Hello, I have a big problem with a virus/trojan/spyware thing. I'm not sure what this one is classified as, but I cannot remove it. I use Pest Patrol, Ad-Aware and Spybot. Only Pest Patrol finds it, and I guess it doesn't do anything about it either, because it shows up on every scan.
The Pest Patrol name is "Bifrost", with nothing else. The location is only in the System32 folder and goes by the name of explorer..exe. When I go into the folder I can't see it, and I have hidden files enabled. I manually found it in the registry too:
HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/Run/"startkey"-explorer..exe
HKCU/SAME
Also, there was one more location which I manually found, but I can't remember it. I also tried Hijack This; it finds it, but again it cannot delete it. Please help me remove this crap thing from my PC.

Please post your Hijack This log.
Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

First is the SmitfraudFix text log:
SmitFraudFix v2.137
Scan done at 18:11:41.70, Wed 01/31/2007
Run from C:\Documents and Settings\Valentin Pavlov\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User Name
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User Name\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Here is the HIJACK THIS log:
Logfile of HijackThis v1.99.1
Scan saved at 6:14:32 PM, on 1/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User Name\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - \\Bimbo\f\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: (no name) - {8C053D33-8CF1-8E22-D913-8B1D876640CA} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [QuickTime Plugin Install] C:\Program Files\QuickTime\Plugins\DeleteMe1.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe -MINI
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - Startup: Vista sidebar.lnk = C:\Documents and Settings\User Name\Desktop\sidebar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_10) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O18 - Protocol hijack: mhtml -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/
We will need it later in safe mode.
Download and install AVG Anti-Spyware. We will need this later in safe mode.
Be sure to update AVG Anti-Spyware.
Download Killbox to your desktop from this link: Killbox by Option^Explicit. If you already have "Killbox", update to this newer version. We will need it later in safe mode.
Temporarily disable any of the following anti-spyware realtime protection programs that you may have, or the fix will not work: Disable Realtime Protection
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8C053D33-8CF1-8E22-D913-8B1D876640CA} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_10) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O18 - Protocol hijack: mhtml -
Exit Hijack This but remain in safe mode.
Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\explorer..exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!). If your computer does not restart automatically, please restart it manually.
Reboot into safe mode again.
Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Post the AVG-AntiSpyware log and a new Hijack This log.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the combofix.txt log.
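The two `startkey` entries singled out above can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread and not HijackThis's own logic: it parses O4 Run lines (a constructed sample copied from the log posted earlier in this thread) and flags images whose name or folder imitates a Windows system binary. The `EXPECTED_DIR` table and the three heuristics are assumptions chosen for the Windows XP layout visible in the log's process list.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a handful of O4 lines copied from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - Startup: Vista sidebar.lnk = C:\Documents and Settings\User Name\Desktop\sidebar.exe
"""

# Assumption: normal home folder of each binary on Windows XP
# (matches the "Running processes" section of the posted log).
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
}

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Unquoted commands may contain spaces; stop at the first executable extension.
IMAGE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)", re.IGNORECASE)


def image_path(command):
    """Return the executable part of a Run value, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = IMAGE.match(command)
    return match.group(1) if match else command.split()[0]


def parse_o4(log):
    """Extract registry Run entries (HKLM/HKCU) from HijackThis O4 lines."""
    entries = []
    for line in log.splitlines():
        match = O4_RUN.match(line.strip())
        if match:
            hive, key, name, command = match.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "image": image_path(command)})
    return entries


def canonical_name(image):
    """Lower-case file name with runs of dots collapsed and trailing dots/spaces removed."""
    base = ntpath.basename(image).lower()
    return re.sub(r"\.{2,}", ".", base).rstrip(". ")


def triage(log):
    """Return (hive, value name, image, reasons) for entries worth a closer look."""
    entries = parse_o4(log)
    hives = defaultdict(set)
    for e in entries:
        hives[(e["name"].lower(), e["image"].lower())].add(e["hive"])

    findings = []
    for e in entries:
        reasons = []
        base = ntpath.basename(e["image"]).lower()
        canon = canonical_name(e["image"])
        folder = ntpath.dirname(e["image"]).lower()
        # Heuristic 1: file name is a near-copy of another name (explorer..exe).
        if canon != base:
            reasons.append("name differs from '%s' only by extra dots/spaces" % canon)
        # Heuristic 2: a system binary name outside its normal folder.
        if canon in EXPECTED_DIR and folder and folder != EXPECTED_DIR[canon]:
            reasons.append("'%s' belongs in %s, not %s"
                           % (canon, EXPECTED_DIR[canon], folder))
        # Heuristic 3: identical value registered under both Run keys.
        if len(hives[(e["name"].lower(), e["image"].lower())]) > 1:
            reasons.append("same value present in both HKLM and HKCU Run keys")
        if reasons:
            findings.append((e["hive"], e["name"], e["image"], reasons))
    return findings


if __name__ == "__main__":
    for hive, name, image, reasons in triage(SAMPLE_LOG):
        print("%s Run [%s] %s" % (hive, name, image))
        for reason in reasons:
            print("    - " + reason)
```

Entries launched by bare name (for example `RUNDLL32.exe`) carry no folder, so the location check is skipped for them rather than guessed.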

Alright, thx a lot for the help, I will do all of that and post another message tomorrow or the next day. Sorry for the double post, I don't know what happened and for some reason I couldn't delete it.

jabuck, how come you didn't recommend Windows Defender for spyware detection? I notice a lot of people don't use it; I was trying to find a good reason why it's not used more often. It's not great, but none of them are. I know that obscure products like AVG, AVAST, and FPROT are good at disinfecting a machine once it's compromised, because any well-written spyware/virus is going to kill Norton and Trend before you can do anything to get it off. Avast has a really cool feature of providing a boot disk to boot off of with the last signatures, and to scan the drive without Windows loaded the problem, and Avast also has a feature where it will ask you to reboot and scan the hard drive from the screen hardware detection phase of booting an NT machine, 2000 or XP. It looks cool seeing a non-M$ app really using the capabilities of the OS.
Stupidest People Alive can be found here.

Well, all of the above products mentioned are bad. In my case Win Defender and FPROT found nothing wrong. Avast! found it but it did nothing, and I'm talking about a boot time scan. Anyway, I am almost done with the um cleaning up.
BTW, could you help me remove a couple of installed programs? I removed them but they keep popping up. These are SpeeditupEX, Diskeeper, and Daemon Tools.

Let's get the spyware/viri cleaned up, then we will look at your other problems. Be sure to post the combofix log after you post the AVG-AntiSpyware log.

Alright, I spent a night scanning with Spybot, Ad-Aware, Pest Patrol, Ez Trust AV, AVG, and Rootkit Revealer, just to see if it finds anything. Ad-Aware only found tracking cookies, Spybot found Recently Opened Lists, Ez Trust did not find anything, AVG found a back door (I'll post it below), RootkitRevealer found some rootkits in ComboFix, also found some embedded nulls and other stuff (I'll post it below), and Pest Patrol found yours truly, Bifrost!!! That thing is still not removed. I have no clue why it's still here, but it is. It found it in the registry as HKEY_Current_user-software-microsoft-windows-current version-run-"startkey". It again points to C:windows\system32\explorer..exe.
Here are the logs:
RootkitRevealer Log:
HKU\.DEFAULT\Control Panel\international_combofixbackup 2/1/2007 5:15 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\international_combofixbackup\Geo 2/1/2007 5:15 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2888137882-3485517607-2614902147-1006\Control Panel\international_combofixbackup 2/1/2007 5:15 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2888137882-3485517607-2614902147-1006\Control Panel\international_combofixbackup\Geo 2/1/2007 5:15 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2888137882-3485517607-2614902147-1006\Software\Microsoft\command processor_combofixbackup 2/1/2007 5:15 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\international_combofixbackup 2/1/2007 5:15 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\international_combofixbackup\Geo 2/1/2007 5:15 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 11/15/2001 8:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/15/2001 8:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg 1/18/2007 6:46 PM 0 bytes Access is denied.
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 2:28:53 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Documents and Settings\User Name\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:[no address given]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {8C053D33-8CF1-8E22-D913-8B1D876640CA} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Plugin Install] C:\Program Files\QuickTime\Plugins\DeleteMe1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe -MINI
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - Startup: Vista sidebar.lnk = C:\Documents and Settings\User Name\Desktop\sidebar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PQZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\PQZ.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
AVG LOG:
AVG Anti-Spyware - Scan Report
+ Created at: 12:51:03 PM 2/4/2007
+ Scan result:
F:\Downloads\Game\Game\Game -> Backdoor.Hupigon.kg : Cleaned with backup (quarantined).
::Report end
Also, I found something else: when I click on my clock and then time zones, I only have a patch of green and not that many time zones. Could it be that it's virus-stricken too?

Please download SDFix by AndyManchesta and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.
Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Here's the SDFix log, and the new HijackThis log:
SDFIX:
SDFix: Version 1.63
Sun 02/04/2007 - 16:08:37.82
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Path:
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found..
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Sierra\\Empire Earth - The Art of Conquest\\EE-AOC.exe"="C:\\Sierra\\Empire Earth - The Art of Conquest\\EE-AOC.exe:*:Enabled:EE-AOC"
"C:\\Program Files\\MSN Gaming Zone\\zclient.exe"="C:\\Program Files\\MSN Gaming Zone\\zclient.exe:*:Enabled:Zone Datafile"
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"="C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"="C:\\Sierra\\Empire Earth\\Empire Earth.exe:*:Enabled:Empire Earth"
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"="C:\\WINDOWS\\SYSTEM32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Fox\\No One Lives Forever\\lithtech.exe"="C:\\Program Files\\Fox\\No One Lives Forever\\lithtech.exe:*:Enabled:Client"
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"="C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\grouper\\Grouper.exe"="C:\\Program Files\\grouper\\Grouper.exe:*:Enabled:Grouper"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\trlrm\\RMHSvc.exe"="C:\\WINDOWS\\trlrm\\RMHSvc.exe:*:Enabled:RMHSvc.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\trlrm\\RMHSvc.exe"="C:\\WINDOWS\\trlrm\\RMHSvc.exe:*:Enabled:RMHSvc.exe"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\DVDMPEG2Enc.dll
C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\NeASL.dll
C:\WINDOWS\SYSTEM32\dcab6_s.dll
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Picasa2\setup.exe
C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\movie_maker.exe
C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Road Runner PhotoShow Deluxe.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\SYSTEM32\PackethSvc.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\LocalService\NTUSER.DAT.tmp.LOG
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.tmp.LOG
C:\Documents and Settings\NetworkService\NTUSER.DAT.tmp.LOG
C:\Documents and Settings\Valentin Pavlov\ntuser.dat.tmp.LOG
C:\Documents and Settings\Valentin Pavlov\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG
Finished
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 5:03:20 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\{C0FF380A-B6AB-4B89-B529-96F2E4283C32}\sidebar.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User Name\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:[no address given]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {8C053D33-8CF1-8E22-D913-8B1D876640CA} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Plugin Install] C:\Program Files\QuickTime\Plugins\DeleteMe1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe -MINI
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - Startup: Vista sidebar.lnk = C:\Documents and Settings\User Name\Desktop\sidebar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PQZ - Unknown owner - C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\PQZ.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

OK, SDFix is missing it for some reason, so let's try it manually again but a little differently.
Go offline and boot into safemode.
Turn off your antivirus, disable teatimer, windows defender and SpyEraser. If spysweeper is still installed, uninstall it please.
Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Run Hijack This and remove these items:
O2 - BHO: (no name) - {8C053D33-8CF1-8E22-D913-8B1D876640CA} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
Exit Hijack This but remain in safe mode.
Navigate to and delete this file:
C:\WINDOWS\system32\explorer..exe
Reboot the computer, your antivirus should restart automatically but leave the antispyware programs off for now. Post a new Hijack this log please.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the combofix.txt log.
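As an added illustration (not part of the original thread, and not HijackThis's own logic), the script below parses O4 autostart lines like those in the log above and flags the traits that make the `startkey` entry stand out: a doubled dot before the extension, a system binary name outside its usual folder, and the same value present in both HKLM and HKCU. The `SYSTEM_HOME` table and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict, namedtuple
from ntpath import basename, dirname  # Windows path rules on any OS

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
"""

# Assumption for this example: usual folder of a few Windows XP binaries.
SYSTEM_HOME = {
    "explorer.exe": r"c:\windows",
    "ctfmon.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Shortest prefix of an unquoted command that ends in a program extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)", re.I)

Entry = namedtuple("Entry", "hive key value image")
Hit = namedtuple("Hit", "hive value image reasons")


def image_path(command):
    """Return the program part of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = EXE_RE.match(command)
    return match.group(1) if match else command.split()[0]


def parse_o4(log_text):
    """Extract registry autostart entries from HijackThis O4 lines."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, value, command = m.groups()
            entries.append(Entry(hive, key, value, image_path(command)))
    return entries


def flag_run_entries(log_text):
    """Return a Hit for every autostart entry that looks like a masquerade."""
    entries = parse_o4(log_text)
    hives = defaultdict(set)
    for e in entries:
        hives[(e.value.lower(), e.image.lower())].add(e.hive)

    hits = []
    for e in entries:
        name = basename(e.image).lower()
        folder = dirname(e.image).lower()
        reasons = []
        # "explorer..exe": the stem itself ends in a dot.
        if name.rpartition(".")[0].endswith("."):
            reasons.append("double-dot-extension")
        # Collapse dot runs, then compare against the binary's usual folder.
        expected = SYSTEM_HOME.get(re.sub(r"\.{2,}", ".", name))
        if expected and folder and folder != expected:
            reasons.append("system-name-outside-usual-folder")
        # Corroboration only: legitimate software may also register twice.
        if reasons and len(hives[(e.value.lower(), e.image.lower())]) > 1:
            reasons.append("same-value-in-hklm-and-hkcu")
        if reasons:
            hits.append(Hit(e.hive, e.value, e.image, reasons))
    return hits


if __name__ == "__main__":
    for hit in flag_run_entries(SAMPLE_LOG):
        print(f"{hit.hive} [{hit.value}] {hit.image}: {', '.join(hit.reasons)}")
```
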

Alright, here's the ComboFix log. Partial User Name is my main user name, and it is not the whole name but a partial one. Partial User Name 2 is the other user name.
::::::::::::::::::::::::::::::::::::::::::::::::
"User Name" - 07-02-11 16:33:21 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\User Name\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\INSTALL.LOG
C:\INSTALL.LOG
C:\WINDOWS\Downloaded Program Files\Quarantine
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\SYSTEM32\ASKS~1
((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))
2007-02-11 14:00 <DIR> d-------- C:\mtaserver-win32-v1.1.1
2007-02-10 15:34 14 --a------ C:\WINDOWS\SYSTEM32\getfile.dat
2007-02-05 17:12 <DIR> d-------- C:\Program Files\Common Files\SystemRequirementsLab
2007-02-05 17:12 <DIR> d-------- C:\DOCUME~1\Partial User Name~1\Application Data\System Requirements Lab
2007-02-04 15:37 <DIR> d-------- C:\SAV32CLI
2007-02-04 15:32 <DIR> d-------- C:\SDFix
2007-02-03 22:43 <DIR> d-------- C:\Program Files\Microsoft Small Business
2007-02-03 22:38 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-02-03 22:33 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-02-02 17:29 <DIR> d-------- C:\DOCUME~1\VALENT~1\Application Data\Leadertech
2007-02-02 17:22 <DIR> d-------- C:\BoostXP
2007-02-01 23:52 <DIR> d-------- C:\Program Files\RareFind
2007-02-01 21:36 <DIR> d-------- C:\DOCUME~1\VALENT~1\Application Data\Individual Software
2007-02-01 21:28 92,208 --a------ C:\WINDOWS\SYSTEM\wing.dll
2007-02-01 21:28 26,112 --a------ C:\WINDOWS\SYSTEM\Wavmix16.dll
2007-02-01 21:28 26,112 --a------ C:\WINDOWS\SYSTEM\Wavemix.dll
2007-02-01 21:28 188,960 --a------ C:\WINDOWS\SYSTEM\wingde.dll
2007-02-01 21:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Individual Software
2007-02-01 21:27 <DIR> d-------- C:\Program Files\Common Files\Individual Software
2007-01-31 22:59 <DIR> d-------- C:\!KillBox
2007-01-31 22:55 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-31 22:55 <DIR> d-------- C:\Program Files\Grisoft
2007-01-31 18:11 4,568 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-01-31 18:10 79,360 --a------ C:\WINDOWS\SYSTEM32\swxcacls.exe
2007-01-31 18:10 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-01-31 18:10 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-01-31 18:10 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe
2007-01-31 18:10 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-01-31 18:10 135,168 --a------ C:\WINDOWS\SYSTEM32\swreg.exe
2007-01-31 16:45 <DIR> d-------- C:\Program Files\MSBuild
2007-01-31 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2007-01-31 16:38 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-01-31 16:36 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2007-01-27 01:22 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-01-25 16:13 <DIR> d-------- C:\DOCUME~1\Partial User Name~1\Application Data\Xfire
2007-01-24 21:24 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-01-24 20:51 <DIR> d-------- C:\Program Files\Thoosje's Sidebar
2007-01-24 14:44 7,287,808 --a------ C:\WINDOWS\SYSTEM32\vistaui.exe
2007-01-24 14:44 414,223 --a------ C:\WINDOWS\SYSTEM32\vimc.exe
2007-01-24 14:44 <DIR> d-------- C:\Program Files\VisualTooltip
2007-01-24 14:44 <DIR> d-------- C:\Program Files\Vista Sidebar
2007-01-24 14:44 <DIR> d-------- C:\Program Files\LClock
2007-01-24 14:44 <DIR> d-------- C:\Program Files\Blaero Start Orb
2007-01-24 14:44 <DIR> d-------- C:\DOCUME~1\Partial User Name~1\Application Data\Stardock
2007-01-24 14:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\VITrans
2007-01-24 14:37 8,636 --a------ C:\WINDOWS\SYSTEM32\modifype.exe
2007-01-24 14:37 69,632 --a------ C:\WINDOWS\SYSTEM32\moveex.exe
2007-01-24 14:37 19,968 --a------ C:\WINDOWS\SYSTEM32\reico.exe
2007-01-24 14:37 111,104 --a------ C:\WINDOWS\SYSTEM32\Uharc.exe
2007-01-24 13:20 81,920 --a------ C:\WINDOWS\SYSTEM32\closeapp.exe
2007-01-24 13:20 <DIR> d-------- C:\VTPFiles
2007-01-23 17:58 <DIR> d-------- C:\Program Files\Lavalys
2007-01-23 17:39 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-01-23 16:06 <DIR> d-------- C:\WINDOWS\.file_store_32
2007-01-21 21:34 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-21 21:04 <DIR> d-------- C:\DOCUME~1\Partial User Name~1\Application Data\dvdcss
2007-01-20 19:05 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-20 19:05 <DIR> d-------- C:\Fraps
2007-01-20 15:31 <DIR> d-------- C:\Program Files\Electronic Arts
2007-01-19 20:37 <DIR> d-------- C:\NFSMWDemo
2007-01-18 19:48 <DIR> d-------- C:\DOCUME~1\Partial User Name 2~1\Application Data\Teleca
2007-01-18 18:45 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-01-17 19:07 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-01-17 19:07 <DIR> d-------- C:\DOCUME~1\VALENT~1\SecurityScans
2007-01-16 18:37 <DIR> d-------- C:\Program Files\Easy SpyRemover
2007-01-15 23:50 <DIR> d-------- C:\DOCUME~1\Partial User Name2~1\Application Data\vlc
2007-01-15 22:29 <DIR> d-------- C:\DOCUME~1\Partial User Name2~1\Application Data\Xfire
2007-01-15 22:15 <DIR> d-------- C:\DOCUME~1\Partial User Name2~1\Application Data\TrojanHunter
2007-01-15 22:08 <DIR> d-------- C:\DOCUME~1\Partial User Name 2~1\Application Data\ESTsoft
2007-01-15 18:33 5 --ahs---- C:\WINDOWS\SYSTEM32\dcab6_s.dll
2007-01-15 18:33 <DIR> d-------- C:\Program Files\jv16 PowerTools 2006
2007-01-15 16:27 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-01-15 13:15 2,419,200 --a------ C:\WINDOWS\SYSTEM32\PhotoExplorer2.scr
2007-01-15 13:15 <DIR> d-------- C:\Program Files\Systweak BoostXP2
2007-01-15 12:43 <DIR> d-------- C:\DOCUME~1\Partial User Name~1\Application Data\Systweak
2007-01-14 19:09 36 -r-h----- C:\WINDOWS\sued.dat
2007-01-14 18:04 <DIR> d-------- C:\DOCUME~1\Partial User Name~1\Application Data\Teleca
2007-01-13 19:43 <DIR> d-------- C:\DOCUME~1\Partial User Name~1\Application Data\Creative
2007-01-13 19:30 24 --a------ C:\WINDOWS\SYSTEM32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80221102}.dat
2007-01-13 19:30 24 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000001-00001102-00000002-80221102}.dat
2007-01-13 19:27 69,632 --a------ C:\WINDOWS\SYSTEM32\KemXML.dll
2007-01-13 19:27 3,712 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\LBeepKE.sys
2007-01-13 19:27 155,648 --a------ C:\WINDOWS\SYSTEM32\kemutb.dll
2007-01-13 19:27 131,072 --a------ C:\WINDOWS\SYSTEM32\KemUtil.dll
2007-01-13 19:27 110,592 --a------ C:\WINDOWS\SYSTEM32\KemWnd.dll
2007-01-13 19:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Creative
2007-01-13 19:23 <DIR> d-------- C:\Media
2007-01-13 19:11 <DIR> d--h----- C:\DOCUME~1\Partial User Name 2~1\Application Data\Gtek
2007-01-13 19:11 <DIR> d-------- C:\Program Files\Dell Support
2007-01-13 19:11 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Gtek
2007-01-13 19:11 <DIR> d-------- C:\DOCUME~1\Guest\Application Data\Gtek
2007-01-13 19:11 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Gtek
2007-01-13 19:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Gtek
2007-01-13 18:14 77,824 --a------ C:\WINDOWS\SYSTEM32\EAXAC3.DLL
2007-01-13 18:14 61,440 --a------ C:\WINDOWS\MIDIDEF.exe
2007-01-13 18:14 49,152 --a------ C:\WINDOWS\SYSTEM32\KILLAPPS.exe
2007-01-13 18:14 36,864 --a------ C:\WINDOWS\SYSTEM32\sfman32.dll
2007-01-13 18:14 36,864 --a------ C:\WINDOWS\SYSTEM32\REGPLIB.exe
2007-01-13 17:47 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2007-01-13 12:02 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2007-01-13 11:51 60,416 --------- C:\WINDOWS\SYSTEM32\tzchange.exe
2007-01-13 11:50 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2007-01-13 11:50 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2007-01-13 11:50 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2007-01-13 11:48 <DIR> d-------- C:\WINDOWS\network diagnostic
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-02-11 16:28 -------- d-------- C:\Program Files\mozilla firefox
2007-02-11 14:53 -------- d-------- C:\DOCUME~1\Partial User Name~1\Application Data\skype
2007-02-10 00:00 -------- d-------- C:\Program Files\speedfan
2007-02-07 20:26 8911 --a------ C:\WINDOWS\mozver.dat
2007-02-02 17:36 -------- d-------- C:\Program Files\google
2007-02-02 17:30 -------- d-------- C:\Program Files\dell computer
2007-02-02 17:28 -------- d--h----- C:\Program Files\installshield installation information
2007-02-02 17:28 -------- d-------- C:\Program Files\ea games
2007-01-25 20:07 21840 --a----t- C:\WINDOWS\SYSTEM32\sintfnt.dll
2007-01-25 20:07 17212 --a----t- C:\WINDOWS\SYSTEM32\sintf32.dll
2007-01-25 20:07 12067 --a----t- C:\WINDOWS\SYSTEM32\sintf16.dll
2007-01-21 19:22 -------- d-------- C:\Program Files\picasa2
2007-01-21 19:18 -------- d-------- C:\DOCUME~1\Partial User Name~1\Application Data\adobe
2007-01-21 19:17 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-21 17:42 -------- d-------- C:\Program Files\pc wizard 2006
2007-01-18 18:41 639224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
2007-01-15 19:00 -------- d-------- C:\Program Files\microsoft antispyware
2007-01-15 12:21 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-14 17:49 -------- d-------- C:\DOCUME~1\Partial User Name~1\Application Data\talkback
2007-01-13 23:11 -------- d---s---- C:\DOCUME~1\Partial User Name~1\Application Data\microsoft
2007-01-13 23:06 -------- d-------- C:\Program Files\logitech
2007-01-13 23:05 -------- d-------- C:\Program Files\intel
2007-01-13 19:26 -------- d-------- C:\Program Files\Common Files\logitech
2007-01-13 19:24 -------- d-------- C:\Program Files\creative
2007-01-13 19:11 262144 --a------ C:\ntuser.dat
2007-01-10 19:55 16224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hamachi.sys
2006-12-28 14:59 -------- d-------- C:\Program Files\windows media connect 2
2006-12-27 14:37 2048 --a------ C:\WINDOWS\SYSTEM32\tr_sttool.dat
2006-12-24 22:53 -------- d-------- C:\Program Files\imtoo
2006-12-24 16:22 -------- d-------- C:\Program Files\sony ericsson
2006-12-24 16:22 -------- d-------- C:\Program Files\Common Files\teleca shared
2006-12-24 16:18 -------- d-------- C:\Program Files\disc2phone
2006-12-21 17:29 -------- d-------- C:\Program Files\java
2006-12-21 12:36 356352 --a------ C:\WINDOWS\SYSTEM32\nvuninst.exe
2006-12-21 12:36 356352 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2006-12-21 08:36 40960 --a------ C:\WINDOWS\SYSTEM32\frapsvid.dll
2006-12-13 23:16 -------- dr------- C:\Program Files\sony dsc-200
2006-11-13 05:20 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2006-11-13 01:02 1866240 --a------ C:\WINDOWS\SYSTEM32\mstscax.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"WINDVDPatch"="CTHELPER.EXE"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"LClock"="C:\\Program Files\\LClock\\LClock.exe"
"Vista Sidebar"="C:\\Program Files\\Vista Sidebar\\sidebar.exe"
"VisualTooltip"="C:\\Program Files\\VisualTooltip\\VisualToolTip.exe"
"Blaero Start Orb"="C:\\Program Files\\Blaero Start Orb\\Blaero Start Orb.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.exe"
"QOELOADER"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust Anti-Spam\\QSP-2.1.215.5\\QOELoader.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\setup]
" IEradicator 2001"=""
" © 1999-2003 LitePC Technologies"=""
" http://www.LitePC.com"=""
" ___________________________"=""
" "=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="F:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoCDBurning"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-11 16:42:32

Here's the Hijack This log below. Um, I have a question about my firewall. I have the eTrust firewall; is it a good one? And are 69975 intrusions with 495 high rated a lot?
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Logfile of HijackThis v1.99.1
Scan saved at 10:19:46 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User Name\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ip2state.com/map.asp?s=i...
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Vista sidebar.lnk = C:\Documents and Settings\User Name\Desktop\sidebar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PQZ - Unknown owner - C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\PQZ.exe (file missing)
O23 - Service: Streamload Service (StreamloadService) - Streamload - F:\Program Files\Streamload\AMD LIVE! Media Vault\StreamloadService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I use ZoneAlarm Free for my firewall, and have not heard any complaints about eTrust.
You should uninstall this rogue spyware program "easyspyware remover" then navigate to and delete this folder:
C:\Program Files\Easy SpyRemover
Run Hijack This and remove these items:
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
Exit Hijack This.
Your Java is out of date and may be how you got infected. Download the latest version of http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools. Just do a Google search for Spywareblaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
Post a new Hijack This log please.

Here's the new HijackThis log:
:::::::::::::::::::::::::::::::::::::::::::::::::::::::
Logfile of HijackThis v1.99.1
Scan saved at 6:06:33 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User Name\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Vista sidebar.lnk = C:\Documents and Settings\User Name\Desktop\sidebar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - F:\Program Files\Streamload\AMD LIVE! Media Vault\StreamloadService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
I saw a couple of things on the log myself which I would like to remove, but I'll leave that until the system is cleaned up.

Also, in one of your posts you said to remove explorer..exe from the System32 folder, but again it wasn't there, even with all the options enabled.

I believe SDFix removed explorer..exe and we just did not clean it out of the registry Run folder, so it was still showing up.
The new log is clean. Is the computer running OK now, or have any scans detected Bifrost?
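The leftover Run value discussed in this thread can be picked out of a HijackThis log mechanically. The Python below is an added example, not code from the thread or from HijackThis: it parses O4 autostart lines and flags file names that imitate a Windows binary (such as `explorer..exe`), known binaries in the wrong folder, and the same value registered in both HKLM and HKCU. The function names and the short `SYSTEM_BINARIES` allow-list are assumptions; the sample lines are copied from entries quoted in this thread.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any host OS

# Sample O4 lines in HijackThis v1.99.1 format, copied from entries in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
"""

# Assumption: a small allow-list of Windows XP binaries and their normal folder.
SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "ctfmon.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Quoted path, or the shortest unquoted prefix ending in an executable extension.
EXE_PATH = re.compile(
    r'"([^"]+)"|(.+?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,]|$)', re.IGNORECASE
)


def parse_o4(log_text):
    """Return one dict per registry autostart (O4 Run/RunOnce) line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        exe = EXE_PATH.match(m["cmd"])
        path = (exe.group(1) or exe.group(2)) if exe else m["cmd"]
        entries.append({"hive": m["hive"], "name": m["name"], "path": path})
    return entries


def audit(log_text):
    """Flag autostart entries that deserve a manual look."""
    entries = parse_o4(log_text)

    # Which hives carry the same value name pointing at the same file?
    hives = defaultdict(set)
    for e in entries:
        hives[(e["name"].lower(), e["path"].lower())].add(e["hive"])

    findings = []
    for e in entries:
        fname = basename(e["path"]).lower()
        folder = dirname(e["path"]).lower()
        reasons = []

        # "explorer..exe" collapses to "explorer.exe" once repeated dots and
        # spaces are removed, but is not itself a known binary name.
        canonical = re.sub(r"\.{2,}", ".", fname).replace(" ", "")
        if fname not in SYSTEM_BINARIES and canonical in SYSTEM_BINARIES:
            reasons.append(f"file name imitates {canonical}")

        # A real system binary name started from somewhere unexpected.
        expected = SYSTEM_BINARIES.get(fname)
        if expected and folder and folder != expected:
            reasons.append(f"{fname} outside {expected}")

        # Heuristic: the same value in both machine and user Run keys.
        seen_in = hives[(e["name"].lower(), e["path"].lower())]
        if len(seen_in) > 1:
            reasons.append("same value registered under " + " and ".join(sorted(seen_in)))

        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f'{f["hive"]} [{f["name"]}] {f["path"]}: ' + "; ".join(f["reasons"]))
```

A flagged value still has to be deleted from the registry even when the file it points to is already gone, which is the situation the reply above describes.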

I have not yet run Pest Patrol because my PC has been a bit noisy lately, so for this reason I turn it off at night, but I will probably do the scan tomorrow night. I think I am clean though, because I checked out Spybot's startup objects and I did not see explorer or any BHOs, but I will do another scan.

Alright, I have run Pest Patrol every night, each time restarting my PC, and each time it was clean, until now that is. Bifrost was once again detected. I have no clue how or why it's still there, but it is. Here's a link to the Pest Patrol Bifrost thing; I'm pretty sure I have Bifrost-A: http://www3.ca.com/securityadvisor/...
Here's a fresh Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 1:33:56 AM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User Name\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pestpatrol.com/pestinfo/...
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {8C053D33-8CF1-8E22-D913-8B1D876640CA} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [CacheBoost] F:\Program Files\CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Plugin Install] C:\Program Files\QuickTime\Plugins\DeleteMe1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe -MINI
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Systweak India - F:\Program Files\CacheBoost\cbsrv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Please download Comboscan from this link:
Close all applications and windows.
Double-click on comboscan.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - ComboScan.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
Please attach Supplementary.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
Please download and run Catchme from this link http://www.gmer.net/catchme.php then post the results of the scan.

Alright, I have the results. Catchme found absolutely nothing; the only rootkit detection that found anything was Rootkit Revealer. I'll post the results below just in case they are needed. I'm not sure where the HijackThis Log Help Forum is, so I'll post everything below:
RootKit Revealer Scan:
HKU\.DEFAULT\Control Panel\International 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2888137882-3485517607-2614902147-1006\Control Panel\International 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2888137882-3485517607-2614902147-1006\Control Panel\International\Geo 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2888137882-3485517607-2614902147-1006\Software\Microsoft\Command Processor 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 11/15/2001 8:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/15/2001 8:45 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 2/11/2007 4:42 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 2/18/2007 1:13 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 2/18/2007 1:13 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg 1/18/2007 6:46 PM 0 bytes Access is denied.
ComboScan:
ComboScan v20070212.14 run by User Name on 2007-02-18 at 12:54:19
Computer is in Normal Mode.
----------------------
System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.
-- HijackThis log (run as User Name.----------
Logfile of HijackThis v1.99.1
Scan saved at 12:54:50 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User Name\Desktop\comboscan.exe
C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\~dvyygin.tmp\User Name.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:chris.winkelman@case.edu
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {8C053D33-8CF1-8E22-D913-8B1D876640CA} - (no file)
O2 - BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)
O2 - BHO: (no name) - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [CacheBoost] F:\Program Files\CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Plugin Install] C:\Program Files\QuickTime\Plugins\DeleteMe1.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe -MINI
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Systweak India - F:\Program Files\CacheBoost\cbsrv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
-- HijackThis Fixed Entries (C:\Documents and Settings\User Name\Desktop\---
backup-20070211-155303-139 O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
backup-20070211-155303-206 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ip2location.com/
backup-20070211-155303-235 O4 - HKLM\..\Run: [QuickTime Plugin Install] C:\Program Files\QuickTime\Plugins\DeleteMe1.exe
backup-20070211-155303-338 O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
backup-20070211-155303-383 O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe -MINI
backup-20070211-155303-429 O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
backup-20070211-155303-624 O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
backup-20070211-155303-755 O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
backup-20070211-155303-840 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20070211-155303-872 O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
backup-20070211-155303-953 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20070212-175509-735 O16 - DPF: Yahoo! Pool 2 -
backup-20070212-175511-974 O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} -
backup-20070212-175512-208 O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
backup-20070212-175513-346 O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
backup-20070212-175514-269 O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
backup-20070212-175514-492 O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) -
backup-20070212-175515-258 O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
backup-20070212-175516-194 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
backup-20070212-175516-768 O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
backup-20070212-175516-964 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
backup-20070212-175517-171 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
backup-20070212-175517-335 O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
backup-20070212-175518-728 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
backup-20070212-175518-753 O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} -
backup-20070212-175518-901 O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
backup-20070212-175519-483 O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -
backup-20070212-175519-485 O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
backup-20070212-175519-973 O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} -
backup-20070212-175520-585 O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
backup-20070212-175520-911 O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
backup-20070212-175521-780 O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} -
backup-20070212-180228-425 O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20070212-180229-822 O23 - Service: PQZ - Unknown owner - C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\PQZ.exe (file missing)
backup-20070218-013738-409 O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
-- File Associat-------
.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.exe %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.exe %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - "c:\program files\uniblue\spyeraser\spyeraser.exe" "%1" .reg
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.exe %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------
4 abp480n5 - \SystemRoot\System32\DRIVERS\ABP480N5.SYS
4 adpu160m - \SystemRoot\System32\DRIVERS\adpu160m.sys
4 agpCPQ (Compaq AGP Bus Filter) - \SystemRoot\System32\DRIVERS\agpCPQ.sys
4 Aha154x - \SystemRoot\System32\DRIVERS\aha154x.sys
4 aic78u2 - \SystemRoot\System32\DRIVERS\aic78u2.sys
4 aic78xx - \SystemRoot\System32\DRIVERS\aic78xx.sys
4 AliIde - \SystemRoot\System32\DRIVERS\aliide.sys
4 alim1541 (ALI AGP Bus Filter) - \SystemRoot\System32\DRIVERS\alim1541.sys
4 amdagp (AMD AGP Bus Filter Driver) - \SystemRoot\System32\DRIVERS\amdagp.sys
4 amsint - \SystemRoot\System32\DRIVERS\amsint.sys
4 asc - \SystemRoot\System32\DRIVERS\asc.sys
4 asc3350p - \SystemRoot\System32\DRIVERS\asc3350p.sys
4 asc3550 - \SystemRoot\System32\DRIVERS\asc3550.sys
3 BCMModem (BCM V.92 56K Modem) - System32\DRIVERS\BCMSM.sys
3 bdfdll - \??\F:\Program Files\Softwin\BitDefender9\bdfdll.sys
3 BRIDGE (MAC Bridge) - System32\DRIVERS\bridge.sys
3 BridgeMP (MAC Bridge Miniport) - System32\DRIVERS\bridge.sys
4 cbidf - \SystemRoot\System32\DRIVERS\cbidf2k.sys
3 CCDECODE (Closed Caption Decoder) - system32\DRIVERS\CCDECODE.sys
4 cd20xrnt - \SystemRoot\System32\DRIVERS\cd20xrnt.sys
3 CLPCIID - \??\C:\Program Files\CyberLink\PowerDVD\clpciid.sys
4 CmdIde - \SystemRoot\System32\DRIVERS\cmdide.sys
3 CO_Mon - \??\C:\WINDOWS\system32\Drivers\CO_Mon.sys
4 Cpqarray - \SystemRoot\System32\DRIVERS\cpqarray.sys
3 ctac32k (Creative AC3 Software Decoder) - System32\drivers\ctac32k.sys
3 ctaud2k (Creative Audio Driver (WDM)) - system32\drivers\ctaud2k.sys
3 ctljystk (Creative SBLive! Gameport) - System32\DRIVERS\ctljystk.sys
3 ctlsb16 (Creative SB16/AWE32/AWE64 Driver (WDM)) - system32\drivers\ctlsb16.sys
3 ctprxy2k (Creative Proxy Driver) - System32\drivers\ctprxy2k.sys
3 ctsfm2k (Creative SoundFont Management Device Driver) - System32\drivers\ctsfm2k.sys
4 dac2w2k - \SystemRoot\System32\DRIVERS\dac2w2k.sys
4 dac960nt - \SystemRoot\System32\DRIVERS\dac960nt.sys
4 dpti2o - \SystemRoot\System32\DRIVERS\dpti2o.sys
3 dtscsi - \SystemRoot\System32\Drivers\dtscsi.sys
3 DVC (USB DVC Svc) - System32\Drivers\DVC.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
3 emu10k (Creative SB Live! (WDM)) - system32\drivers\emu10k1m.sys
3 emu10k1 (Creative Interface Manager Driver (WDM)) - system32\drivers\ctlfacem.sys
3 emupia (E-mu Plug-in Architecture Driver) - System32\drivers\emupia2k.sys
3 ENTECH - \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS
0 giveio - system32\giveio.sys
3 ha10kx2k (Creative Hardware Abstract Layer Driver) - system32\drivers\ha10kx2k.sys
3 hamachi (Hamachi Network Interface) - system32\DRIVERS\hamachi.sys
3 HCWBT8xx (Hauppauge WinTV 848/9 WDM Video Driver) - system32\drivers\HCWBT8XX.sys
3 HidUsb (Microsoft HID Class Driver) - System32\DRIVERS\hidusb.sys
4 hpn - \SystemRoot\System32\DRIVERS\hpn.sys
4 hpt3xx - \SystemRoot\System32\DRIVERS\hpt3xx.sys
4 i2omp - \SystemRoot\System32\DRIVERS\i2omp.sys
0 IdeBusDr - system32\DRIVERS\IdeBusDr.sys
0 IdeChnDr (Intel(R) Ultra ATA Controller) - system32\DRIVERS\IdeChnDr.sys
4 ini910u - \SystemRoot\System32\DRIVERS\ini910u.sys
1 intelppm (Intel Processor Driver) - System32\DRIVERS\intelppm.sys
2 irda (IrDA Protocol) - System32\DRIVERS\irda.sys
3 irsir (Microsoft Serial Infrared Driver) - System32\DRIVERS\irsir.sys
3 jbridgep - \??\C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\jbridgep.sys
1 kbdhid (Keyboard HID Driver) - system32\DRIVERS\kbdhid.sys
3 L8042Kbd (Logitech SetPoint Keyboard Driver) - System32\Drivers\L8042Kbd.sys
3 L8042mou (Logitech SetPoint PS/2 Mouse Filter Driver) - system32\DRIVERS\L8042mou.Sys
3 LHidKe (SetPoint HID Mouse Filter Driver) - system32\DRIVERS\LHidKE.Sys
3 LMouKE (SetPoint Mouse Filter Driver) - system32\DRIVERS\LMouKE.Sys
3 mamotou - system32\DRIVERS\mamotou.sys
2 MaVctrl - system32\DRIVERS\MaVc2K.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
3 mouhid (Mouse HID Driver) - System32\DRIVERS\mouhid.sys
4 mraid35x - \SystemRoot\System32\DRIVERS\mraid35x.sys
3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - system32\drivers\MSTEE.sys
3 NABTSFEC (NABTS/FEC VBI Codec) - system32\DRIVERS\NABTSFEC.sys
3 NdisIP (Microsoft TV/Video Connection) - system32\DRIVERS\NdisIP.sys
3 nm (Network Monitor Driver) - System32\DRIVERS\NMnt.sys
3 NPF (Netgroup Packet Filter) - system32\drivers\npf.sys
1 NPPTNT2 - \??\C:\WINDOWS\system32\npptNT2.sys
3 nv - System32\DRIVERS\nv4_mini.sys
3 nv4 - System32\DRIVERS\nv4.sys
2 NwlnkIpx (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol) - System32\DRIVERS\nwlnkipx.sys
2 NwlnkNb (NWLink NetBIOS) - System32\DRIVERS\nwlnknb.sys
2 NwlnkSpx (NWLink SPX/SPXII Protocol) - System32\DRIVERS\nwlnkspx.sys
1 OMCI - \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
1 oreans32 - \??\C:\WINDOWS\system32\drivers\oreans32.sys
3 ossrv (Creative OS Services Driver) - system32\drivers\ctoss2k.sys
1 P3 (Intel PentiumIII Processor Driver) - System32\DRIVERS\p3.sys
0 PCIIde - System32\DRIVERS\pciide.sys
4 perc2 - \SystemRoot\System32\DRIVERS\perc2.sys
4 perc2hib - \SystemRoot\System32\DRIVERS\perc2hib.sys
2 PfModNT - \??\C:\WINDOWS\system32\PfModNT.sys
2 portD (CMS PortIO Service) - system32\DRIVERS\portd2k.sys
0 PxHelp20 - System32\DRIVERS\PxHelp20.sys
4 ql1080 - \SystemRoot\System32\DRIVERS\ql1080.sys
4 Ql10wnt - \SystemRoot\System32\DRIVERS\ql10wnt.sys
4 ql12160 - \SystemRoot\System32\DRIVERS\ql12160.sys
4 ql1240 - \SystemRoot\System32\DRIVERS\ql1240.sys
4 ql1280 - \SystemRoot\System32\DRIVERS\ql1280.sys
3 Rasirda (WAN Miniport (IrDA)) - System32\DRIVERS\rasirda.sys
3 RivaTuner32 - \??\C:\Program Files\RivaTuner v2.0 RC 16.1\RivaTuner32.sys
3 ROOTMODEM (Microsoft Legacy Modem Driver) - System32\Drivers\RootMdm.sys
3 rtl8139 (Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver) - System32\DRIVERS\RTL8139.SYS
3 sfman (Creative SoundFont Manager Driver (WDM)) - system32\drivers\sfmanm.sys
4 sisagp (SIS AGP Bus Filter) - \SystemRoot\System32\DRIVERS\sisagp.sys
3 SLIP (BDA Slip De-Framer) - system32\DRIVERS\SLIP.sys
3 SMBios (Intel (R) System Management BIOS Service) - system32\DRIVERS\SMBios.sys
3 smbusp (Intel(R) SMBus 2.0 Driver) - system32\DRIVERS\smb.sys
3 SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - System32\DRIVERS\SONYPVU1.SYS
4 Sparrow - \SystemRoot\System32\DRIVERS\sparrow.sys
0 speedfan - system32\speedfan.sys
0 sptd - System32\Drivers\sptd.sys
3 streamip (BDA IPSink) - system32\DRIVERS\StreamIP.sys
4 symc810 - \SystemRoot\System32\DRIVERS\symc810.sys
4 symc8xx - \SystemRoot\System32\DRIVERS\symc8xx.sys
3 SymEvent - \??\C:\Program Files\Symantec\SYMEVENT.SYS
4 sym_hi - \SystemRoot\System32\DRIVERS\sym_hi.sys
4 sym_u3 - \SystemRoot\System32\DRIVERS\sym_u3.sys
1 SysTool (SysTool Overclocking Utility) - system32\DRIVERS\SysTool.sys
4 TosIde - \SystemRoot\System32\DRIVERS\toside.sys
3 TVICHW32 - \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
4 ultra - \SystemRoot\System32\DRIVERS\ultra.sys
3 usbaudio (USB Audio Driver (WDM)) - system32\drivers\usbaudio.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbser (Motorola USB Modem Driver) - system32\DRIVERS\usbser.sys
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS
3 USB_RNDIS (USB Remote NDIS Network Device Driver) - system32\DRIVERS\usb8023.sys
3 vaxscsi - \SystemRoot\System32\Drivers\vaxscsi.sys
4 viaagp (VIA AGP Bus Filter) - \SystemRoot\System32\DRIVERS\viaagp.sys
4 ViaIde - \SystemRoot\System32\DRIVERS\viaide.sys
1 vsdatant - System32\vsdatant.sys
3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - system32\DRIVERS\w810bus.sys
3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - system32\DRIVERS\w810mdfl.sys
3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - system32\DRIVERS\w810mdm.sys
3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - system32\DRIVERS\w810mgmt.sys
3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - system32\DRIVERS\w810obex.sys
3 wanatw (WAN Miniport (ATW)) - System32\DRIVERS\wanatw4.sys
3 wandrv (WAN Network Driver) - System32\DRIVERS\wandrv.sys
4 WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - \SystemRoot\System32\drivers\ws2ifsl.sys
3 WSTCODEC (World Standard Teletext Codec) - system32\DRIVERS\WSTCODEC.SYS
3 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - system32\DRIVERS\WudfPf.sys
3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - system32\DRIVERS\wudfrd.sys
3 XTrapD12 - \??\C:\WINDOWS\system32\XTrapD12.sys
3 zlportio - \??\C:\Program Files\WinKeeper\zlportio.sys
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
4 AOL ACS (AOL Connectivity Service) - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
4 AOLService (AOL Spyware Protection Service) - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2 CacheBoost Service (CacheBoost Performance Optimizer and Tuner Service) - F:\Program Files\CacheBoost\cbsrv.exe
2 CAISafe - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
2 Creative Service for CDROM Access - C:\WINDOWS\System32\CTsvcCDA.exe
2 DeepsightExtractor (Deepsight Extractor) - F:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
3 FontCache3.0.0.0 (Windows Presentation Foundation Font Cache 3.0.0.0) - C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
3 gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
3 IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3 idsvc (Windows CardSpace) - "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
2 Irmon (Infrared Monitor) - %SystemRoot%\System32\svchost.exe -k netsvcs
4 NetTcpPortSharing (Net.Tcp Port Sharing Service) - "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
2 NVSvc (NVIDIA Display Driver Service) - %SystemRoot%\system32\nvsvc32.exe
4 PQZ - C:\DOCUME~1\VALENT~1\LOCALS~1\Temp\PQZ.exe
3 usprserv (User Privilege Service) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 VETMSGNT (VET Message Service) - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
2 vsmon (TrueVector Internet Monitor) - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service
3 WmcCdsLs (Windows Media Connect (WMC) Helper) - C:\Program Files\Windows Media Connect\mswmcls.exe
2 WMDM PMSP Service - C:\WINDOWS\System32\MsPMSPSv.exe
3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
3 WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - %SystemRoot%\system32\svchost.exe -k WudfServiceGroup
-- Scheduled T---------
2007-02-12 16:58:09 402 --ah----- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job<MPSCHE~2.JOB>
-- Files created between 2007-01-18 and 20----------
2007-02-18 11:36:43 0 d-------- C:\Program Files\PC Wizard 2007<PCWIZA~2>
2007-02-15 22:38:14 0 d-------- C:\AdvSysOpt<ADVSYS~1>
2007-02-15 20:12:24 0 d-------- C:\WINDOWS\system32\VIRepair
2007-02-12 23:20:05 0 d-------- C:\Documents and Settings\User Name\Application Data\OpenOffice.org2<OPENOF~1.ORG>
2007-02-12 23:17:09 0 d-------- C:\Program Files\OpenOffice.org 2.1<OPENOF~1.1>
2007-02-12 18:03:04 0 d-------- C:\Program Files\Common Files\Java
2007-02-11 14:00:16 0 d-------- C:\mtaserver-win32-v1.1.1<MTASER~1.1>
2007-02-10 15:34:36 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-02-05 17:12:21 0 d-------- C:\Program Files\Common Files\SystemRequirementsLab<SYSTEM~1>
2007-02-05 17:12:12 0 d-------- C:\Documents and Settings\User Name\Application Data\System Requirements Lab<SYSTEM~1>
2007-02-04 15:37:27 0 d-------- C:\SAV32CLI
2007-02-04 15:32:47 0 d-------- C:\SDFix
2007-02-03 22:33:50 0 d-------- C:\Program Files\Microsoft SQL Server<MI6841~1>
2007-02-02 17:29:39 0 d-------- C:\Documents and Settings\User Name\Application Data\Leadertech<LEADER~1>
2007-02-02 17:22:08 0 d-------- C:\BoostXP
2007-02-01 23:52:11 0 d-------- C:\Program Files\RareFind
2007-02-01 21:36:24 0 d-------- C:\Documents and Settings\User Name\Application Data\Individual Software<INDIVI~1>
2007-02-01 21:28:20 188960 --a------ C:\WINDOWS\system\wingde.dll<Unsigned: Microsoft Corporation>
2007-02-01 21:28:20 92208 --a------ C:\WINDOWS\system\wing.dll<Unsigned: Microsoft Corporation>
2007-02-01 21:28:20 26112 --a------ C:\WINDOWS\system\Wavmix16.dll<Unsigned: Microsoft Corporation>
2007-02-01 21:28:19 26112 --a------ C:\WINDOWS\system\Wavemix.dll<Unsigned: Microsoft Corporation>
2007-02-01 21:28:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Individual Software<INDIVI~1>
2007-02-01 21:27:02 0 d-------- C:\Program Files\Typing Instructor Deluxe<TYPING~1>
2007-02-01 21:27:02 0 d-------- C:\Program Files\Common Files\Individual Software<INDIVI~1>
2007-01-31 22:59:46 0 d-------- C:\!KillBox
2007-01-31 18:11:43 4568 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-31 18:10:23 79360 --a------ C:\WINDOWS\system32\swxcacls.exe<Unsigned: SteelWerX>
2007-01-31 18:10:23 40960 --a------ C:\WINDOWS\system32\swsc.exe<Unsigned: n/a>
2007-01-31 18:10:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe<Unsigned: S!Ri>
2007-01-31 18:10:23 51200 --a------ C:\WINDOWS\system32\dumphive.exe<Unsigned: n/a>
2007-01-31 18:10:22 135168 --a------ C:\WINDOWS\system32\swreg.exe<Unsigned: SteelWerX>
2007-01-31 18:10:22 53248 --a------ C:\WINDOWS\system32\Process.exe<Unsigned: http://www.beyondlogic.org>
2007-01-31 16:45:34 0 d-------- C:\Program Files\MSBuild
2007-01-31 16:39:43 0 d-------- C:\WINDOWS\system32\XPSViewer<XPSVIE~1>
2007-01-31 16:38:21 0 d-------- C:\Program Files\Reference Assemblies<REFERE~1>
2007-01-27 01:22:07 0 d-------- C:\Program Files\AviSynth 2.5<AVISYN~1.5>
2007-01-25 16:13:28 0 d-------- C:\Documents and Settings\User Name\Application Data\Xfire
2007-01-24 20:51:13 0 d-------- C:\Program Files\Thoosje's Sidebar<THOOSJ~1>
2007-01-24 14:44:39 0 d-------- C:\Documents and Settings\User Name\Application Data\Stardock
2007-01-24 14:37:33 111104 --a------ C:\WINDOWS\system32\Uharc.exe<Unsigned: n/a>
2007-01-24 14:37:33 19968 --a------ C:\WINDOWS\system32\reico.exe<Unsigned: Dead Knight>
2007-01-24 14:37:33 69632 --a------ C:\WINDOWS\system32\moveex.exe<Unsigned: n/a>
2007-01-24 14:37:33 8636 --a------ C:\WINDOWS\system32\modifype.exe<Unsigned: n/a>
2007-01-24 13:20:33 0 d-------- C:\VTPFiles
2007-01-24 13:20:21 81920 --a------ C:\WINDOWS\system32\closeapp.exe<Unsigned: Noël Danjou>
2007-01-23 17:39:55 0 d-------- C:\WINDOWS\McAfee.com
2007-01-23 16:06:39 0 d-------- C:\WINDOWS\.file_store_32<FILE_S~1>
2007-01-21 21:04:55 0 d-------- C:\Documents and Settings\User Name\Application Data\dvdcss
2007-01-20 19:05:42 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-01-20 15:31:19 0 d-------- C:\Program Files\Electronic Arts<ELECTR~1>
2007-01-19 20:37:19 0 d-------- C:\NFSMWDemo<NFSMWD~1>
2007-01-18 19:48:04 0 d-------- C:\Documents and Settings\User Name2\Application Data\Teleca
2007-01-18 18:45:14 0 d-------- C:\Program Files\Alcohol Soft<ALCOHO~1>
-- Find3M Re-----------
2007-02-18 12:27:39 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-17 22:07:26 0 d-------- C:\Program Files\SpeedFan
2007-02-17 22:02:24 0 d-------- C:\Documents and Settings\Valentin Pavlov\Application Data\Skype
2007-02-15 22:23:50 41 --a------ C:\WINDOWS\system32\dcab6_s.dll<Unsigned: n/a>
2007-02-15 18:59:23 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-15 18:57:14 0 d-------- C:\Program Files\ESTsoft
2007-02-15 18:55:30 262144 --a------ C:\ntuser.dat
2007-02-15 18:54:28 0 d-------- C:\Program Files\Dell
2007-02-12 18:03:04 0 d-------- C:\Program Files\Java
2007-02-12 09:34:25 0 --a------ C:\Documents and Settings\User Name\Application Data\bf21b48d-c3e0-4dbf-b9b5-6e73ce1c8fe8<BF21B4~1>
2007-02-11 18:10:41 262 --a------ C:\Documents and Settings\User Name\Application Data\WinssCookie.txt<WINSSC~1.TXT>
2007-02-07 20:26:08 8911 --a------ C:\WINDOWS\mozver.dat
2007-02-02 17:36:20 0 d-------- C:\Program Files\Google
2007-02-02 17:30:50 0 d-------- C:\Program Files\Dell Computer<DELLCO~1>
2007-02-02 17:28:05 0 d-------- C:\Program Files\EA Games<EAGAME~1>
2007-01-25 20:07:37 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll<Unsigned: n/a>
2007-01-25 20:07:36 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll<Unsigned: n/a>
2007-01-25 20:07:36 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll<Unsigned: n/a>
2007-01-21 19:22:29 0 d-------- C:\Program Files\Picasa2
2007-01-21 19:18:40 0 d-------- C:\Documents and Settings\User Name\Application Data\Adobe
2007-01-21 19:17:32 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-21 17:42:00 0 d-------- C:\Program Files\PC Wizard 2006<PCWIZA~1>
2007-01-21 16:30:43 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80221102}.dat<DVCSTA~2.DAT>
2007-01-21 16:30:43 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000001-00001102-00000002-80221102}.dat<DVCSTA~1.DAT>
2007-01-18 18:41:00 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys<Unsigned: n/a>
2007-01-16 18:36:33 36 -r-h----- C:\WINDOWS\sued.dat
2007-01-15 19:00:08 0 d-------- C:\Program Files\Microsoft AntiSpyware<MIAF83~1>
2007-01-15 16:27:18 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys<Unsigned: n/a>
2007-01-15 12:43:38 0 d-------- C:\Documents and Settings\User Name\Application Data\Systweak
2007-01-15 12:21:45 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-01-14 18:04:52 0 d-------- C:\Documents and Settings\User Name\Application Data\Teleca
2007-01-14 17:49:46 0 d-------- C:\Documents and Settings\User Name\Application Data\Talkback
2007-01-13 23:11:27 0 d---s---- C:\Documents and Settings\User Name\Application Data\Microsoft<MICROS~1>
2007-01-13 23:06:28 0 d-------- C:\Program Files\Logitech
2007-01-13 23:05:50 0 d-------- C:\Program Files\Intel
2007-01-13 19:43:45 0 d-------- C:\Documents and Settings\User Name\Application Data\Creative
2007-01-13 19:26:24 0 d-------- C:\Program Files\Common Files\Logitech
2007-01-13 19:24:23 0 d-------- C:\Program Files\Creative
2007-01-13 19:11:20 0 d-------- C:\Program Files\Dell Support<DELLSU~1>
2007-01-13 17:47:12 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS<Unsigned: EnTech Taiwan>
2007-01-13 12:02:30 0 d-------- C:\Program Files\NVIDIA Corporation<NVIDIA~1>
2007-01-10 19:55:26 16224 --a------ C:\WINDOWS\system32\drivers\hamachi.sys<Signed: LogMeIn, Inc.>
2006-12-28 14:59:05 0 d-------- C:\Program Files\Windows Media Connect 2<WI4DF6~1>
2006-12-27 14:37:11 2048 --a------ C:\WINDOWS\system32\Tr_sttool.dat<TR_STT~1.DAT>
2006-12-24 22:53:52 0 d-------- C:\Program Files\ImTOO
2006-12-24 16:22:28 0 d-------- C:\Program Files\Common Files\Teleca Shared<TELECA~1>
2006-12-24 16:22:04 0 d-------- C:\Program Files\Sony Ericsson<SONYER~1>
2006-12-24 16:18:25 0 d-------- C:\Program Files\Disc2Phone<DISC2P~1>
2006-12-21 12:36:44 356352 --a------ C:\WINDOWS\system32\NVUNINST.EXE<Unsigned: NVIDIA Corporation>
2006-12-21 12:36:44 356352 --a------ C:\WINDOWS\system32\nvudisp.exe<Unsigned: NVIDIA Corporation>
2006-12-21 08:36:10 40960 --a------ C:\WINDOWS\system32\frapsvid.dll<Unsigned: Beepa P/L>
-- Registry -----------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"SpybotSD TeaTimer"="F:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpeedItUpEX"="C:\\Program Files\\SpeedItUpExtreme\\SpeedItUpEx.exe -MINI"
"Uniblue SpyEraser"="\"C:\\Program Files\\Uniblue\\SpyEraser\\SpyEraser.exe\" -m"
"startkey"="C:\\WINDOWS\\system32\\explorer..exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"WINDVDPatch"="CTHELPER.EXE"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"CacheBoost"="F:\\Program Files\\CacheBoost\\trayicon.exe"
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Plugin Install"="C:\\Program Files\\QuickTime\\Plugins\\DeleteMe1.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"DAEMON Tools"="\"F:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\setup]
" IEradicator 2001"=""
" © 1999-2003 LitePC Technologies"=""
" http://www.LitePC.com"=""
" ___________________________"=""
" "=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoCDBurning"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
-- End of ComboScan: finished at 2007-02-18 at 12:5-
Supplementary:
ComboScan v20070212.14 run by User Name on 2007-02-18 at 12:54:19
Supplementary logfile - please post this as an attachment with your post.
------------------------ System Informa------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 254.8 MiB / 72.9 MiB
Pagefile Memory (total/avail): 623.39 MiB / 488.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1998.19 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 37.21 GiB total, 8.99 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 186.31 GiB total, 147.87 GiB free.
-- Security Ce---------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FW: eTrust EZ Firewall v5.1.039.004 (Computer Associates, Inc.)
AV: eTrust EZ Antivirus v7.0.6.7 (Computer Associates)
-- Environment Varia---
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User Name\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BIMBO
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User Name
LOGONSERVER=\\BIMBO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;F:\Program Files\ESTsoft\ALZip\;C:\Program Files\Common Files\Teleca Shared;F:\Program Files\ESTsoft\ALZip\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Partial User Name~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\Partial User Name~1\LOCALS~1\Temp
USERDOMAIN=BIMBO
USERNAME=User Name
USERPROFILE=C:\Documents and Settings\User Name
windir=C:\WINDOWS
-- User Prof-----------
Owner (admin)
User Name (admin)
(admin)
User Name 2 (admin)
Administrator (admin)
Guest (new local, guest)
-- Add/Remove Prog-----
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
--> "F:\Program Files\Creative\SBLive\Program\Ctzapxx.exe" /X /U /S
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> F:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.exe F:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.exe -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.exe C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Age of Empires III -->
ALZip --> "F:\Program Files\ESTsoft\ALZip\unins000.exe"
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
BounceBack Express --> C:\WINDOWS\BBUninstall.exe
Cablenut 4.08 --> C:\Program Files\Cablenut\uninst-cablenut.exe
Call of Duty --> F:\PROGRA~1\CALLOF~1\Uninstall\Unwise.exe /u F:\PROGRA~1\CALLOF~1\Uninstall\Install.log
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Classic PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
Creative PlayCenter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\Setup.exe" -l0x9 /remove
Dell | Support --> MsiExec.exe /X{91E8A85F-2960-40ED-BA84-7F4567BB00C0}
Dell Modem-On-Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Delta Force - Black Hawk Down --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8FE54D21-8254-4CCF-AEE0-066496AE43F4}\setup.exe" -l0x9 -uninst
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
DVC5.0 Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57E0EA5F-D0A3-4036-A69B-269A469EC5B4}\Setup.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Empire Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2447500B-22D7-47BD-9B13-1A927F43A267}\SETUP.exe"
Empire Earth - The Art of Conquest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B49C924C-A651-4378-94F6-5D9BF44A959F}\Setup.exe" -l0x9
eTrust EZ Armor --> C:\Program Files\CA\eTrust EZ Armor\uninst.exe
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Grand Theft Auto Vice City --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\setup.exe" -l0x9
GTA San Andreas --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\SETUP.exe" -l0x9 -removeonly
GTA2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2987EE84-C4EE-4FF5-8160-32DE00D6ABC6}\Setup.exe" -l0x9
Help and Support Customization -->
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 1.99.1 --> C:\Documents and Settings\User Name\Desktop\HijackThis.exe /uninstall
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
James Bond 007: Nightfire --> C:\PROGRA~1\EAGAME~1\NIGHTF~1\UNWISE.exe C:\PROGRA~1\EAGAME~1\NIGHTF~1\INSTALL.LOG
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
KhalSetup --> MsiExec.exe /I{EE7B9A8D-19F0-450D-8E94-3E391E6044CD}
Lexar USB Memory Stick Reader --> C:\WINDOWS\ISUNINST.exe -fC:\PROGRA~1\Lexar\USBMEM~1\LXusbpdr.ISU -cC:\PROGRA~1\Lexar\USBMEM~1\ONUNINST.DLL
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
LucasArts' The Phantom Menace --> C:\WINDOWS\uninst.exe -f"C:\Program Files\LucasArts\The Phantom Menace\DeIsL1.isu"
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" UNINSTALL
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Midtown Madness 2 --> "C:\Program Files\Microsoft Games\Midtown Madness 2\UNINSTAL.exe" /runtemp /addremove
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.1) --> F:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
MTA: Race for San Andreas - Server 1.1.1 --> F:\Program Files\MTA San Andreas\Server\Uninstall.exe
MTA: Race for San Andreas 1.1.1 --> F:\Program Files\MTA San Andreas\Uninstall.exe
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
No One Lives Forever - Game of the Year Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE3E60BC-F29F-4E7B-A110-B538387D34DA}\Setup.exe" -l0x9
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
PaperlessPrinter version 3.0 --> "C:\Program Files\RareFind\PaperlessPrinter\unins000.exe"
PC Wizard 2006.1.71 --> "C:\Program Files\PC Wizard 2006\unins000.exe"
PC Wizard 2007.1.72 --> "C:\Program Files\PC Wizard 2007\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Picture Package --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PSP Video 9 1.74 --> F:\Program Files\pspvideo9\uninst.exe
Realtek RTL8139 Diagnostics Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7FC2AF73-10ED-404E-84A8-636B452404FD}\setup.exe"
RivaTuner v2.0 RC 16.1 --> "C:\Program Files\RivaTuner v2.0 RC 16.1\uninstall.exe"
Road Runner Medic 5.3 --> C:\WINDOWS\unins001.exe
Road Runner PhotoShow Deluxe 4 --> "C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Xtras\Uninstall.exe"
Samsung Camcorder USB-D03 Capture Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A52E1D3-7C17-4EE9-9137-D4B1B3060653}\Setup.exe" customuninstall
SimCity 3000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\SimCity 3000\Uninst.isu"
SimTheme Park --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SimTheme Park\Uninst.isu" -c"C:\Program Files\SimTheme Park\uninst.dll" -BFLANG=1033
Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
Sony Ericsson PC Suite 1.20.207 --> MsiExec.exe /I{009E1B9F-DB7E-48D4-8881-AD86F38614B4}
Sound Blaster Live! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
Sound Blaster Live! Value --> C:\Program Files\Creative\Uninstall\CTUNINST.exe /U:UNINST1.INI
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spider-Man (tm) Movie --> C:\PROGRA~1\ACTIVI~1\SPIDER~1\UNINST~1\UNWISE.exe C:\PROGRA~1\ACTIVI~1\SPIDER~1\UNINST~1\INSTALL.LOG
Spybot - Search & Destroy 1.4 --> "F:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Wars®: Knights of the Old Republic (TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}\setup.exe" -l0x9
System Requirements Lab --> C:\Program Files\Common Files\SystemRequirementsLab\Uninstall.exe
Systweak Advanced Registry Optimizer (Shareware Release) --> "F:\Program Files\Advanced Registry Optimizer\unins000.exe"
Systweak CacheBoost Professional Edition (Demo Version) --> "F:\Program Files\CacheBoost\unins000.exe"
The Italian Job --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B58561BB-0425-458C-B9C4-44618814BA70}\setup.exe" -l0x9
Theme Park World Fix --> MsiExec.exe /I{42082D6A-7C60-4CD9-B6FC-81E6F1FA96EF}
Typing Instructor Deluxe --> C:\PROGRA~1\TYPING~1\UNWISE.exe C:\PROGRA~1\TYPING~1\INSTALL.LOG
Ulead Photo Express 4.0 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBC0D330-C37B-4472-BFB9-AA217CF0C95F}\Setup.exe" -l0x9
VideoLAN VLC media player 0.8.6 --> F:\Program Files\VideoLAN\VLC\uninstall.exe
WebFldrs XP -->
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Connect --> msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect --> MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Wolfenstein - Enemy Territory --> F:\PROGRA~1\WOLFEN~1\Uninstall\Unwise.exe /u F:\PROGRA~1\WOLFEN~1\Uninstall\Install.log
Works Suite OS Pack -->
Works Synchronization -->
Xfire (remove only) --> "F:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
-- End of ComboScan: finished at 2007-02-18 at 12:5-

In one of your above posts you asked me if my PC has been behaving strangely. I monitored it for a couple of days (restarting, doing maintenance) and I got some interesting results. Bifrost would sometimes show up on the startup and sometimes it wouldn't. Also, when I load Windows, on the logon screen my PC seems to use a ton of resources, because, well, 3 times I had to do hard reboots since when I click my user name nothing happens; it's like it's frozen or something. Also, I have had different memory usages, sometimes low and sometimes high, and I always run exactly the same. Also, svchost.exe has been using a lot of RAM lately, usually in the 30 MBs, but I've seen it go near the high 40s. And finally, I decided to try and remove some of the BHOs; they came back and only one gave me a problem. I deleted it with HijackThis and then my TeaTimer (Spybot) would ask me, do you want to add this BHO to your startup list, and I say no + remember this, and then I would get countless popups saying that it denied the startup of the BHO.
BHO:BHO: (no name) - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - (no file)

That MD5, {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E}, belongs to "Trlokom IE Toolbar", which is supposed to be legit.
Please download Grinler's Pfind from this link:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Unzip it to the desktop by double-clicking on it and clicking Extract.
Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while.
When it has finished it will produce a text document. Please copy and paste the contents of that document into this thread.
