsiExec.exe /I{E16110F7-1C85-4675-99F4-7938F832C825}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\c3c7fe8b09d497ab2b3fd91c9353390\Setup.exe
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS2 --> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe InDesign CS2 --> msiexec /I{7F4C8163-F259-49A0-A018-2857A90578BC}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Premiere Pro --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{084709F7-38C5-4609-B55F-2417939315EB}\setup.exe"
Adobe Setup --> MsiExec.exe /I{15C768E2-AB61-4DE3-952F-6B237A834951}
Adobe Setup --> MsiExec.exe /I{2274624C-5B38-41AD-AD27-CEC0924EB628}
Adobe Setup --> MsiExec.exe /I{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}
Adobe Setup --> MsiExec.exe /I{FFC1ADE3-944B-4231-894E-3903C37271D2}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Adobe Stock Photos CS3 --> C:\Program Files\Common Files\Adobe\Installers\cbb2ea61da9c780bd7e47a5230a9ed7\Setup.exe
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Ahead InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
AltoMP3 Gold 5.12 --> C:\Program Files\AltoMP3 Gold\uninst.exe
AOL Instant Messenger --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ares Lite Edition 1.8.1 --> "C:\Program Files\Ares Lite Edition\uninstall.exe"
AsusUpdate --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\AsusUpdate\Uninst.isu"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x575c
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk 3ds Max 9 32-bit --> MsiExec.exe /I{E96D4088-AAC5-437F-9E39-EC0E387897B4}
Autodesk DWF Viewer 7 --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Backburner --> MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
Battlefield 2™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
BitTornado 0.3.7 --> C:\Program Files\BitTornado\uninst.exe
BSPlayer --> "C:\Program Files\Webteh\BSplayer\uninstall.exe"
Camtasia Studio 5 --> MsiExec.exe /I{7BB40A22-8D98-43F9-A08A-E7EFF5AB1324}
CDisplay 1.8 --> "C:\Program Files\CDisplay\unins000.exe"
Command & Conquer 3 --> MsiExec.exe /I{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}
Creative DVD Audio Plugin for Audigy Series --> "C:\Program Files\Creative\CTDPlugin\CTUIDVD.exe " -u
Cucusoft iPod Video Converter 3.11 --> "C:\Program Files\Cucusoft\ipod-converter\unins000.exe"
CureROM 1.2.2 --> C:\Program Files\CureROM\uninst.exe
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
DAZ|Studio1.8.1.5 --> C:\WINDOWS\unvise32.exe C:\Program Files\DAZ\Studio\DAZ Studio Uninstall.log
DeadAIM --> MsiExec.exe /I{25AF0BD1-DF07-4447-8E91-28E99617C556}
Direct Show Ogg Vorbis Filter (remove only) --> "C:\WINDOWS\system32\OggDSuninst.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Drempels (remove only) --> "C:\Program Files\Drempels\uninst-drempels.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDFab Platinum 2.81 --> "C:\Program Files\DVDFab Platinum\unins000.exe"
EasyPoint Mouse Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB79C19C-5C47-4A31-B4EA-D19B4F741329}\Setup.exe" -l0x9
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
Enhancement Browser Tools Gooochi --> C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll-uninst.exe
EphPod --> C:\PROGRA~1\EphPod\UNWISE.EXE C:\PROGRA~1\EphPod\INSTALL.LOG
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\setup.exe" -l0x9 -anything
FBX Plugin 2006.08 for Max 9.0 --> C:\Program Files\Autodesk\FBX\FbxPlugins\2006.08\Max90\Uninstall.exe
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
Final Fantasy VII - Ultima Edition --> "C:\Program Files\Final Fantasy VII\unins000.exe"
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
GIF Movie Gear 4.0.2 --> "C:\Program Files\GIF Movie Gear\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Video Player --> "C:\Program Files\Google\Google Video Player\Uninstall.exe"
GPGNet --> MsiExec.exe /I{C194D333-B84A-4BB7-B35E-060732D98DC4}
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotline Client 1.8.5 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hotline Communications Ltd.\Hotline Client 1.8.5\DeIsL1.isu" -c"C:\Program Files\Hotline Communications Ltd.\Hotline Client 1.8.5\_ISREG32.DLL"
Indeo® software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Indeo\Uninst.isu" -c"C:\Program Files\Intel\Indeo\SavedSystemFiles\indounin.dll"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD 6 --> "C:\Program Files\InstallShield Installation Information\{6ACA2FD2-4C4A-42F3-AFB5-7B433BBDF6DB}\setup.exe" REMOVEALL
iPod for Windows 2005-06-26 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FE7A3FE1-AF76-44FD-BC70-09868A51887A} /l1033
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
IsoBuster 1.9 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_06 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark 510 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBZUN5C.EXE -dLexmark 510 Series
Linksys EasyLink Advisor 1.5 (1010) --> rundll32 C:\PROGRA~1\LINKSY~2\AUInst.dll,ExUninstall
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech iTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Matroska Pack - Lazy Man's MKV 0.9.9 --> "C:\Program Files\LD-Anime\unins000.exe"
MaxBlast 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{639858DD-4966-40F3-A706-7C838BCF3A2B}\setup.exe"
Medal of Honor Allied Assault --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
Medieval Total War --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Total War\Medieval - Total War\Uninst.isu"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Motherboard Monitor 5 --> "C:\Program Files\Motherboard Monitor 5\unins001.exe"
Move Networks Player for Firefox --> "C:\Program Files\Mozilla Firefox\plugins\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Converter Simple --> C:\PROGRA~1\MP3CON~1\UNWISE.EXE C:\PROGRA~1\MP3CON~1\INSTALL.LOG
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MySidesearch Search Assistant Adzgalore --> C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll-uninst.exe
myTunes Redux 1.0 --> "C:\Program Files\myTunes Redux\unins000.exe"
Nav Subscription year 2002 - 2003 for Win95 to XP --> C:\Documents and Settings\All Users\Application Data\Symantec\LiveSubscribe\Uninstal.exe
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Net Transport 1.94.279 --> "C:\Program Files\Xi\NetTransport 2\unins000.exe"
NJStar Communicator --> "C:\Program Files\NJStar Communicator\Remove.exe" /U:"C:\Program Files\NJStar Communicator\Remove.log"
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
NovaBACKUP --> MsiExec.exe /I{A14F19F4-2E19-4CA5-83AB-FC9EE3FEA1E0}
NVIDIA Drivers --> C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
NvMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall
PartyPoker --> "c:\program files\PartyGaming\PartyPoker\Uninstall.exe" "c:\program files\PartyGaming\PartyPoker\install.log"
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Phun beta 3.12 --> "C:\Program Files\Phun\unins000.exe"
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
ratDVD 0.6.1122 --> C:\Program Files\ratDVD\uninst.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
SereneScene Marine Aquarium 2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SereneScreen\Marine Aquarium 2\Uninst.isu"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
Steam --> C:\PROGRA~1\Valve\Steam\UNWISE.EXE C:\PROGRA~1\Valve\Steam\INSTALL.LOG
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Supreme Commander --> C:\Program Files\InstallShield Installation Information\{25A1E6A4-2DBD-4AC0-8650-8EA9A45B183D}\setup.exe -runfromtemp -l0x0009 -removeonly
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
TorrentStorm --> C:\Program Files\TorrentStorm\Uninstall.exe
Trend Micro Internet Security --> MsiExec.exe /X{3943C4CF-AC42-4E00-8824-25159B8478F1}
Ulead DVD MovieFactory 3.5 Suite Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7D89BBE-D4B3-49E8-B185-7966B5345866}\setup.exe" -l0x9
Ulead VideoStudio 8.0 SE DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\setup.exe" -l0x9
Universal File Splitter & Merger 1.21 --> "C:\Program Files\Universal File Splitter & Merger\unins000.exe"
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Videora iPod Converter 3.07 --> C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Virtual Cable Tester --> MsiExec.exe /X{3D654496-9C3D-4565-858C-3E551ECDA4E2}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinAVI Video Converter 5.8 --> "C:\Program Files\WinAVI Video Converter\unins000.exe"
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinMX --> C:\Program Files\WinMX\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
winvi (remove only) --> "C:\Program Files\winvi\uninst.exe"
World in Conflict --> C:\Program Files\InstallShield Installation Information\{F11ADC64-C89E-47F4-A0B3-3665FF859397}\setup.exe -runfromtemp -l0x0009 -removeonly
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui


-- Application Event Log -------------------------------------------------------

Event Record #/Type6907 / Error
Event Submitted/Written: 05/27/2008 10:18:36 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x034b1569.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type6906 / Error
Event Submitted/Written: 05/27/2008 09:46:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module opnmkbrp.dll, version 0.0.0.0, fault address 0x0003109f.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type6905 / Error
Event Submitted/Written: 05/27/2008 09:40:19 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module opnmkbrp.dll, version 0.0.0.0, fault address 0x0003109f.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type6847 / Error
Event Submitted/Written: 05/21/2008 10:09:55 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application pccguide.exe, version 11.50.0.5503, faulting module unknown, version 0.0.0.0, fault address 0x42c1d0f9.
Processing media-specific event for [pccguide.exe!ws!]

Event Record #/Type6845 / Error
Event Submitted/Written: 05/21/2008 09:38:08 AM / 05/21/2008 09:38:09 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type153434 / Error
Event Submitted/Written: 05/28/2008 10:05:48 PM / 05/28/2008 10:06:05 PM
Event ID/Source: 55 / Ntfs
Event Description:
The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume H:.

Event Record #/Type153430 / Error
Event Submitted/Written: 05/28/2008 10:05:23 PM / 05/28/2008 10:06:05 PM
Event ID/Source: 55 / Ntfs
Event Description:
The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume H:.

Event Record #/Type153425 / Warning
Event Submitted/Written: 05/28/2008 10:06:05 PM
Event ID/Source: 1009 / Dhcp
Event Description:
A network error occurred when trying to send a message. The error code is: %%10004.

Event Record #/Type153424 / Warning
Event Submitted/Written: 05/28/2008 10:06:05 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0012178C02C5. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type153421 / Error
Event Submitted/Written: 05/28/2008 10:04:15 PM
Event ID/Source: 15 / Cdrom
Event Description:
The device, \Device\CdRom2, is not ready for access yet.



-- End of Deckard's System Scanner: finished at 2008-05-28 22:31:06 ------------

Report.txt


SDFix: Version 1.186
Run by Willie on Wed 05/28/2008 at 09:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TCPIPP

Path :
System32\drivers\tcpipp.sys

TCPIPP - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\local.xml - Deleted
C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\log.txt - Deleted
C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\version.ini - Deleted
C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\Cache\d6e9bb027c32ce9950910af1fce37bb9.xml - Deleted
C:\autorun.inf - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\dbar\basis.xml - Deleted
C:\Program Files\dbar\channel.tmpl - Deleted
C:\Program Files\dbar\content.tmpl - Deleted
C:\Program Files\dbar\date.tmpl - Deleted
C:\Program Files\dbar\dbaruninst.exe - Deleted
C:\Program Files\dbar\deskbar.crc - Deleted
C:\Program Files\dbar\deskbar.dll - Deleted
C:\Program Files\dbar\deskbar.inf - Deleted
C:\Program Files\dbar\edit_rss.tmpl - Deleted
C:\Program Files\dbar\local.xml - Deleted
C:\Program Files\dbar\nav1.bmp - Deleted
C:\Program Files\dbar\nav2.bmp - Deleted
C:\Program Files\dbar\new_alert.tmpl - Deleted
C:\Program Files\dbar\version.ini - Deleted
C:\Program Files\dbar\version.txt - Deleted
C:\Program Files\winvi\Uninst.exe - Deleted
C:\Program Files\winvi\update.exe - Deleted
C:\Program Files\winvi\version.ini - Deleted
C:\Program Files\winvi\wupda.exe - Deleted
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js - Deleted
C:\Program Files\winvi\dsktp\desktop.html - Deleted
C:\Program Files\winvi\dsktp\internetDetection.swf - Deleted
C:\Program Files\winvi\dsktp\settings.sol - Deleted
C:\Program Files\winvi\icons\bufferthis.ico - Deleted
C:\Program Files\winvi\icons\flashfunpages.ico - Deleted
C:\Program Files\winvi\icons\funnies.ico - Deleted
C:\Program Files\winvi\icons\funnyfunpages.ico - Deleted
C:\Program Files\winvi\icons\goodcleanvideos.ico - Deleted
C:\Program Files\winvi\icons\newfunpages.ico - Deleted
C:\Program Files\winvi\icons\positivethoughts.ico - Deleted
C:\Program Files\winvi\icons\removespyware.ico - Deleted
C:\Program Files\winvi\icons\thissiterocks.ico - Deleted
C:\Program Files\winvi\temp\version.ini - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu1188.exe - Deleted
C:\Documents and Settings\Willie\lsass.exe - Deleted
C:\Documents and Settings\Willie\services.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\system32\drivers\TCPIPP.sys - Deleted



Folder C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E} - Removed
Folder C:\Program Files\dbar - Removed
Folder C:\Program Files\winvi - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 22:12:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{642DCC67-19A2-E67F-A82A-18C58641A8E9}]
"dbpjkmapbdmoihdajkbbdfgeaonmekalkobfbffh"=hex:6b,61,62,6a,65,64,6a,6b,67,6e,66,65,70,68,6b,6f,6c,6a,70,6c,66,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\THQ\\Dawn of War\\W40k.exe"="C:\\Program Files\\THQ\\Dawn of War\\W40k.exe:*:Enabled:W40K"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe"="C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe:*:Enabled:tor032"
"C:\\Program Files\\Ares Lite Edition\\AresLite.exe"="C:\\Program Files\\Ares Lite Edition\\AresLite.exe:*:Enabled:Ares Lite Edition"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe:*:Disabled:Battlefront"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Documents and Settings\\Willie\\Desktop\\CSSource\\hl2.exe"="C:\\Documents and Settings\\Willie\\Desktop\\CSSource\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Documents and Settings\\Willie\\Desktop\\Games\\CSSource\\hl2.exe"="C:\\Documents and Settings\\Willie\\Desktop\\Games\\CSSource\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Documents and Settings\\Willie\\Local Settings\\Temporary Internet Files\\Content.IE5\\CAVYNJWW\\WoW-1.1.0-Installer_Downloader-enUS[1].exe"="C:\\Documents and Settings\\Willie\\Local Settings\\Temporary Internet Files\\Content.IE5\\CAVYNJWW\\WoW-1.1.0-Installer_Downloader-enUS[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"="C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\\Documents and Settings\\Willie\\Desktop\\Games\\halflife 2 game\\hl2.exe"="C:\\Documents and Settings\\Willie\\Desktop\\Games\\halflife 2 game\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\User\\Half-Life 2\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\User\\Half-Life 2\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat:*:Enabled:The Battle for Middle-earth ™"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Disabled:SoulSeek"
"C:\\Program Files\\myTunes Redux\\mDNSResponder.exe"="C:\\Program Files\\myTunes Redux\\mDNSResponder.exe:*:Enabled:mDNSResponder"
"C:\\Documents and Settings\\Willie\\Desktop\\Games\\ACTOFWAR_DEMO\\actofwar.exe"="C:\\Documents and Settings\\Willie\\Desktop\\Games\\ACTOFWAR_DEMO\\actofwar.exe:*:Enabled:actofwar"
"C:\\Program Files\\Atari\\Act of War - Direct Action\\ACTOFWAR.EXE"="C:\\Program Files\\Atari\\Act of War - Direct Action\\ACTOFWAR.EXE:*:Enabled:ACTOFWAR"
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"="C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe:*:Enabled:BfVietnam"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe"="C:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe:*:Enabled:W40kWA"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:BitTornado"
"C:\\Program Files\\TorrentStorm\\TorrentStorm.exe"="C:\\Program Files\\TorrentStorm\\TorrentStorm.exe:*:Enabled:TorrentStorm"
"H:\\GPGNet\\GPG.Multiplayer.Client.exe"="H:\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="H:\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"H:\\Supreme_commander\\Supreme Commander\\bin\\SupremeCommander.exe"="H:\\Supreme_commander\\Supreme Commander\\bin\\SupremeCommander.exe:*:Enabled:Supreme Commander"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 23 Mar 2008 29,696 ..SH. --- "C:\Start.exe"
Wed 8 Jun 2005 104 ..SHR --- "C:\WINDOWS\system32\4FB6C6D4A8.sys"
Wed 16 Mar 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 9 May 2006 19,968 ...H. --- "C:\Documents and Settings\Willie\My Documents\~WRL0065.tmp"
Tue 9 May 2006 20,480 ...H. --- "C:\Documents and Settings\Willie\My Documents\~WRL0152.tmp"
Tue 9 May 2006 19,456 ...H. --- "C:\Documents and Settings\Willie\My Documents\~WRL1738.tmp"
Wed 13 Oct 2004 20,480 ...H. --- "C:\Documents and Settings\Willie\My Documents\~WRL2290.tmp"
Tue 9 May 2006 19,456 ...H. --- "C:\Documents and Settings\Willie\My Documents\~WRL2301.tmp"
Tue 13 Jul 2004 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 13 Jul 2004 274,904 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 13 Jul 2004 158,410 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"
Tue 2 Aug 2005 188,034 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\QUARANTINE\101.tmp"
Tue 2 Aug 2005 294,016 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\QUARANTINE\102.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT2.tmp"
Sat 12 Feb 2005 19,456 ...H. --- "C:\Documents and Settings\Willie\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 13 Oct 2004 19,968 ...H. --- "C:\Documents and Settings\Willie\Application Data\Microsoft\Word\~WRL0119.tmp"
Wed 13 Oct 2004 19,456 ...H. --- "C:\Documents and Settings\Willie\Application Data\Microsoft\Word\~WRL0923.tmp"
Wed 1 Nov 2006 19,968 ...H. --- "C:\Documents and Settings\Willie\Application Data\Microsoft\Word\~WRL2122.tmp"
Mon 24 Dec 2007 1,745 ...HR --- "C:\Documents and Settings\Willie\Application Data\SecuROM\UserData\securom_v7_01.bak"
Wed 16 Mar 2005 4,348 ...H. --- "C:\Documents and Settings\Willie\My Documents\My Music\License Backup\drmv1key.bak"
Mon 18 Jul 2005 20 A..H. --- "C:\Documents and Settings\Willie\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 16 Mar 2005 400 A.SH. --- "C:\Documents and Settings\Willie\My Documents\My Music\License Backup\drmv2key.bak"
Thu 24 Aug 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 24 Aug 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!

#4 silver

    Malware Expert Emeritus

Posted 29 May 2008 - 01:25 AM

Hi imahappychicken,

Your machine is still heavily infected; we have removed some of the malware, but there's a bit to go yet.

Make hidden/system files and folders visible:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Show hidden files and folders
UNCHECK the Hide extensions for known file types option
UNCHECK the Hide protected operating system files (recommended) option
Click Yes to confirm and press OK

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Then, open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (starting with REGEDIT4) and paste it into a new Notepad file.
Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A290466-39BD-419B-93DB-0E9599506654}"=-
Select File and Save as
Save it to your Desktop as "fix.reg" (you MUST type the quotes)
Don't use this file yet

------------------------------------------------------------------------

Download UnDLL by Eset to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Right-click undll.zip, select Extract All... and follow the prompts to extract UNDLL.EXE to a new folder on your Desktop
  • Open the new folder and double-click UNDLL.EXE to start the program
  • Click the Select infected DLL button, then browse and select this file:

    C:\WINDOWS\system32\tuvUMCUo.dll

  • UnDLL will now attempt to delete the file
  • If prompted to reboot your computer, say No
  • Repeat the above steps for these files:

    C:\WINDOWS\system32\opnmKBrP.dll
    C:\WINDOWS\system32\xvnjnkon.dll

  • Locate fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click Yes. You should then receive confirmation that the file was merged successfully.
  • Now reboot your computer

------------------------------------------------------------------------

Please download Suspicious File Packer to your Desktop.
  • Right-click sfp.zip, choose Extract All... and extract sfp.exe to your Desktop
  • Double-click sfp.exe to start the program
  • Copy and Paste the following file list into the text box of the program:

    C:\WINDOWS\system32\4FB6C6D4A8.sys
    C:\Start.exe
    c:\huadio.tmp

  • Now press the Continue button
  • A file called requested-files[YYYY-MM-DD_MM_ss].cab will appear on your Desktop.
  • Now open this page in your browser
  • Press Browse and browse to the requested-files[YYYY-MM-DD_MM_ss].cab file on your Desktop, fill in the other fields as appropriate then press Send File

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
@echo off
dir C:\WINDOWS\V2lsbGll /a /s >> results.txt 2>>&1
dir C:\WINDOWS\system32\polX /a /s >> results.txt 2>>&1
dir C:\WINDOWS\system32\GUI2 /a /s >> results.txt 2>>&1
dir C:\WINDOWS\system32\binR /a /s >> results.txt 2>>&1
dir C:\WINDOWS\system32\3036a /a /s >> results.txt 2>>&1
dir C:\WINDOWS\system32\logXv18 /a /s >> results.txt 2>>&1
del runme.bat
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time; this is normal.
Another text file called results.txt should appear on your Desktop; do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Then, make a new main.txt with DSS:
  • Make sure DSS.exe is on your Desktop
  • Press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /config

  • A configuration box will appear. Make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!
Once complete, please post the results.txt output and a new DSS main.txt report.
ASAP & UNITE Member
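Two pieces of the post above are worth being able to read offline before acting on them: what fix.reg actually changes (the hex(7) value is a REG_MULTI_SZ, so its bytes decode to plain strings, and "=-" deletes a value), and what the dir /a /s dump that runme.bat writes to results.txt contains once it comes back. The Python below is an added example written for this thread; it is not part of silver's instructions, nor code from ERUNT, UnDLL, SFP, DSS or any other tool named here. The sample .reg text and directory listing are constructed to match the formats shown in the post (placeholder file name and volume serial), and decode_multi_sz, parse_reg, parse_dir_listing, RegEntry and DirEntry are names chosen for this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample with the same shape as the fix.reg posted above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8A290466-39BD-419B-93DB-0E9599506654}"=-
"""

# Constructed sample of `dir <path> /a /s` output as cmd.exe prints it on an
# English Windows XP; the directory names are two of those runme.bat above
# lists, the file name and volume serial number are placeholders.
SAMPLE_DIR = r""" Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\WINDOWS\V2lsbGll

05/19/2008  02:18 PM    <DIR>          .
05/19/2008  02:18 PM    <DIR>          ..
07/29/2005  04:24 PM               472 SAMPLE1.vbs
               1 File(s)            472 bytes

 Directory of C:\WINDOWS\system32\3036a

05/19/2008  10:20 PM    <DIR>          .
05/19/2008  10:20 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   6,490,292,224 bytes free
"""

class RegEntry(NamedTuple):
    key: str
    name: str
    action: str              # "set" or "delete"
    value: Optional[object]  # list of str for hex(7), str for REG_SZ, else raw

def decode_multi_sz(hex_field: str) -> List[str]:
    """Decode a hex(7) (REG_MULTI_SZ) byte list from a REGEDIT4 file.
    REGEDIT4 stores ANSI text: NUL-terminated strings plus a final NUL, so
    splitting on NUL recovers them (Unicode .reg files use UTF-16LE instead)."""
    raw = bytes(int(b, 16) for b in hex_field.split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text: str) -> List[RegEntry]:
    """List every value a REGEDIT4 file sets or deletes, with its key."""
    entries: List[RegEntry] = []
    key: Optional[str] = None
    # A trailing backslash continues a long hex value on the next line.
    for raw_line in text.replace("\\\n", "").splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue                                     # header, blank, etc.
        name, val = m.group(1), m.group(2).strip()
        if val == "-":                                   # "name"=- deletes
            entries.append(RegEntry(key, name, "delete", None))
        elif val.lower().startswith("hex(7):"):
            entries.append(RegEntry(key, name, "set", decode_multi_sz(val[7:])))
        elif len(val) >= 2 and val[0] == val[-1] == '"':  # REG_SZ
            entries.append(RegEntry(key, name, "set", val[1:-1]))
        else:
            entries.append(RegEntry(key, name, "set", val))  # other types, raw
    return entries

class DirEntry(NamedTuple):
    directory: str
    date: str
    time: str
    size: int
    name: str

_ENTRY_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")

def parse_dir_listing(text: str) -> Dict[str, List[DirEntry]]:
    """Map each 'Directory of ...' section to its files. Subdirectory rows
    (including . and ..) are skipped; with /s each gets its own section. An
    empty directory maps to []; a directory that does not exist never gets a
    section (cmd prints 'File Not Found' instead), so it is simply absent."""
    listing: Dict[str, List[DirEntry]] = {}
    current: Optional[str] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("Directory of "):
            current = line[len("Directory of "):]
            listing.setdefault(current, [])
            continue
        m = _ENTRY_RE.match(line)
        if not m or current is None:
            continue                          # summary lines, volume header
        date, time, size, name = m.groups()
        if size != "<DIR>":
            listing[current].append(
                DirEntry(current, date, time, int(size.replace(",", "")), name))
    return listing

if __name__ == "__main__":
    for e in parse_reg(SAMPLE_REG):
        print(f"{e.action:6} {e.key}\\{e.name} = {e.value!r}")
    for d, files in parse_dir_listing(SAMPLE_DIR).items():
        print(d, [f"{f.name} ({f.size} bytes)" for f in files] or "(empty)")
```

Run as-is it prints that the sample fix sets Authentication Packages to the single string msv1_0 (the Windows default) and deletes one ShellExecuteHooks CLSID, then lists one file in the first directory and marks the second as empty. To use it on a real results.txt, read the file with the encoding cmd wrote it in (the OEM code page, cp437 on a US English XP) and pass the text to parse_dir_listing; a directory from runme.bat that is missing from the result was not found on disk at the time the batch ran.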

#5 imahappychicken

    Authentic Member

Posted 29 May 2008 - 02:00 AM

Here's the results.txt and main.txt

results.txt
-------------------------

Volume in drive C has no label.
Volume Serial Number is 1C79-AFBF

Directory of C:\WINDOWS\V2lsbGll

05/19/2008 02:18 PM <DIR> .
05/19/2008 02:18 PM <DIR> ..
07/29/2005 04:24 PM 472 pZ5Pv355.vbs
1 File(s) 472 bytes

Total Files Listed:
1 File(s) 472 bytes
2 Dir(s) 6,490,296,320 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C79-AFBF

Directory of C:\WINDOWS\system32\polX

05/19/2008 02:18 PM <DIR> .
05/19/2008 02:18 PM <DIR> ..
05/02/2008 04:22 PM 300,672 roEbdll2.exe
1 File(s) 300,672 bytes

Total Files Listed:
1 File(s) 300,672 bytes
2 Dir(s) 6,490,292,224 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C79-AFBF

Directory of C:\WINDOWS\system32\GUI2

05/19/2008 02:18 PM <DIR> .
05/19/2008 02:18 PM <DIR> ..
05/05/2008 09:16 AM 127,488 FI-dt4x.exe
1 File(s) 127,488 bytes

Total Files Listed:
1 File(s) 127,488 bytes
2 Dir(s) 6,490,292,224 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C79-AFBF

Directory of C:\WINDOWS\system32\binR

05/19/2008 02:18 PM <DIR> .
05/19/2008 02:18 PM <DIR> ..
04/22/2008 08:49 PM 49,152 Wvram13.exe
1 File(s) 49,152 bytes

Total Files Listed:
1 File(s) 49,152 bytes
2 Dir(s) 6,490,292,224 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C79-AFBF

Directory of C:\WINDOWS\system32\3036a

05/19/2008 10:20 PM <DIR> .
05/19/2008 10:20 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 6,490,292,224 bytes free
Volume in drive C has no label.
Volume Serial Number is 1C79-AFBF

Directory of C:\WINDOWS\system32\logXv18

05/19/2008 02:18 PM <DIR> .
05/19/2008 02:18 PM <DIR> ..
05/09/2008 02:25 PM 32,768 logXv182328.exe
1 File(s) 32,768 bytes

Total Files Listed:
1 File(s) 32,768 bytes
2 Dir(s) 6,490,292,224 bytes free



main.txt
------------------------------

Deckard's System Scanner v20071014.68
Run by Willie on 2008-05-29 00:57:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
13: 2008-05-29 05:29:18 UTC - RP1719 - Deckard's System Scanner Restore Point
12: 2008-05-28 05:50:24 UTC - RP1718 - System Checkpoint
11: 2008-05-23 08:51:51 UTC - RP1717 - System Checkpoint
10: 2008-05-20 21:26:10 UTC - RP1716 - System Checkpoint
9: 2008-05-19 21:23:31 UTC - RP1715 - Last known good configuration


-- First Restore Point --
1: 2008-05-11 12:34:31 UTC - RP1707 - System Checkpoint


Performed disk cleanup.

System Drive C: has 9.13 GiB (less than 15%) free.


-- HijackThis (run as Willie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:01 AM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Willie\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Willie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: gooochi browser optimizer - {35a269b8-c509-07d2-55b0-024895864284} - C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: mysidesearch browser optimizer - {f93251b6-5423-859e-8b13-4777f967cb86} - C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...04/sdcregie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094057243417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 11797 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080528-214830-127 O4 - HKLM\..\Run: [{9A-AF-FB-BF-DW}] C:\WINDOWS\system32\jpwnw64n.exe DWramFF
backup-20080528-214830-159 O4 - HKLM\..\Run: [{7e34f2e9-fa60-87d4-a447-8bd363c380d8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll" DllStart
backup-20080528-214830-287 O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
backup-20080528-214830-294 O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
backup-20080528-214830-302 O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jpwnw64n.exe
backup-20080528-214830-336 O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Willie\Application Data\Deskbar_{07ECFE38-D473-4a3c-BCEA-85332873759E}\starter.exe
backup-20080528-214830-426 O4 - HKLM\..\Run: [BM1f4a9c8c] Rundll32.exe "C:\WINDOWS\system32\ouhtrpjx.dll",s
backup-20080528-214830-522 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntqkdm.exe DWramFF
backup-20080528-214830-625 O4 - HKLM\..\Run: [1c79af10] rundll32.exe "C:\WINDOWS\system32\wqhxmxhi.dll",b
backup-20080528-214830-778 O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntqkdm.exe
backup-20080528-214830-816 O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Willie\lsass.exe
backup-20080528-214830-899 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsea...e.com/start.php

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 si3112 - c:\windows\system32\drivers\si3112.sys <Not Verified; Silicon Image, Inc.; SiI 3112 SATALink controller>
R0 SiWinAcc - c:\windows\system32\drivers\siwinacc.sys <Not Verified; Silicon Image, Inc.; SATALink Windows Accelerator>
R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R1 mbmiodrvr - c:\windows\system32\mbmiodrvr.sys <Not Verified; cansoft@livewiredev.com; Windows ® 2000 DDK driver>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro TDI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.0.1>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

S3 autorun - c:\huadio.tmp <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 catchme - c:\docume~1\willie\locals~1\temp\catchme.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 FeMouWDM (Fellowes Mouse Driver) - c:\windows\system32\drivers\femouwdm.sys <Not Verified; Fellowes, Inc.; Fellowes EasyPoint Mouse Software>
S3 GoProto (GoProto Protocol Driver) - c:\windows\system32\drivers\goprot51.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics Network Module>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
R2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe"
R2 PccPfw (Trend Micro Personal Firewall) - c:\program files\trend micro\internet security\pccpfw.exe <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 Tmntsrv (Trend NT Realtime Service) - "c:\program files\trend micro\internet security\tmntsrv.exe" <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 tmproxy (Trend Micro Proxy Service) - c:\program files\trend micro\internet security\tmproxy.exe <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&13C0B0C5&0&20
Manufacturer: Nvidia
Name: NVIDIA nForce Networking Controller
PNP Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_80A71043&REV_A1\3&13C0B0C5&0&20
Service: NVENET

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&3B1D9AB8&0&2040
Manufacturer: Marvell
Name: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&3B1D9AB8&0&2040
Service: yukonwxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\BC724FE01800
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\BC724FE01800
Service: NIC1394


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 276)
2004-03-18 09:26:48 114688 --a------ C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL <Not Verified; Logitech Inc.; Productivity Software Common Files>
2004-03-18 09:26:50 4608 --a------ C:\Program Files\Logitech\iTouch\itchhk.dll <Not Verified; Logitech Inc.; iTouch>
2002-10-24 13:03:38 290816 -----n--- C:\WINDOWS\system32\l3codeca.acm <Not Verified; Fraunhofer Institut Integrierte Schaltungen IIS; MPEG Layer-3 Audio Codec for MSACM>
2004-03-18 09:26:12 5120 --a------ C:\Program Files\Logitech\iTouch\KbdHook.dll <Not Verified; Logitech Inc.; iTouch>
2004-05-14 07:10:48 69632 --a------ C:\Program Files\Trend Micro\Internet Security\Tmdshell.dll <Not Verified; Trend Micro Incorporated.; Trend Pc-cillin 11>
2004-07-05 21:57:08 121344 --a------ C:\Program Files\WinRAR\RarExt.dll
2006-06-05 14:06:22 20992 --a------ C:\Program Files\MagicISO\misosh.dll <Not Verified; MagicISO, Inc.; MagicISO Shell Extension Module>
2005-12-09 01:11:06 136704 --a------ C:\Program Files\7-Zip\7-zip.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 22:41:13 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-03-27 11:15:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-28 21:49:46 0 d-------- C:\WINDOWS\ERUNT
2008-05-28 21:28:31 102400 --a------ C:\WINDOWS\system32\wqhxmxhi.dll
2008-05-28 21:25:30 2560 --a------ C:\WINDOWS\system32\npebkveb.exe
2008-05-28 21:23:18 109568 --a------ C:\WINDOWS\system32\ouhtrpjx.dll
2008-05-27 22:12:33 2560 --a------ C:\WINDOWS\system32\avwgbpyp.exe
2008-05-27 22:06:34 110592 --a------ C:\WINDOWS\system32\efiiblys.dll
2008-05-27 21:09:34 109568 --a------ C:\WINDOWS\system32\cgomggsb.dll
2008-05-27 06:28:12 370688 --a------ C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll
2008-05-24 10:04:40 200774 --a------ C:\WINDOWS\system32\rcntqkdn.exe
2008-05-23 23:07:10 118272 --a------ C:\WINDOWS\system32\uijitegj.dll
2008-05-23 23:04:12 2560 --a------ C:\WINDOWS\system32\ybvdjuja.exe
2008-05-22 18:15:26 109568 --a------ C:\WINDOWS\system32\dtfplvvr.dll
2008-05-21 02:30:41 118784 --a------ C:\WINDOWS\system32\osekmspk.dll
2008-05-21 02:27:40 2560 --a------ C:\WINDOWS\system32\xocghdwl.exe
2008-05-21 02:25:08 109056 --a------ C:\WINDOWS\system32\bjkuuqyn.dll
2008-05-20 02:33:48 2560 --a------ C:\WINDOWS\system32\kfgulyku.exe
2008-05-20 02:27:48 118272 --a------ C:\WINDOWS\system32\rjbyftql.dll
2008-05-20 02:24:48 109056 --a------ C:\WINDOWS\system32\ftbvsqkh.dll
2008-05-19 21:27:47 401972 --a------ C:\WINDOWS\system32\g46.exe
2008-05-19 21:21:45 49175 --a------ C:\WINDOWS\system32\jpwnw64n.exe <Not Verified; ; Browser Driver>
2008-05-19 14:23:12 805568 --ahs---- C:\WINDOWS\system32\PrBKmnpo.ini2
2008-05-19 14:18:34 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-19 14:18:21 200768 --a------ C:\WINDOWS\system32\rcntqkdm.exe
2008-05-19 14:18:21 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-19 14:18:18 298311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-19 14:18:17 0 d--hs---- C:\WINDOWS\V2lsbGll
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\polX
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\GUI2
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\binR
2008-05-19 14:18:14 0 d-------- C:\WINDOWS\system32\3036a
2008-05-19 14:18:10 0 d-------- C:\WINDOWS\system32\logXv18
2008-05-19 06:55:20 439808 --a------ C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-28 21:32:16 0 d-------- C:\Program Files\Trend Micro
2008-05-18 10:16:23 0 d-------- C:\Program Files\PeerGuardian2
2008-05-18 09:59:01 0 d-------- C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2008-05-11 13:03:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-25 14:43:08 0 d-------- C:\Program Files\Common Files
2008-04-25 14:43:08 0 d-------- C:\Program Files\Common Files\TechSmith Shared
2008-04-25 14:43:06 0 d-------- C:\Program Files\TechSmith
2008-03-23 21:17:34 29696 ---hs---- C:\Start.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35a269b8-c509-07d2-55b0-024895864284}]
05/27/2008 06:28 AM 370688 --a------ C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f93251b6-5423-859e-8b13-4777f967cb86}]
05/19/2008 06:55 AM 439808 --a------ C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeadAIM"="C:\PROGRA~1\AIM95\\DeadAIM.ocm" [02/24/2003 04:11 PM]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 03:50 AM]
"MBM 5"="C:\Program Files\Motherboard Monitor 5\MBM5.EXE" [02/19/2004 06:47 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 09:33 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/24/2004 04:13 AM]
"SoundMan"="SOUNDMAN.EXE" [08/15/2003 12:34 AM C:\WINDOWS\soundman.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security\pccguide.exe" [02/02/2006 11:35 PM]
"PCClient.exe"="C:\Program Files\Trend Micro\Internet Security\PCClient.exe" [02/02/2006 11:35 PM]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" [02/02/2006 11:35 PM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [12/20/2004 05:12 PM]
"Fellowes Proxy"="C:\WINDOWS\system32\r3proxy.exe" [03/25/2004 02:13 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [06/12/2005 04:53 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 01:35 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\Willie\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [12/25/2004 10:30:35 PM]
PeerGuardian.lnk - C:\Program Files\PeerGuardian2\pg2.exe [2/25/2005 3:12:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 1:05:56 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Willie^Start Menu^Programs^Startup^Drempels Desktop.lnk]
path=C:\Documents and Settings\Willie\Start Menu\Programs\Startup\Drempels Desktop.lnk
backup=C:\WINDOWS\pss\Drempels Desktop.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"C:\Program Files\ATI Multimedia\main\launchpd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
MMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NovaBackup 7 Tray Control]
"C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PP8 Reminder]
"C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrv"=2 (0x2)
"SymWSC"=2 (0x2)
"Bonjour Service"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
Auto\command- C:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
Auto\command- H:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ed777a6-41eb-11da-8815-806d6172696f}]
AutoRun\command- G:\LaunchEAW.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1aeb4e-14c7-11dc-8f11-cc0ba6dc8b00}]
Auto\command- I:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86932982-12df-11dd-90d2-0012178c02c5}]
Auto\command- I:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3ab1b20-9acb-11db-8e88-0012178c02c5}]
Auto\command- I:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf6980f-6a64-11d9-a00f-000d61603c10}]
Auto\command- J:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

*Newly Created Service* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb



-- End of Deckard's System Scanner: finished at 2008-05-29 00:59:03 ------------

#6 silver
    Malware Expert Emeritus
  • Authentic Member
  • 2,994 posts

Posted 29 May 2008 - 04:04 AM

Hi imahappychicken,

The DSS scan shows that your Trend Micro security package has outdated definitions. Without the latest definitions, this program cannot protect you effectively, so please update it immediately. If the subscription has expired, either renew it or remove the program and install an alternative package. There are several free packages available; two of the most popular are here:
Antivir: http://www.free-av.com/
Avast!: http://www.avast.com...avast-home.html

Please ensure you have one up-to-date antivirus program installed before continuing.

------------------------------------------------------------------------

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

BSPlayer
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_06
JavaT 6 Update 2
JavaT 6 Update 3
JavaT 6 Update 5
JavaT SE Runtime Environment 6 Update 1

BSPlayer contains adware, and the Java installations are out of date and now a security risk. You can get the latest update (version 6 update 6) from here and install it when your machine is clean.

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
These entries should be removed via Add/Remove Programs:

Viewpoint Manager (Remove Only)
Viewpoint Media Player


Party Poker has been reported as being malware-related so I strongly recommend you remove it.
To do so, uninstall PartyPoker via Add/Remove Programs.

You have Ares, Azureus, BitTornado and WinMX, which are P2P file sharing programs, installed on your computer. These programs do not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I strongly recommend you remove these via Add/Remove Programs.

------------------------------------------------------------------------

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

O2 - BHO: gooochi browser optimizer - {35a269b8-c509-07d2-55b0-024895864284} - C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll
O2 - BHO: mysidesearch browser optimizer - {f93251b6-5423-859e-8b13-4777f967cb86} - C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll

If you removed Party Poker, then you can also check these entries (if present):

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Backup Your Registry:
  • Download ERUNT to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Right-click erunt.zip, choose Extract All... and follow the prompts to unzip the program
  • Open the erunt folder on your Desktop and double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll-uninst.exe
    C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll-uninst.exe
    C:\WINDOWS\system32\rcntqkdm.exe
    c:\windows\system32\jpwnw64n.exe
    C:\Start.exe
    C:\WINDOWS\V2lsbGll
    C:\WINDOWS\system32\polX
    C:\WINDOWS\system32\GUI2
    C:\WINDOWS\system32\binR
    C:\WINDOWS\system32\3036a
    C:\WINDOWS\system32\logXv18
    C:\WINDOWS\system32\tuvUMCUo.dll
    C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll
    C:\WINDOWS\system32\gside.exe
    C:\WINDOWS\system32\rcntqkdm.exe
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    C:\WINDOWS\system32\winpfz33.sys
    C:\WINDOWS\system32\PrBKmnpo.ini2
    C:\WINDOWS\system32\opnmKBrP.dll
    C:\WINDOWS\system32\jpwnw64n.exe
    C:\WINDOWS\system32\g46.exe
    C:\WINDOWS\system32\rjbyftql.dll
    C:\WINDOWS\system32\ftbvsqkh.dll
    C:\WINDOWS\system32\kfgulyku.exe
    C:\WINDOWS\system32\bjkuuqyn.dll
    C:\WINDOWS\system32\xocghdwl.exe
    C:\WINDOWS\system32\osekmspk.dll
    C:\WINDOWS\system32\dtfplvvr.dll
    C:\WINDOWS\system32\ybvdjuja.exe
    C:\WINDOWS\system32\uijitegj.dll
    C:\WINDOWS\system32\rcntqkdn.exe
    C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll
    C:\WINDOWS\system32\cgomggsb.dll
    C:\WINDOWS\system32\efiiblys.dll
    C:\WINDOWS\system32\avwgbpyp.exe
    C:\WINDOWS\system32\ouhtrpjx.dll
    C:\WINDOWS\system32\npebkveb.exe
    C:\WINDOWS\system32\wqhxmxhi.dll
    C:\WINDOWS\system32\xvnjnkon.dll
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1aeb4e-14c7-11dc-8f11-cc0ba6dc8b00}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86932982-12df-11dd-90d2-0012178c02c5}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3ab1b20-9acb-11db-8e88-0012178c02c5}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf6980f-6a64-11d9-a00f-000d61603c10}
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
  • Close OTMoveIt2

------------------------------------------------------------------------

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:

cmd /c dir "C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}" /a /s >> "%userprofile%\desktop\results2.txt"

A black box will open and a file will appear on your Desktop called results2.txt.
Post the contents of results2.txt in your next response.

------------------------------------------------------------------------

Once complete, please post the OTMoveIt report, the results2.txt output and a new HijackThis log.
ASAP & UNITE Member
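The OTMoveIt list in the post above was assembled by hand from the DSS report: recently created files in system32 with random eight-letter names or GUID file names, hidden+system items under C:\WINDOWS, and every MountPoints2 autorun handler whose target is the hidden C:\Start.exe (the F: and G: handlers, which launch ordinary CD autoruns, were left alone). The Python below is an added example, not part of this thread and not code from DSS, HijackThis or OTMoveIt; it encodes those same triage rules and runs them over a constructed sample made of lines copied from the logs posted above, so a reader can see how the removal list falls out of the report. The function and rule names are the example's own, and the heuristics are deliberately simple: jpwnw64n.exe, which contains digits, slips past the name rules and was caught only by the analyst's eye.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the DSS "Files created" and
# "Find3M" sections posted in this thread, used as offline input.
SAMPLE_DSS = r"""
2008-05-28 21:49:46 0 d-------- C:\WINDOWS\ERUNT
2008-05-28 21:28:31 102400 --a------ C:\WINDOWS\system32\wqhxmxhi.dll
2008-05-28 21:25:30 2560 --a------ C:\WINDOWS\system32\npebkveb.exe
2008-05-27 06:28:12 370688 --a------ C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll
2008-05-19 21:21:45 49175 --a------ C:\WINDOWS\system32\jpwnw64n.exe <Not Verified; ; Browser Driver>
2008-05-19 14:23:12 805568 --ahs---- C:\WINDOWS\system32\PrBKmnpo.ini2
2008-05-19 14:18:17 0 d--hs---- C:\WINDOWS\V2lsbGll
2008-05-28 21:32:16 0 d-------- C:\Program Files\Trend Micro
2008-03-23 21:17:34 29696 ---hs---- C:\Start.exe
"""

# Constructed sample: MountPoints2 entries from the registry dump in this thread.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
Auto\command- C:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ed777a6-41eb-11da-8815-806d6172696f}]
AutoRun\command- G:\LaunchEAW.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1aeb4e-14c7-11dc-8f11-cc0ba6dc8b00}]
Auto\command- I:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
"""

# DSS file line layout: date time size attributes path [<verification info>]
DSS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>[^<]+?)(?: <.*>)?$"
)
RANDOM8 = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")            # e.g. wqhxmxhi.dll
GUIDNAME = re.compile(                                        # e.g. {c1457e45-...}.dll
    r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.dll$", re.I)
MOUNT_CMD = re.compile(r"^(?:Auto|AutoRun)\\command- (?P<cmd>.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    item: str    # file path or MountPoints2 subkey name
    reason: str


def triage_dss_files(text):
    """Apply the three name/attribute rules to DSS 'Files created' lines.
    The rules assume the input is a recent-files list, where an 8-letter
    lowercase name in system32 is unusual; run on all of system32 they
    would also hit winlogon.exe and services.exe."""
    findings = []
    for raw in text.splitlines():
        m = DSS_LINE.match(raw.strip())
        if not m:
            continue
        path, attrs = m.group("path").strip(), m.group("attrs")
        name = path.rsplit("\\", 1)[-1]
        in_sys32 = path.lower().startswith(SYSTEM32)
        if in_sys32 and RANDOM8.match(name):
            findings.append(Finding(path, "random 8-letter name in system32"))
        elif in_sys32 and GUIDNAME.match(name):
            findings.append(Finding(path, "GUID-named DLL in system32"))
        elif "h" in attrs and "s" in attrs:
            findings.append(Finding(path, "hidden+system attributes"))
    return findings


def triage_mountpoints(text, suspect_targets=("start.exe",)):
    """Flag MountPoints2 subkeys whose Auto/AutoRun handler ends up running
    one of suspect_targets, directly or via the rundll32 ShellExec trampoline.
    Returns {subkey: Finding}, one entry per subkey."""
    findings = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Track the current subkey; reset on any non-MountPoints2 key.
            key = line[1:-1].rsplit("\\", 1)[-1] if "mountpoints2\\" in line.lower() else None
            continue
        m = MOUNT_CMD.match(line)
        if not (m and key):
            continue
        # Last token of the command is the executable actually launched.
        target = m.group("cmd").split()[-1].rsplit("\\", 1)[-1].lower()
        if target in suspect_targets and key not in findings:
            findings[key] = Finding(key, "autorun handler runs " + target)
    return findings


if __name__ == "__main__":
    for f in triage_dss_files(SAMPLE_DSS):
        print(f"{f.reason:36} {f.item}")
    for f in triage_mountpoints(SAMPLE_REG).values():
        print(f"{f.reason:36} MountPoints2\\{f.item}")
```

Run against the sample, the file rules flag the two random-named binaries, the GUID-named BHO DLL, PrBKmnpo.ini2, the V2lsbGll folder and C:\Start.exe, and the MountPoints2 rule flags the C and {6a1aeb4e-...} subkeys while leaving the F: and G: handlers alone, which matches the list the expert posted. The output is a worklist for review, not a verdict; the LoadLibrary and "NOT unregistered" lines in the OTMoveIt report that follows are the usual sign that these DLLs were already non-functional or locked when moved.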

#7 imahappychicken
    Authentic Member
  • Authentic Member
  • 22 posts

Posted 29 May 2008 - 05:58 PM

Here is the results2.txt, OTMoveIt.txt, and new HiJackThis log.

results2.txt
----------------------------------

Volume in drive C has no label.
Volume Serial Number is 1C79-AFBF

Directory of C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}

05/18/2008 09:59 AM <DIR> .
05/18/2008 09:59 AM <DIR> ..
08/06/2004 12:46 PM <DIR> recovery
03/29/2008 03:04 PM 23 vercheck.dat
1 File(s) 23 bytes

Directory of C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}\recovery

08/06/2004 12:46 PM <DIR> .
08/06/2004 12:46 PM <DIR> ..
05/18/2008 09:59 AM <DIR> datacache
08/06/2004 12:46 PM <DIR> icons
08/06/2004 12:46 PM <DIR> piececache
08/06/2004 12:46 PM <DIR> torrentcache
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}\recovery\datacache

05/18/2008 09:59 AM <DIR> .
05/18/2008 09:59 AM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}\recovery\icons

08/06/2004 12:46 PM <DIR> .
08/06/2004 12:46 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}\recovery\piececache

08/06/2004 12:46 PM <DIR> .
08/06/2004 12:46 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Willie\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}\recovery\torrentcache

08/06/2004 12:46 PM <DIR> .
08/06/2004 12:46 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
1 File(s) 23 bytes
17 Dir(s) 9,824,264,192 bytes free


OTMoveIt
-----------------------------------

C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll-uninst.exe moved successfully.
C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll-uninst.exe moved successfully.
C:\WINDOWS\system32\rcntqkdm.exe moved successfully.
c:\windows\system32\jpwnw64n.exe moved successfully.
C:\Start.exe moved successfully.
C:\WINDOWS\V2lsbGll moved successfully.
C:\WINDOWS\system32\polX moved successfully.
C:\WINDOWS\system32\GUI2 moved successfully.
C:\WINDOWS\system32\binR moved successfully.
C:\WINDOWS\system32\3036a moved successfully.
C:\WINDOWS\system32\logXv18 moved successfully.
File/Folder C:\WINDOWS\system32\tuvUMCUo.dll not found.
File/Folder C:\WINDOWS\system32\{c49881cf-856e-41eb-b440-a4d2e8e678c8}.dll not found.
C:\WINDOWS\system32\gside.exe moved successfully.
File/Folder C:\WINDOWS\system32\rcntqkdm.exe not found.
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe moved successfully.
C:\WINDOWS\system32\winpfz33.sys moved successfully.
C:\WINDOWS\system32\PrBKmnpo.ini2 moved successfully.
File/Folder C:\WINDOWS\system32\opnmKBrP.dll not found.
File/Folder C:\WINDOWS\system32\jpwnw64n.exe not found.
C:\WINDOWS\system32\g46.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\rjbyftql.dll
C:\WINDOWS\system32\rjbyftql.dll NOT unregistered.
C:\WINDOWS\system32\rjbyftql.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ftbvsqkh.dll
C:\WINDOWS\system32\ftbvsqkh.dll NOT unregistered.
C:\WINDOWS\system32\ftbvsqkh.dll moved successfully.
C:\WINDOWS\system32\kfgulyku.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\bjkuuqyn.dll
C:\WINDOWS\system32\bjkuuqyn.dll NOT unregistered.
C:\WINDOWS\system32\bjkuuqyn.dll moved successfully.
C:\WINDOWS\system32\xocghdwl.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\osekmspk.dll
C:\WINDOWS\system32\osekmspk.dll NOT unregistered.
C:\WINDOWS\system32\osekmspk.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\dtfplvvr.dll
C:\WINDOWS\system32\dtfplvvr.dll NOT unregistered.
C:\WINDOWS\system32\dtfplvvr.dll moved successfully.
C:\WINDOWS\system32\ybvdjuja.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\uijitegj.dll
C:\WINDOWS\system32\uijitegj.dll NOT unregistered.
C:\WINDOWS\system32\uijitegj.dll moved successfully.
C:\WINDOWS\system32\rcntqkdn.exe moved successfully.
File/Folder C:\WINDOWS\system32\{c1457e45-2013-cdd8-a672-dd83d89a14e6}.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\cgomggsb.dll
C:\WINDOWS\system32\cgomggsb.dll NOT unregistered.
C:\WINDOWS\system32\cgomggsb.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\efiiblys.dll
C:\WINDOWS\system32\efiiblys.dll NOT unregistered.
C:\WINDOWS\system32\efiiblys.dll moved successfully.
C:\WINDOWS\system32\avwgbpyp.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ouhtrpjx.dll
C:\WINDOWS\system32\ouhtrpjx.dll NOT unregistered.
C:\WINDOWS\system32\ouhtrpjx.dll moved successfully.
C:\WINDOWS\system32\npebkveb.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wqhxmxhi.dll
C:\WINDOWS\system32\wqhxmxhi.dll NOT unregistered.
C:\WINDOWS\system32\wqhxmxhi.dll moved successfully.
File/Folder C:\WINDOWS\system32\xvnjnkon.dll not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1aeb4e-14c7-11dc-8f11-cc0ba6dc8b00} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a1aeb4e-14c7-11dc-8f11-cc0ba6dc8b00}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86932982-12df-11dd-90d2-0012178c02c5} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86932982-12df-11dd-90d2-0012178c02c5}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3ab1b20-9acb-11db-8e88-0012178c02c5} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3ab1b20-9acb-11db-8e88-0012178c02c5}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf6980f-6a64-11d9-a00f-000d61603c10} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf6980f-6a64-11d9-a00f-000d61603c10}\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05292008_165339


HiJackThis
-----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:35 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...04/sdcregie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094057243417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10227 bytes

#8 silver
Malware Expert Emeritus, Authentic Member, 2,994 posts

Posted 29 May 2008 - 09:30 PM

Hi imahappychicken,

Please open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button
Scroll down the list and find this entry:

Enhancement Browser Tools Gooochi

Click it to highlight it, then press Delete this entry
Repeat for these entries:

MySidesearch Search Assistant Adzgalore
winvi (remove only)

Then close HijackThis

Please do an online scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky...kavwebscan.html
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Next and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save Report As... button, change Save as type: to Text file and save the file to your desktop as Kaspersky.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Once complete, please post the Kaspersky report and a new HijackThis log. Also, let me know how your computer is running now.
ASAP & UNITE Member

#9 imahappychicken
Authentic Member, 22 posts

Posted 30 May 2008 - 11:10 AM

Here is the Kaspersky.txt and a new HijackThis Log.

The computer is definitely running a lot better, thanks. The desktop is back to normal and the random popups seem to have stopped.


Kaspersky.txt
------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 10:08:34 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 814380
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 179797
Number of viruses found: 17
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 04:20:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\cert8.db Object is locked skipped
C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\history.dat Object is locked skipped
C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\key3.db Object is locked skipped
C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\parent.lock Object is locked skipped
C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Willie\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Willie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Willie\Desktop\requested-files[2008-05-29_00_51].cab/C:/Start.exe Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Willie\Desktop\requested-files[2008-05-29_00_51].cab CAB: infected - 1 skipped
C:\Documents and Settings\Willie\Local Settings\Application Data\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Application Data\Mozilla\Firefox\Profiles\9f3t5f2i.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\20RUP8E5\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\KY8ENEHA\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\U0WP6PT1\myss_install_2[1].exe/data0003 Infected: Trojan.Win32.BHO.cmd skipped
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\U0WP6PT1\myss_install_2[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Willie\ntuser.dat Object is locked skipped
C:\Documents and Settings\Willie\ntuser.dat.LOG Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-05-29.23-45-48.log Object is locked skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\SDFix\backups\backups.zip/backups/lsass.exe Infected: Trojan.Win32.VB.cng skipped
C:\SDFix\backups\backups.zip/backups/mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\SDFix\backups\backups.zip/backups/mrofinu1188.exe Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\SDFix\backups\backups.zip/backups/rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\SDFix\backups\backups.zip/backups/update.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\SDFix\backups\backups.zip/backups/update.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\SDFix\backups\backups.zip/backups/update.exe Infected: Trojan.NSIS.StartPage.c skipped
C:\SDFix\backups\backups.zip ZIP: infected - 7 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1715\A0194056.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1715\A0194057.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1715\A0194062.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1715\A0194064.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1715\A0194065.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.szt skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194247.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194285.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194285.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194285.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194298.exe Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194299.exe Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194303.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194313.exe Infected: Trojan.Win32.VB.cng skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194314.exe Infected: Trojan.Win32.VB.cng skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194326.exe Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194327.exe Infected: Trojan-Downloader.Win32.Homles.bl skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194332.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194337.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194337.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1718\A0194337.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1731\A0196570.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{1B1FA884-AF1C-40A7-9B32-8FF2FEE25BAF}\RP1731\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\madCHook.dll Infected: not-a-virus:RiskTool.Win32.Hooker.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\Start.exe Infected: Trojan.Win32.VB.cng skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\binR\Wvram13.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\g46.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\g46.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\g46.exe NSIS: infected - 2 skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\GUI2\FI-dt4x.exe Infected: Trojan.Win32.Agent.lom skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\jpwnw64n.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\logXv18\logXv182328.exe Infected: Trojan-Downloader.Win32.VB.enh skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\polX\roEbdll2.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\polX\roEbdll2.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\polX\roEbdll2.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\polX\roEbdll2.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\polX\roEbdll2.exe NSIS: infected - 4 skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\rcntqkdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\_OTMoveIt\MovedFiles\05292008_165339\WINDOWS\system32\rcntqkdn.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
H:\Start.exe Infected: Trojan.Win32.VB.cng skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


HijackThis Log
------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:00 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...04/sdcregie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094057243417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10085 bytes

#10 silver
Malware Expert Emeritus, Authentic Member, 2,994 posts

Posted 30 May 2008 - 08:05 PM

Hi imahappychicken,

Great to hear things are running better, just a few things left to do:

Clean with OTMoveIt once more:
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt File List:
    H:\Start.exe
    undll.zip
    undll.exe
    C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\20RUP8E5\17PHolmes[1].cmt
    C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\KY8ENEHA\17PHolmes[1].cmt
    C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\U0WP6PT1\myss_install_2[1].exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot. Save the report for posting with your next response.

Clean up with OTMoveIt2:
  • Close all other programs apart from OTMoveIt2 as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Kaspersky flagged a component of Daemon Tools because it is bundled with an adware toolbar - if you install this program please take care to install it without the toolbar - you are offered the choice during the installation.

Re-hide hidden/system files and folders:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Do not show hidden files and folders
CHECK the Hide extensions for known file types option
CHECK the Hide protected operating system files (recommended) option
Press OK

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked; you can choose to check other boxes if you wish, but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Once complete, please post the OTMoveIt report and tell me if you had any difficulties with the instructions.
ASAP & UNITE Member



#11 imahappychicken

imahappychicken

    Authentic Member

  • Authentic Member
  • 22 posts

Posted 31 May 2008 - 05:22 PM

I'm afraid that my computer has suddenly taken a turn for the worse =[. I turned on my computer to continue with fixing the original problem when something else occurred. The computer would boot up and get past the login screen. It begins to load Windows, yet it seems to freeze after a few minutes. The mouse still moves, but it does not click or anything. The entire screen seems to be frozen except for the movement of the mouse. I have to force-shutdown the computer. I have tried it again and again with the same result. It worked once and I managed to get the first step done of your last response, but when I rebooted the computer, the same freezing happened again. It must be some sort of virus, because I went into Safe Mode and everything seems to be working fine. Just when I thought things were finally starting to clear up, this happens =[. What do you think it is and what can I do now? Thanks again, ~Justin

#12 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 31 May 2008 - 08:08 PM

I don't yet know what could be the cause of the problem, but we'll try and get your machine sorted. Are you able to download any tools at this point? If possible, please save a copy of the previous OTMoveIt instructions, boot into Safe Mode and repeat them but stop before performing the Cleanup. Then, post the OTMoveIt report along with a new HijackThis log and we'll take it from there.
ASAP & UNITE Member

#13 imahappychicken

imahappychicken

    Authentic Member

  • Authentic Member
  • 22 posts

Posted 31 May 2008 - 10:16 PM

Here's the report from the last OTMoveIt run and a new HijackThis log.

OTMoveIt
----------------------------

File move failed. H:\Start.exe scheduled to be moved on reboot.
undll.zip moved successfully.
File/Folder undll.exe not found.
< C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\20RUP8E5\17PHolmes[1].cmt >
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\20RUP8E5\17PHolmes[1].cmt moved successfully.
< C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\KY8ENEHA\17PHolmes[1].cmt >
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\KY8ENEHA\17PHolmes[1].cmt moved successfully.
< C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\U0WP6PT1\myss_install_2[1].exe >
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\U0WP6PT1\myss_install_2[1].exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05312008_120311

Files moved on Reboot...
H:\Start.exe moved successfully.

Files moved on Reboot...
File H:\Start.exe not found!

Files moved on Reboot...
File H:\Start.exe not found!

Files moved on Reboot...
File H:\Start.exe not found!


HijackThis Log
---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:35 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...04/sdcregie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094057243417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10103 bytes
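The OTMoveIt report above is read by hand in this thread: the helper checks that each listed item reports "moved successfully", and that a file which first "failed" and was "scheduled to be moved on reboot" did in fact go on the next boot (the repeated "not found!" lines after that are the scheduled job re-running against a file that is already gone). The following Python is an added example written for this page, not OTMoveIt's own code and not something posted in the thread; it parses a constructed report modelled on the one above into a per-path final status and lists anything still pending, so the same check can be applied to a longer report without missing a line.

```python
import re
from collections import Counter

# Constructed sample, modelled on the OTMoveIt2 report posted in this thread
# (same paths, trimmed to the lines that carry a result).
SAMPLE_REPORT = r"""
File move failed. H:\Start.exe scheduled to be moved on reboot.
undll.zip moved successfully.
File/Folder undll.exe not found.
< C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\20RUP8E5\17PHolmes[1].cmt >
C:\Documents and Settings\Willie\Local Settings\Temporary Internet Files\Content.IE5\20RUP8E5\17PHolmes[1].cmt moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05312008_120311

Files moved on Reboot...
H:\Start.exe moved successfully.

Files moved on Reboot...
File H:\Start.exe not found!
"""

# The three result shapes seen in the report; anchored so a path containing
# the words "moved" or "found" cannot confuse them.
SCHEDULED = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND = re.compile(r"^File(?:/Folder)? (?P<path>.+?) not found[.!]$")


def parse_report(text):
    """Map each requested path to its final status: 'moved', 'not_found',
    'scheduled' (a reboot move that has not been confirmed yet) or
    'unrecognised'. Later lines override earlier ones, so a file that was
    scheduled and then 'moved successfully' after the reboot ends as moved."""
    status = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Headers and the '< path >' echo lines carry no result.
        if (not line or line.startswith("<") or line.startswith("OTMoveIt")
                or line.startswith("Files moved on Reboot")):
            continue
        m = SCHEDULED.match(line)
        if m:
            status[m["path"]] = "scheduled"
            continue
        m = MOVED.match(line)
        if m:
            status[m["path"]] = "moved"
            continue
        m = NOT_FOUND.match(line)
        if m:
            # After a successful reboot move the scheduled job runs again and
            # reports 'not found!'; that must not undo the 'moved' result.
            if status.get(m["path"]) != "moved":
                status[m["path"]] = "not_found"
            continue
        status[line] = "unrecognised"
    return status


def summarize(status):
    """Count outcomes, e.g. Counter({'moved': 3, 'not_found': 1})."""
    return Counter(status.values())


def still_present(status):
    """Paths OTMoveIt has not confirmed gone: scheduled moves with no
    follow-up after the reboot, plus lines the parser did not understand."""
    return sorted(p for p, s in status.items() if s in ("scheduled", "unrecognised"))


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    print(summarize(result))
    print("still present:", still_present(result))
```

Run against the sample, `still_present` is empty because the reboot section confirms `H:\Start.exe` was moved; feed it only the first section (before the reboot) and `H:\Start.exe` is reported as still pending, which is exactly the case where a helper would ask for the post-reboot log before going further.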

#14 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 01 June 2008 - 04:20 AM

Hi imahappychicken,

Your HijackThis log looks good so I doubt that malware has caused the latest problem. We need to finish the cleanup before doing anything else, so please try to complete the cleanup instructions, but we'll leave the old Restore Points in place for now:

Clean up with OTMoveIt2:
  • Double-click OTMoveIt2.exe to start the program.
  • Close all other programs apart from OTMoveIt2 as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Re-hide hidden/system files and folders:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Do not show hidden files and folders
CHECK the Hide extensions for known file types option
CHECK the Hide protected operating system files (recommended) option
Press OK

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Once complete, tell me if you had any problems with the instructions and how your computer is running.

Edited by silver, 01 June 2008 - 04:21 AM.

ASAP & UNITE Member
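Silver's verdict that the log "looks good" comes from reading the O4 (autostart) and O23 (service) lines and checking where each image lives and who publishes it. The Python below is an added example written for this page, not HijackThis code and not something the helper posted; it parses those two line types out of a constructed sample (all lines copied from the log above, plus one constructed O4 entry with a placeholder path so the rule has something to flag) and marks entries that run from a user-profile or temporary directory, or belong to a service with "Unknown owner", as needing a manual look. The path classes and markers are the example's own assumptions, a starting triage rule rather than a verdict.

```python
import re

# Constructed sample: every line but the 'example_constructed' one is copied
# from the HijackThis log posted in this thread; that one line is constructed
# with a placeholder path so the triage rule has something to flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [example_constructed] C:\Documents and Settings\Willie\Local Settings\Temp\placeholder.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

O4_LINE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.*)$")
O4_BRACKET = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")      # Run-key entries
O4_STARTUP = re.compile(r"^(?P<name>.+?) = (?P<cmd>.*)$")           # Startup-folder .lnk entries
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed classification rules (the example's own, not HijackThis's).
SYSTEM_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "%systemroot%\\")
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\", "\\temp\\",
                        "temporary internet files")
EXEC_EXTS = (".exe", ".dll", ".ocm", ".com", ".scr", ".cpl", ".bat")


def image_path(cmd):
    """Pull the file an O4 entry actually runs out of its command line."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):                      # quoted path: take it verbatim
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    if tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        # rundll32 is only the host; the DLL it loads is what needs review
        return image_path(" ".join(tokens[1:])).split(",")[0]
    for i in range(len(tokens)):                 # unquoted path containing spaces
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXEC_EXTS):
            return candidate
    return tokens[0]


def classify_path(path):
    p = path.lower()
    if any(marker in p for marker in USER_PROFILE_MARKERS):
        return "user_profile"          # profile/temp dirs: unusual for a legitimate autostart
    if "\\" not in p:
        return "bare_name"             # resolved via the search path; location must be checked by hand
    if p.startswith(SYSTEM_PREFIXES):
        return "system_dir"
    return "other"


def parse_entries(text):
    """Extract O4 autostart and O23 service entries; other line types are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_LINE.match(line)
        if m:
            inner = O4_BRACKET.match(m["rest"]) or O4_STARTUP.match(m["rest"])
            if inner:
                entries.append({"type": "O4", "location": m["loc"], "name": inner["name"],
                                "owner": None, "path": image_path(inner["cmd"])})
            continue
        m = O23_LINE.match(line)
        if m:
            entries.append({"type": "O23", "location": "service", "name": m["name"],
                            "owner": m["owner"], "path": m["path"].strip()})
    return entries


def triage(text):
    """Annotate every entry with a path class and the review flags it earns."""
    findings = []
    for entry in parse_entries(text):
        entry["class"] = classify_path(entry["path"])
        flags = []
        if entry["class"] == "user_profile":
            flags.append("user_profile_path")
        if entry["owner"] == "Unknown owner":
            flags.append("unknown_owner")
        entry["flags"] = flags
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["flags"]:
            print(f["type"], f["name"], f["path"], f["flags"])
```

On the sample only the constructed entry and the "ATI Smart" service are flagged, matching the reading in the thread: "Unknown owner" on a service is a prompt to verify the file's publisher, not a finding in itself, and the rest of the autostarts resolve to vendor directories under Program Files or Windows.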

#15 imahappychicken

imahappychicken

    Authentic Member

  • Authentic Member
  • 22 posts

Posted 01 June 2008 - 03:51 PM

Everything seems to be okay, the freezing thing doesn't seem to be happening at the moment, and all the instructions were cut and dried and easy to do. I guess all there is now is to wait and see if anything else pops up. Thanks so much for all your help, I couldn't have done anything without y'all. I'll keep you posted in case something else comes up. Thanks so much, ~Justin
P.S. When/Can I get rid of those programs like the erunt and sfp?
